803eb608ac54661ccf23259c6a8d07fdc26bd83788a661dbd0cf1a08022d4a0f

General

Target

TekDefense.exe
Size

381KB
MD5

1d8b370a114f9490f36bebd77ed347d1
SHA1

91690d293bc2ecf4c77f46954d93b990269d8c0f
SHA256

f3e2e7ee2f7ff8be2e3812e3a3c4cbbec9dc560dfa62bada624aad85f1c56049
SHA512

947c0e165712656ac956023815a23cd549562aedbaf44bfec0ea9d132bd18bca914abced9747aa9a724ab21b1748240874cdd83aff4d235407ad0b68b2be286d
SSDEEP

6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIeENOy343jajyp:v6Wq4aaE6KwyF5L0Y2D1PqLxOyozaj2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
784	cmd.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2008-63-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2008-66-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2008-70-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2008-71-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2008-77-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2008-78-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2008-81-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2008-89-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run	TekDefense.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\denwz = "C:\\Windows\\SysWOW64\\lssas.exe"	TekDefense.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2008-63-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2008-66-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2008-70-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2008-71-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2008-77-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2008-78-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2008-81-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2008-89-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lssas.exe	TekDefense.exe
File opened for modification	C:\Windows\SysWOW64\lssas.exe	TekDefense.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
920	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2008	TekDefense.exe
2008	TekDefense.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 784	2008	TekDefense.exe	30
PID 2008 wrote to memory of 784	2008	TekDefense.exe	30
PID 2008 wrote to memory of 784	2008	TekDefense.exe	30
PID 2008 wrote to memory of 784	2008	TekDefense.exe	30
PID 784 wrote to memory of 920	784	cmd.exe	32
PID 784 wrote to memory of 920	784	cmd.exe	32
PID 784 wrote to memory of 920	784	cmd.exe	32
PID 784 wrote to memory of 920	784	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\TekDefense.exe
"C:\Users\Admin\AppData\Local\Temp\TekDefense.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\rm.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rm.bat

Filesize
272B

MD5
c23f2cf5a74e83fc26be8cb6b08491a9

SHA1
b6445827774a7a3ff7e204a6174579ca3b2666b2

SHA256
4789743515eca4e51c2da75cb7d6d1a7582f009cb3dec85567ab774ba0802831

SHA512
289cc305095816e7e49e49e4b179aae62b4da469b3d48c9b8b6c9e9d7e55a650a7d159170fbd08e64a624843cb0d63e7f39a467bcb1b7440bb3cb26387fe77cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rm.bat

Filesize
272B

MD5
c23f2cf5a74e83fc26be8cb6b08491a9

SHA1
b6445827774a7a3ff7e204a6174579ca3b2666b2

SHA256
4789743515eca4e51c2da75cb7d6d1a7582f009cb3dec85567ab774ba0802831

SHA512
289cc305095816e7e49e49e4b179aae62b4da469b3d48c9b8b6c9e9d7e55a650a7d159170fbd08e64a624843cb0d63e7f39a467bcb1b7440bb3cb26387fe77cc

Download Submit
memory/2008-63-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2008-66-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2008-67-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/2008-70-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2008-71-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2008-74-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/2008-77-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2008-78-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2008-81-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2008-89-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing