Resubmissions
- 21-09-2022 15:35  220921-s1bj5scbfr  9
- 18-06-2021 06:44  210618-hbnfahrlfa  10
- 18-06-2021 06:16  210618-zl79572kwa  10

Analysis
- max time kernel: 17s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 18-06-2021 06:16
Static task: static1
Behavioral task: behavioral1
  - Sample: Windows Session Manager.exe
  - Resource: win7v20210408
Behavioral task: behavioral2
  - Sample: Windows Session Manager.exe
  - Resource: win10v20210410
General
- Target: Windows Session Manager.exe
- Size: 278KB
- MD5: 6736b48ac9b71f21d8e41d5a1f27a0a6
- SHA1: 45eb63e779cb9f33209b29a175199a9048bd9035
- SHA256: 5ad38d579fb249b3326a25cffb6f5ffea11b125cda7b61205893432f59a02101
- SHA512: c009278cd156d72957b5a29cec68eb97a0aad8dba7dc3c7a3bb1bba2c96779c41a89a106d65dcb91880fb5e2a639c1b89c87ba3906dd11f4aa7f76fe1f5de8ad
Malware Config
Extracted
- C:\readme.txt
- recovery_Potes@firemail.de
Signatures

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: Windows Session Manager.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\SuspendImport.tif.Poteston | Windows Session Manager.exe
  File opened for modification | C:\Users\Admin\Pictures\OutConvertFrom.raw.Poteston | Windows Session Manager.exe
  File opened for modification | C:\Users\Admin\Pictures\SkipDisconnect.crw.Poteston | Windows Session Manager.exe
  File opened for modification | C:\Users\Admin\Pictures\SubmitUnpublish.tif.Poteston | Windows Session Manager.exe

- Drops startup file (1 IoCs)
  Processes: Windows Session Manager.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Session Manager.exe | Windows Session Manager.exe

- Drops autorun.inf file (1 TTPs)
  Malware can abuse Windows Autorun to spread further via attached volumes.

- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid | process
  3936 | vssadmin.exe
  2444 | vssadmin.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 3160 | vssvc.exe
  Token: SeRestorePrivilege | 3160 | vssvc.exe
  Token: SeAuditPrivilege | 3160 | vssvc.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: Windows Session Manager.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 2388 wrote to memory of 3524 | 2388 | Windows Session Manager.exe | cmd.exe  (recorded 3 times)
  PID 3524 wrote to memory of 3936 | 3524 | cmd.exe | vssadmin.exe  (recorded 3 times)
  PID 2388 wrote to memory of 4028 | 2388 | Windows Session Manager.exe | cmd.exe  (recorded 3 times)
  PID 4028 wrote to memory of 2444 | 4028 | cmd.exe | vssadmin.exe  (recorded 3 times)
Processes

- C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies

- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Matrix (ATT&CK v6)