5ad38d579fb249b3326a25cffb6f5ffea11b125cda7b61205893432f59a02101

Resubmissions

21/09/2022, 15:35

220921-s1bj5scbfr 9

18/06/2021, 06:44

210618-hbnfahrlfa 10

18/06/2021, 06:16

210618-zl79572kwa 10

Analysis

max time kernel
17s
max time network
112s
platform
windows10_x64
resource
win10v20210410
submitted
18/06/2021, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Session Manager.exe
Size

278KB
MD5

6736b48ac9b71f21d8e41d5a1f27a0a6
SHA1

45eb63e779cb9f33209b29a175199a9048bd9035
SHA256

5ad38d579fb249b3326a25cffb6f5ffea11b125cda7b61205893432f59a02101
SHA512

c009278cd156d72957b5a29cec68eb97a0aad8dba7dc3c7a3bb1bba2c96779c41a89a106d65dcb91880fb5e2a639c1b89c87ba3906dd11f4aa7f76fe1f5de8ad

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note

All of your files such as Document, photos ,Databases, etc... has been successfully encrypted! are encrypted by Poteston Ransomware What guarantees do we give to you? You can send one of your encrypted file from your PC and we decrypt it for free. and files should not contain valuable information (databases, backups, large excel sheets, etc.). After payment we will send you the decryption tool that will decrypt all your files. Contact us using this email address: [email protected] Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it Your personal ID : ObiZ6mSNEZ70odVMM4rEDT8CfYZPL3lDmFBZxKO5zqTeSxg6X0H677Dd3l4UY3RySHE8nfInzKC/DuXF8PcHY62hMz+Lo/zojxLWpnpV2e2EnQ8sVeX58aYeucp3QztWQ6igezkXvrZU6eTuZdDnbxsSkXkUv9AT9e6PDo0XSvI=

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\SuspendImport.tif.Poteston	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Pictures\OutConvertFrom.raw.Poteston	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Pictures\SkipDisconnect.crw.Poteston	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitUnpublish.tif.Poteston	Windows Session Manager.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Session Manager.exe	Windows Session Manager.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3936	vssadmin.exe
2444	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3160	vssvc.exe
Token: SeRestorePrivilege	3160	vssvc.exe
Token: SeAuditPrivilege	3160	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3524	2388	Windows Session Manager.exe	75
PID 2388 wrote to memory of 3524	2388	Windows Session Manager.exe	75
PID 2388 wrote to memory of 3524	2388	Windows Session Manager.exe	75
PID 3524 wrote to memory of 3936	3524	cmd.exe	77
PID 3524 wrote to memory of 3936	3524	cmd.exe	77
PID 3524 wrote to memory of 3936	3524	cmd.exe	77
PID 2388 wrote to memory of 4028	2388	Windows Session Manager.exe	79
PID 2388 wrote to memory of 4028	2388	Windows Session Manager.exe	79
PID 2388 wrote to memory of 4028	2388	Windows Session Manager.exe	79
PID 4028 wrote to memory of 2444	4028	cmd.exe	82
PID 4028 wrote to memory of 2444	4028	cmd.exe	82
PID 4028 wrote to memory of 2444	4028	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2388-114-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2388-116-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2388-117-0x00000000092F0000-0x00000000092F1000-memory.dmp

Filesize
4KB

Download
memory/2388-118-0x0000000009890000-0x0000000009891000-memory.dmp

Filesize
4KB

Download
memory/2388-119-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2388-123-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/2388-125-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads