Overview

overview

10

Static

static

Windows Se...er.exe

windows10_x64

10

Resubmissions

21/09/2022, 15:35

220921-s1bj5scbfr 9

18/06/2021, 06:44

210618-hbnfahrlfa 10

18/06/2021, 06:16

210618-zl79572kwa 10

Analysis

  • max time kernel
    299s
  • max time network
    281s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    18/06/2021, 06:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Windows Session Manager.exe

  • Size

    278KB

  • MD5

    6736b48ac9b71f21d8e41d5a1f27a0a6

  • SHA1

    45eb63e779cb9f33209b29a175199a9048bd9035

  • SHA256

    5ad38d579fb249b3326a25cffb6f5ffea11b125cda7b61205893432f59a02101

  • SHA512

    c009278cd156d72957b5a29cec68eb97a0aad8dba7dc3c7a3bb1bba2c96779c41a89a106d65dcb91880fb5e2a639c1b89c87ba3906dd11f4aa7f76fe1f5de8ad

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note
All of your files such as Document, photos ,Databases, etc... has been successfully encrypted! are encrypted by Poteston Ransomware What guarantees do we give to you? You can send one of your encrypted file from your PC and we decrypt it for free. and files should not contain valuable information (databases, backups, large excel sheets, etc.). After payment we will send you the decryption tool that will decrypt all your files. Contact us using this email address: [email protected] Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it Your personal ID : H4za1TkOTMRislVpl+pxDTIqEFNbsRl+X+q9HQCz2H0sbohbWa3BqyW38dI/Pu4W1LLmwudvd/5FOkL+EaMH/BqkPXpocREl7FVtVKruWhhrQkb32tUnIuyo451UV9wJkIUWYgBdGZUIKX6nLTiAk0ka3FNPcd5OpHN6ldxKzso=

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:476
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:188
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3400
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2032
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:200
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3324

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/476-114-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/476-116-0x0000000005440000-0x0000000005441000-memory.dmp

      Filesize

      4KB

      Download

    • memory/476-117-0x0000000009D10000-0x0000000009D11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/476-118-0x000000000A2B0000-0x000000000A2B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/476-119-0x0000000005760000-0x0000000005761000-memory.dmp

      Filesize

      4KB

      Download

    • memory/476-123-0x00000000056E0000-0x00000000056E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/476-125-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

      Filesize

      4KB

      Download