Resubmissions
- 21-09-2022 15:35  220921-s1bj5scbfr  (score 9)
- 18-06-2021 06:44  210618-hbnfahrlfa  (score 10)
- 18-06-2021 06:16  210618-zl79572kwa  (score 10)
Analysis
- max time kernel: 31s
- max time network: 42s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 18-06-2021 06:16
Static task: static1
Behavioral task: behavioral1
  Sample: Windows Session Manager.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Windows Session Manager.exe
  Resource: win10v20210410
General
- Target: Windows Session Manager.exe
- Size: 278KB
- MD5: 6736b48ac9b71f21d8e41d5a1f27a0a6
- SHA1: 45eb63e779cb9f33209b29a175199a9048bd9035
- SHA256: 5ad38d579fb249b3326a25cffb6f5ffea11b125cda7b61205893432f59a02101
- SHA512: c009278cd156d72957b5a29cec68eb97a0aad8dba7dc3c7a3bb1bba2c96779c41a89a106d65dcb91880fb5e2a639c1b89c87ba3906dd11f4aa7f76fe1f5de8ad
Malware Config
Extracted
- Path: C:\readme.txt
- Email: recovery_Potes@firemail.de
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: Windows Session Manager.exe
  File opened for modification: C:\Users\Admin\Pictures\CopyUnregister.tiff.Poteston
  File opened for modification: C:\Users\Admin\Pictures\InvokeBackup.png.Poteston
  File opened for modification: C:\Users\Admin\Pictures\OpenMove.tif.Poteston
  File opened for modification: C:\Users\Admin\Pictures\PublishComplete.raw.Poteston
  File opened for modification: C:\Users\Admin\Pictures\TestUnregister.crw.Poteston
  File opened for modification: C:\Users\Admin\Pictures\UseReset.tif.Poteston
  File opened for modification: C:\Users\Admin\Pictures\ConfirmOut.tiff.Poteston
- Drops startup file (1 IoC)
  Processes: Windows Session Manager.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Session Manager.exe
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 692), vssadmin.exe (PID 1804)
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: NOTEPAD.EXE (PID 436)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: vssvc.exe, AUDIODG.EXE
  Token: SeBackupPrivilege, PID 1620, vssvc.exe
  Token: SeRestorePrivilege, PID 1620, vssvc.exe
  Token: SeAuditPrivilege, PID 1620, vssvc.exe
  Token: 33, PID 2044, AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, PID 2044, AUDIODG.EXE
  Token: 33, PID 2044, AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, PID 2044, AUDIODG.EXE
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: Windows Session Manager.exe, cmd.exe, cmd.exe
  PID 756 (Windows Session Manager.exe) wrote to memory of PID 744 (cmd.exe), 4 events
  PID 744 (cmd.exe) wrote to memory of PID 692 (vssadmin.exe), 4 events
  PID 756 (Windows Session Manager.exe) wrote to memory of PID 1588 (cmd.exe), 4 events
  PID 1588 (cmd.exe) wrote to memory of PID 1804 (vssadmin.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
  Signatures: Modifies extensions of user files; Drops startup file; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      Signatures: Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x500
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\readme.txt
  Signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\readme.txt
  MD5: 2d02842c3d3e76c4ff2a940f10ac681e
  SHA1: 58bf5d5122a2a060e753d7e36066c8c89d188778
  SHA256: 646e51a5f0fddaef7939fe7d3920da71ae00387fd8d2a657dc5671833c7b1b20
  SHA512: 9af6debd5a55cd8240e215a3e55847c11bf2f8cd14622eb92cd79b71d516306bad3e1f352fe6b42f420fc550fb2585ab1fd606b9dcb4fd1c9a2567878a9a42c9
- memory/692-64-0x0000000000000000-mapping.dmp
- memory/744-63-0x0000000000000000-mapping.dmp
- memory/756-59-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
- memory/756-61-0x0000000000360000-0x0000000000361000-memory.dmp (Filesize: 4KB)
- memory/756-62-0x0000000004A50000-0x0000000004A51000-memory.dmp (Filesize: 4KB)
- memory/1336-67-0x000007FEFB531000-0x000007FEFB533000-memory.dmp (Filesize: 8KB)
- memory/1588-65-0x0000000000000000-mapping.dmp
- memory/1804-66-0x0000000000000000-mapping.dmp