General

  • Target

    TekDefense.7z

  • Size

    797KB

  • Sample

    230327-llngtscg26

  • MD5

    c82d09221968ed5704ab50846de38f5b

  • SHA1

    08309adceb9635a1079145478aa0effe3d1eeeaf

  • SHA256

    803eb608ac54661ccf23259c6a8d07fdc26bd83788a661dbd0cf1a08022d4a0f

  • SHA512

    0f97ea615aa8f62f05e880b14b6207b24b6f8a924c5c7464bebb6cb6b6b6ccc7bbfcb381caf951ddf1d4845b6e758b450f4b4ae8a15b6b5abfd2e9e24f56f427

  • SSDEEP

    24576:56n+Kxq0SkvyymIRXjFuY08ub0D0/QgvWcNFK31M:56nZvqymyj68oQgvz/K31M
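The digest block above (and each per-file block under Targets) is only useful if you can reproduce it against the bytes you actually have. The following Python is an added example, not part of the sandbox report: it computes the four digests the report lists and compares them case-insensitively against the reported values. It is demonstrated on the one entry whose content can be reconstructed from the report itself, the 1-byte "index3 2.html" listed under Targets, whose digests are those of the single ASCII byte "1" (constructed here for the demo; the constant name and helper names are this example's own).

```python
import hashlib

# Digests copied from the report's "index3 2.html" entry (1 byte).
REPORTED_INDEX3 = {
    "md5": "c4ca4238a0b923820dcc509a6f75849b",
    "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
    "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
    "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b3"
              "7b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a",
}

# Constructed input: the only 1-byte content that reproduces those digests is "1".
INDEX3_CONTENT = b"1"

ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_bytes(data: bytes) -> dict:
    """Compute every digest the report lists in one pass over the data."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    view = memoryview(data)
    # Feed fixed-size chunks so the same loop works for multi-MB samples.
    for off in range(0, len(view), 1 << 16):
        chunk = view[off:off + (1 << 16)]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: str) -> dict:
    """Same as digest_bytes, for a sample on disk."""
    with open(path, "rb") as f:
        return digest_bytes(f.read())


def verify(observed: dict, reported: dict) -> dict:
    """Per-algorithm match table; hex case is normalised because reports differ."""
    return {a: observed[a].lower() == reported[a].lower()
            for a in ALGOS if a in reported}


def check_index3() -> dict:
    """Verify the constructed 1-byte content against the report's entry."""
    return verify(digest_bytes(INDEX3_CONTENT), REPORTED_INDEX3)


if __name__ == "__main__":
    print(check_index3())
```

A single mismatching algorithm in the table from verify() is the signal to stop and re-acquire the sample: every reported digest is over the same bytes, so one failing hash means you are not holding the file the report describes, not that one hash is "wrong".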

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://zwned.tekdefense.com:80/JpHZ
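The Version field carries a payload name, windows/download_exec, which simply fetches and executes whatever URL the operator configured, so the URL itself carries no guaranteed structure. Metasploit's reverse_http/https handlers, by contrast, recognise incoming requests by an 8-bit checksum of the URI. The following Python is an added example, not code from the report or from Metasploit: it re-implements that lookup (Rex::Text.checksum8 and the URI-mode constants from lib/rex/payloads/meterpreter/uri_checksum.rb in metasploit-framework) and applies it to the extracted C2 path. A match is corroboration that the path was produced by msfvenom-style tooling, not proof; the function names here are this example's own.

```python
import re
from urllib.parse import urlsplit

# Mode constants the Metasploit HTTP handler maps checksum values to.
URI_CHECKSUM_MODES = {
    92: "INITW/INITN: first contact from a Windows or native stager",
    80: "INITP: first contact from a Python stager",
    88: "INITJ: first contact from a Java stager",
    95: "INIT_CONN: new stageless session",
    98: "CONN: existing session reconnecting",
}
# Newer stagers prefix the URI with a URL-safe base64 payload UUID of this length.
URI_CHECKSUM_UUID_MIN_LEN = 22


def checksum8(s: str) -> int:
    """Rex::Text.checksum8: sum of the byte values modulo 256."""
    return sum(s.encode("latin-1")) % 256


def process_uri_resource(path: str) -> dict:
    """Mirror of the handler's process_uri_resource: drop every character that
    is not URL-safe base64, checksum the remainder, look the value up."""
    bare = re.sub(r"[^A-Za-z0-9_\-]", "", path)
    value = checksum8(bare)
    return {
        "bare": bare,
        "checksum8": value,
        "mode": URI_CHECKSUM_MODES.get(value),
        "has_uuid": len(bare) >= URI_CHECKSUM_UUID_MIN_LEN,
    }


def check_c2(url: str) -> dict:
    """Split a C2 URL from a report and classify its path."""
    parts = urlsplit(url)
    result = process_uri_resource(parts.path)
    result["host"] = parts.hostname
    result["port"] = parts.port
    return result


if __name__ == "__main__":
    # C2 URL copied from the report's extracted config.
    print(check_c2("http://zwned.tekdefense.com:80/JpHZ"))
```

For the report's path /JpHZ the checksum is 92, the value a Windows stager uses on first contact, and the path is too short to carry a payload UUID, which is what older (pre-UUID) msfvenom output looks like. When hunting in proxy logs for the same host, checksum-92 and checksum-98 paths are the requests worth pulling first.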

Targets

    • Target

      TekDefense.exe

    • Size

      381KB

    • MD5

      1d8b370a114f9490f36bebd77ed347d1

    • SHA1

      91690d293bc2ecf4c77f46954d93b990269d8c0f

    • SHA256

      f3e2e7ee2f7ff8be2e3812e3a3c4cbbec9dc560dfa62bada624aad85f1c56049

    • SHA512

      947c0e165712656ac956023815a23cd549562aedbaf44bfec0ea9d132bd18bca914abced9747aa9a724ab21b1748240874cdd83aff4d235407ad0b68b2be286d

    • SSDEEP

      6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIeENOy343jajyp:v6Wq4aaE6KwyF5L0Y2D1PqLxOyozaj2

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Adds Run key to start application

    • AutoIT Executable

      AutoIt scripts compiled into PE executables.

    • Drops file in System32 directory

    • Target

      index 2.html

    • Size

      536B

    • MD5

      d8054b190eeae6c777bb693dc14ce497

    • SHA1

      1b7aa7a0b6d0126ed4e2771a89ffbcb0f1e50205

    • SHA256

      69392b73c989af987838d132fbe17bfe6b124917074200897197c21f6ff51716

    • SHA512

      351ad20ece4d3155fb7045a3a20de33276d76f934c88d538f86aa5e7f419a2bd1253f870e5a9e07a46c4657149dade9b93fc94c3e0d04ca565082c2ad18ded39

    Score
    1/10
    • Target

      index2 2.html

    • Size

      291B

    • MD5

      d49409921bb8cd4bdf277752bc7291af

    • SHA1

      129a86e978f9ae72fc1714757289675bd18ad54c

    • SHA256

      a9ae4f9ab97c9ab2158ea0594bfec1db6be0ddb7b9605c228c2950c0ac9484f5

    • SHA512

      7bfbbc1d781b0efef75ee5fe438969a9c0f3fc9e42b843a4253fd9d67f02ab9c92900edb79a069de360033618260fd288e638980164e6afd8a88351b1a24402e

    Score
    1/10
    • Target

      index3 2.html

    • Size

      1B

    • MD5

      c4ca4238a0b923820dcc509a6f75849b

    • SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

    • SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    • SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Score
    1/10
    • Target

      ransomware.exe

    • Size

      434KB

    • MD5

      63bab74409c514ed8548b1f33d0acedc

    • SHA1

      abc6bb8dd01fa83d7fd92182601b868d2b6dd1ea

    • SHA256

      265041a4e943debd8b6b147085cb8549be110facde2288021e90ae65e87be235

    • SHA512

      27a28305e604b25fe7c71a8f7db4a453e6cca234c27f1c747cdaa98060c5a7f7788e983b5ec9d550ca62a0895b21b4c1403d3b3f595d7d7693e7f422855af4f1

    • SSDEEP

      12288:s6Wq4aaE6KwyF5L0Y2D1PqLVSV7uikFgd9OFNu:qthEVaPqLIlubgdYu

    Score
    7/10
    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Adds Run key to start application

    • AutoIT Executable

      AutoIt scripts compiled into PE executables.

    • Target

      tekdefense.dll

    • Size

      14KB

    • MD5

      1f3195eff807eceda24c74ea4c483f8c

    • SHA1

      875b5d9b81e27ed8e5dc6fc8610813f68c5f59a9

    • SHA256

      9420c9b7b0e45c2e5440c20cca570e991cbf151babf2537bf3dc08cf6d12c321

    • SHA512

      15125f2c6d89af222fc092b20bf8a560d1913bf45ad54cbb6a94382fa8416054ba1b65261d0ba8e4ff3fbf825a41d7f27a9556dad3ea8e13f1ed7c4587a5c887

    • SSDEEP

      48:6D640H+VzPiZerMpZytjWeyLhnhIAsYBlnfpJo+b23mRhHeq0JEI0oqtIzNi:WmHGzq6tjW33XlfprbSmRhsJNcy

    • MetaSploit

      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Suspicious use of SetThreadContext
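TekDefense.exe and ransomware.exe carry the same signature set (UPX, AutoIt, Run key) and their SSDEEP values visibly share a long run of characters at adjacent block sizes. The following Python is an added example, not part of the report and not the ssdeep library: it follows the comparison logic of ssdeep's fuzzy.c (block-size pairing, the 7-character common-substring gate, the edit distance with insert/delete cost 1 and replace cost 2, and the scaling to a 0..100 score) and runs it over the two fuzzy hashes copied from the Targets entries. It also returns the longest common substring so an analyst can see which part of the hash overlaps. Function names and the constructed third hash in the test are this example's own; it may differ from the ssdeep tool in edge cases.

```python
import re

ROLLING_WINDOW = 7     # minimum common substring before ssdeep scores at all
SPAMSUM_LENGTH = 64
MIN_BLOCKSIZE = 3

# Fuzzy hashes copied from the report's Targets entries.
TEKDEFENSE_EXE = ("6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIeENOy343jajyp:"
                  "v6Wq4aaE6KwyF5L0Y2D1PqLxOyozaj2")
RANSOMWARE_EXE = "12288:s6Wq4aaE6KwyF5L0Y2D1PqLVSV7uikFgd9OFNu:qthEVaPqLIlubgdYu"


def parse_ssdeep(sig: str):
    """'blocksize:chunk1:chunk2[,"filename"]' -> (int, str, str)."""
    bs, c1, c2 = sig.split(",", 1)[0].split(":", 2)
    return int(bs), c1, c2


def eliminate_sequences(s: str) -> str:
    """fuzzy.c collapses runs of more than three identical characters to three."""
    return re.sub(r"(.)\1{3,}", r"\1\1\1", s)


def has_common_substring(a: str, b: str) -> bool:
    return any(a[i:i + ROLLING_WINDOW] in b
               for i in range(len(a) - ROLLING_WINDOW + 1))


def longest_common_substring(a: str, b: str) -> str:
    best, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i, ca in enumerate(a, 1):
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best, best_end = cur[j], i
        prev = cur
    return a[best_end - best:best_end]


def edit_distance(a: str, b: str) -> int:
    """Weighted Levenshtein as in ssdeep's edit_distn: insert 1, delete 1, replace 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]


def score_strings(a: str, b: str, block_size: int) -> int:
    """Score one chunk pair the way fuzzy.c's score_strings does."""
    if not has_common_substring(a, b):
        return 0
    score = edit_distance(a, b) * SPAMSUM_LENGTH // (len(a) + len(b))
    score = 100 * score // SPAMSUM_LENGTH
    score = 100 - score
    # Tiny block sizes get capped so very short inputs are not overstated.
    if block_size < (99 + ROLLING_WINDOW) * MIN_BLOCKSIZE // SPAMSUM_LENGTH:
        score = min(score, block_size // MIN_BLOCKSIZE * min(len(a), len(b)))
    return score


def fuzzy_compare(sig1: str, sig2: str) -> int:
    """0..100 similarity; only chunks at the same block size are comparable."""
    bs1, a1, a2 = parse_ssdeep(sig1)
    bs2, b1, b2 = parse_ssdeep(sig2)
    a1, a2, b1, b2 = map(eliminate_sequences, (a1, a2, b1, b2))
    if bs1 == bs2:
        if a1 == b1 and a2 == b2:
            return 100
        return max(score_strings(a1, b1, bs1), score_strings(a2, b2, bs1 * 2))
    if bs1 == 2 * bs2:
        return score_strings(a1, b2, bs1)
    if bs2 == 2 * bs1:
        return score_strings(a2, b1, bs2)
    return 0


def compare_report_samples() -> dict:
    """Score the two AutoIt samples and show the chunk overlap behind the score."""
    _, _, tek_c2 = parse_ssdeep(TEKDEFENSE_EXE)
    _, ran_c1, _ = parse_ssdeep(RANSOMWARE_EXE)
    return {"score": fuzzy_compare(TEKDEFENSE_EXE, RANSOMWARE_EXE),
            "overlap": longest_common_substring(tek_c2, ran_c1)}


if __name__ == "__main__":
    print(compare_report_samples())
```

Because the block sizes are 6144 and 12288, only TekDefense.exe's second chunk is compared with ransomware.exe's first, and those share 22 consecutive characters, which is why the score lands well above the usual "related" threshold even though the two files differ in size. The tekdefense.dll hash (block size 48) has no comparable block size with either, so it scores 0 against both, which says nothing about code sharing at the function level.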

MITRE ATT&CK Enterprise v6