Resubmissions

21-09-2022 15:35

220921-s1bj5scbfr 9

18-06-2021 06:44

210618-hbnfahrlfa 10

18-06-2021 06:16

210618-zl79572kwa 10

Analysis

  • max time kernel
    31s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    18-06-2021 06:16

General

  • Target

    Windows Session Manager.exe

  • Size

    278KB

  • MD5

    6736b48ac9b71f21d8e41d5a1f27a0a6

  • SHA1

    45eb63e779cb9f33209b29a175199a9048bd9035

  • SHA256

    5ad38d579fb249b3326a25cffb6f5ffea11b125cda7b61205893432f59a02101

  • SHA512

    c009278cd156d72957b5a29cec68eb97a0aad8dba7dc3c7a3bb1bba2c96779c41a89a106d65dcb91880fb5e2a639c1b89c87ba3906dd11f4aa7f76fe1f5de8ad

Score
10/10

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note

All of your files such as Document, photos ,Databases, etc... has been successfully encrypted! are encrypted by Poteston Ransomware
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free. and files should not contain valuable information (databases, backups, large excel sheets, etc.).
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: recovery_Potes@firemail.de
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it
Your personal ID : 71e4g05Zbhuc+s2SSHGlHHWR6uVMHnsvmr3lA5w2wlTDNbbfsKWZ6uv2PUn0hT/+SE3k322k9R+C3GGYtPnig48s/Go0lvwV3ylFNHiVQAJ8Bs0dbyOwVNVYQBTYOD8+cLQpmjXLhg2kxjMFoqUoZgooJ3NiZwiGR6Q+2e3onuw=
Emails

recovery_Potes@firemail.de

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:744
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:692
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1804
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1620
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1336
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x500
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2044
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\readme.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:436

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Initial Access: Replication Through Removable Media (1) T1091
  • Defense Evasion: File Deletion (2) T1107
  • Lateral Movement: Replication Through Removable Media (1) T1091
  • Impact: Inhibit System Recovery (2) T1490


Downloads

  • C:\readme.txt
    MD5

    2d02842c3d3e76c4ff2a940f10ac681e

    SHA1

    58bf5d5122a2a060e753d7e36066c8c89d188778

    SHA256

    646e51a5f0fddaef7939fe7d3920da71ae00387fd8d2a657dc5671833c7b1b20

    SHA512

    9af6debd5a55cd8240e215a3e55847c11bf2f8cd14622eb92cd79b71d516306bad3e1f352fe6b42f420fc550fb2585ab1fd606b9dcb4fd1c9a2567878a9a42c9

  • memory/692-64-0x0000000000000000-mapping.dmp
  • memory/744-63-0x0000000000000000-mapping.dmp
  • memory/756-59-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize

    4KB

  • memory/756-61-0x0000000000360000-0x0000000000361000-memory.dmp
    Filesize

    4KB

  • memory/756-62-0x0000000004A50000-0x0000000004A51000-memory.dmp
    Filesize

    4KB

  • memory/1336-67-0x000007FEFB531000-0x000007FEFB533000-memory.dmp
    Filesize

    8KB

  • memory/1588-65-0x0000000000000000-mapping.dmp
  • memory/1804-66-0x0000000000000000-mapping.dmp