Resubmissions
21/09/2022, 15:35
220921-s1bj5scbfr 918/06/2021, 06:44
210618-hbnfahrlfa 1018/06/2021, 06:16
210618-zl79572kwa 10Analysis
-
max time kernel
31s -
max time network
42s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
18/06/2021, 06:16
General
-
Target
Windows Session Manager.exe
-
Size
278KB
-
MD5
6736b48ac9b71f21d8e41d5a1f27a0a6
-
SHA1
45eb63e779cb9f33209b29a175199a9048bd9035
-
SHA256
5ad38d579fb249b3326a25cffb6f5ffea11b125cda7b61205893432f59a02101
-
SHA512
c009278cd156d72957b5a29cec68eb97a0aad8dba7dc3c7a3bb1bba2c96779c41a89a106d65dcb91880fb5e2a639c1b89c87ba3906dd11f4aa7f76fe1f5de8ad
Score
10/10
Malware Config
Extracted
Path
C:\readme.txt
Ransom Note
All of your files such as Document, photos ,Databases, etc... has been successfully encrypted! are encrypted by Poteston Ransomware
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
and files should not contain valuable information (databases, backups, large excel sheets, etc.).
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: [email protected]
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it
Your personal ID : 71e4g05Zbhuc+s2SSHGlHHWR6uVMHnsvmr3lA5w2wlTDNbbfsKWZ6uv2PUn0hT/+SE3k322k9R+C3GGYtPnig48s/Go0lvwV3ylFNHiVQAJ8Bs0dbyOwVNVYQBTYOD8+cLQpmjXLhg2kxjMFoqUoZgooJ3NiZwiGR6Q+2e3onuw=
Emails
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5001⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\readme.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB