Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

E-DEKONT.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.761776865378202
Filename:	E-DEKONT.exe
Filesize:	325782
MD5:	0aa36eb080cf7171cec271b2cd4d2108
SHA1:	eb7f3bf8e15ae16e765e480510d2260a9e9facb8
SHA256:	6ca208edbc718f737f74ee0a631ed22cd2bf67a0db679d9d1702575c087550cc
SHA512:	a350d13a00cfb426c046b370b018309fb614ab597159fc53a07b017143960d68dab186b71e12156bd8966234f49775f70d7bbfafe53ada4d7ded282d2780d489
SSDEEP:	6144:nQ606xDpoDTOfHQerv776jfhtjdTAhjr6ec5eF4fe8YCsboQ+Ni5JFapbARUTv/4:FpoPOfQqvH6j5PTIr6FZTQ+aJwp8KH4
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...6.uY.................f.........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Native API Security Software Discovery System Information Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Sample is known by Antivirus	System Summary	Windows Service Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection
Program exit points	Malware Analysis System Evasion	Windows Service
URLs found in memory or binary data	Networking
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Reads ini files	System Summary	File and Directory Discovery
Contains functionality to check free disk space	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Creates a software uninstall entry	Compliance, System Summary	Windows Service

C:\Users\user\AppData\Local\Temp\nsc1ED3.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nsc1ED3.tmp\System.dll
Category:	dropped
Dump:	System.dll.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Users\user\Desktop\E-DEKONT.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.659384359264642
Encrypted:	false
Ssdeep:	192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz
Size:	11776
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Internalisere\Brnesangen.End

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Internalisere\Brnesangen.End
Category:	dropped
Dump:	Brnesangen.End.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\E-DEKONT.exe
Type:	data
Entropy:	6.737126845009294
Encrypted:	false
Ssdeep:	3072:mEYhKhav/hqkoeGD+8H2yAIkD6EZq85d3wkwaIg0sAjx:mEYA44nKbyAIbYVd6aIg0sA9
Size:	165922
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Sldede\memstat.c

C source, ASCII text

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Sldede\memstat.c
Category:	dropped
Dump:	memstat.c.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\E-DEKONT.exe
Type:	C source, ASCII text
Entropy:	5.15716859322729
Encrypted:	false
Ssdeep:	192:B3tdgdRmAMgyWkSctse3XX6ZjuguOixHRYqx0NzZW+08e:B3tuPdjJ0TCzZWv
Size:	13484
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Sldede\selection-end-symbolic.symbolic.png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Sldede\selection-end-symbolic.symbolic.png
Category:	dropped
Dump:	selection-end-symbolic.symbolic.png.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\E-DEKONT.exe
Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Entropy:	5.559646592748364
Encrypted:	false
Ssdeep:	3:yionv//thPl9vt3lAnsrtxBllO9p2hkq8PQ1/kbcw1w9lDk7kup:6v/lhPys8pQt8PQ2cw1IlDXup
Size:	138
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalization\libxml2-2.0.typelib

HTML document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalization\libxml2-2.0.typelib
Category:	dropped
Dump:	libxml2-2.0.typelib.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\E-DEKONT.exe
Type:	HTML document, ASCII text, with CRLF line terminators
Entropy:	5.462849750105637
Encrypted:	false
Ssdeep:	24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
Size:	1245
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalization\sgelngdernes.Dep74

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalization\sgelngdernes.Dep74
Category:	dropped
Dump:	sgelngdernes.Dep74.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\E-DEKONT.exe
Type:	data
Entropy:	7.997405530190593
Encrypted:	true
Ssdeep:	1536:30X06uHVfTFBRFMyLsstapQk8OtIopWndeX21HGaOSpD:EXru1fpBRS6sstapQk8MIo6HPpD
Size:	69983
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\E-DEKONT.exe

Details

Is windows:	false
Is dropped:	false
PID:	3648
Target ID:	0
Parent PID:	3324
Name:	E-DEKONT.exe
Path:	C:\Users\user\Desktop\E-DEKONT.exe
Commandline:	C:\Users\user\Desktop\E-DEKONT.exe
Size:	325782
MD5:	0AA36EB080CF7171CEC271B2CD4D2108
Time:	09:10:44
Date:	29/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	577536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

http://nsis.sf.net/NSIS_ErrorError

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fivefoldness\Endosseringerne\Fouragen

Arigue

HKEY_CURRENT_USER\Software\Fruticeta\Lavandin\Kingliest\Ernringsenhed

Legating

Memdumps

Base Address

Regiontype

Protect

Malicious

2980000

direct allocation

page execute and read and write

1F53A60E000

trusted library allocation

page read and write

476000

unkown

page readonly

40A000

unkown

page write copy

D05F5FE000

stack

page read and write

1F53A390000

trusted library allocation

page read and write

1F535E70000

trusted library section

page readonly

40A000

unkown

page read and write

D05F7FB000

stack

page read and write

1F53A6C0000

remote allocation

page read and write

730000

heap

page read and write

1F534C72000

heap

page read and write

1F53A240000

trusted library allocation

page read and write

1F53A608000

trusted library allocation

page read and write

1F535C70000

trusted library allocation

page read and write

D05F2F7000

stack

page read and write

1F53A4F7000

heap

page read and write

1F534D02000

heap

page read and write

1F535602000

heap

page read and write

D05F3FC000

stack

page read and write

277F000

stack

page read and write

1F53A680000

trusted library allocation

page read and write

401000

unkown

page execute read

1F53A3D0000

trusted library allocation

page read and write

1F534BC0000

heap

page read and write

D05F9FF000

stack

page read and write

45C000

unkown

page read and write

431000

unkown

page read and write

1F53A4FB000

heap

page read and write

1F53A4DB000

heap

page read and write

22E0000

trusted library allocation

page read and write

22F0000

heap

page read and write

22DF000

stack

page read and write

1F53A45D000

heap

page read and write

D05F8FE000

stack

page read and write

30000

heap

page read and write

D05F87F000

stack

page read and write

1F534BF0000

trusted library allocation

page read and write

1F53A360000

trusted library allocation

page read and write

1F535E90000

trusted library section

page readonly

1F534D13000

heap

page read and write

1F534C58000

heap

page read and write

1F53A440000

heap

page read and write

1F534CFE000

heap

page read and write

1F534C13000

heap

page read and write

1F535718000

heap

page read and write

10001000

unkown

page execute read

2850000

trusted library allocation

page read and write

400000

unkown

page readonly

1F53A4F1000

heap

page read and write

1F53A4F9000

heap

page read and write

1F534B50000

heap

page read and write

42F000

unkown

page read and write

1F535615000

heap

page read and write

1F535700000

heap

page read and write

1F53A41F000

heap

page read and write

1F53A44D000

heap

page read and write

437000

unkown

page read and write

1F53A627000

trusted library allocation

page read and write

D05FA7F000

stack

page read and write

408000

unkown

page readonly

D05F4FA000

stack

page read and write

1F535E80000

trusted library section

page readonly

1F53A250000

trusted library allocation

page read and write

D05FCFE000

stack

page read and write

1F53A690000

trusted library allocation

page read and write

1F53A3A0000

trusted library allocation

page read and write

1F53A464000

heap

page read and write

1F53A6C0000

remote allocation

page read and write

1F53A390000

trusted library allocation

page read and write

1F534C41000

heap

page read and write

10003000

unkown

page readonly

97000

stack

page read and write

43C000

unkown

page read and write

2130000

heap

page read and write

1F535E60000

trusted library section

page readonly

401000

unkown

page execute read

769000

heap

page read and write

400000

unkown

page readonly

10000000

unkown

page readonly

1F534CA1000

heap

page read and write

408000

unkown

page readonly

560000

trusted library allocation

page read and write

2840000

trusted library allocation

page read and write

1F534C8F000

heap

page read and write

10005000

unkown

page readonly

267E000

stack

page read and write

1F53A621000

trusted library allocation

page read and write

2134000

heap

page read and write

1F53A4A9000

heap

page read and write

21D0000

heap

page read and write

1F534B60000

heap

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
E-DEKONT.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportE-DEKONT.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
E-DEKONT.exe