803eb608ac54661ccf23259c6a8d07fdc26bd83788a661dbd0cf1a08022d4a0f

General

Target

TekDefense.exe
Size

381KB
MD5

1d8b370a114f9490f36bebd77ed347d1
SHA1

91690d293bc2ecf4c77f46954d93b990269d8c0f
SHA256

f3e2e7ee2f7ff8be2e3812e3a3c4cbbec9dc560dfa62bada624aad85f1c56049
SHA512

947c0e165712656ac956023815a23cd549562aedbaf44bfec0ea9d132bd18bca914abced9747aa9a724ab21b1748240874cdd83aff4d235407ad0b68b2be286d
SSDEEP

6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIeENOy343jajyp:v6Wq4aaE6KwyF5L0Y2D1PqLxOyozaj2

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	TekDefense.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2208-135-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/2208-144-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/2208-147-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/2208-156-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/2208-157-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/2208-160-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/2208-169-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/2208-172-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\denwz = "C:\\Windows\\SysWOW64\\lssas.exe"	TekDefense.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run	TekDefense.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2208-135-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/2208-144-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/2208-147-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/2208-156-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/2208-157-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/2208-160-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/2208-169-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/2208-172-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lssas.exe	TekDefense.exe
File opened for modification	C:\Windows\SysWOW64\lssas.exe	TekDefense.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4204	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2208	TekDefense.exe
2208	TekDefense.exe
2208	TekDefense.exe
2208	TekDefense.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1040	2208	TekDefense.exe	90
PID 2208 wrote to memory of 1040	2208	TekDefense.exe	90
PID 2208 wrote to memory of 1040	2208	TekDefense.exe	90
PID 1040 wrote to memory of 4204	1040	cmd.exe	92
PID 1040 wrote to memory of 4204	1040	cmd.exe	92
PID 1040 wrote to memory of 4204	1040	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\TekDefense.exe
"C:\Users\Admin\AppData\Local\Temp\TekDefense.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rm.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fgdump.exe

Filesize
505B

MD5
2854bb73002f6d00fed33848122b1bc5

SHA1
a7998a5a69ddc81bb29bdab9c4352fd9d7edc37f

SHA256
853bbf3da224b0ffc0615e6e8e783042e3236ec23e7e618d0330818c20151eab

SHA512
7bfd23313890675a0ab2f5eb4a1e5f626d4552af66cd938a4f79427fd45adb663abbcede88d184a4328715139734c1333ba550a4cc72bb79d340e2bfc6d1ff0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rm.bat

Filesize
272B

MD5
c23f2cf5a74e83fc26be8cb6b08491a9

SHA1
b6445827774a7a3ff7e204a6174579ca3b2666b2

SHA256
4789743515eca4e51c2da75cb7d6d1a7582f009cb3dec85567ab774ba0802831

SHA512
289cc305095816e7e49e49e4b179aae62b4da469b3d48c9b8b6c9e9d7e55a650a7d159170fbd08e64a624843cb0d63e7f39a467bcb1b7440bb3cb26387fe77cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\syringe.exe

Filesize
506B

MD5
30f2ed134d68e9db97b41776cb18b67e

SHA1
4cde84fb059ce10a186a517ad32f9ac0c501d88c

SHA256
42343377736d72299b17c596b23128ef5657032883504d1f8afbcfd514501b27

SHA512
960c139a2f6f4b6fe00904f3306fd1aaa9fa203133c0d6324e17c0fbccce92c9293d0b91fa7822c58bdd170373d27ee56b6f488d3894073ef3c9f882993666dd

Download Submit
memory/2208-135-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2208-144-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2208-147-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2208-156-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2208-157-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2208-160-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2208-169-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2208-172-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing