Analysis
-
max time kernel
51s -
max time network
100s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
24-06-2021 06:05
General
-
Target
Windows Session Manager.exe
-
Size
1.3MB
-
MD5
000e2743bf3cb96cefc4be357765cec3
-
SHA1
62b9b6afc91e349c56ce967985eec229f7db82aa
-
SHA256
126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3
-
SHA512
b8298aed9d0ac929c9942ff8addce2a3b0e779093dad50fc99242542e8894fb0c45a5d4e60ed33691fc5fbcdeccfc9e50244dad6056500de8a28fddb6f6f275f
Score
10/10
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Drops file in Drivers directory 9 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
NTFS ADS 5 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSDTC2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSDTC3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSDTC4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SQLSERVERAGENT3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop vds2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop vds3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vds4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLWriter2⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLBrowser2⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO12⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$CONTOSO13⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$CONTOSO14⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/300-85-0x0000000000000000-mapping.dmp
-
memory/384-73-0x0000000000000000-mapping.dmp
-
memory/396-71-0x0000000000000000-mapping.dmp
-
memory/484-68-0x0000000000000000-mapping.dmp
-
memory/556-66-0x0000000000000000-mapping.dmp
-
memory/568-77-0x0000000000000000-mapping.dmp
-
memory/572-72-0x0000000000000000-mapping.dmp
-
memory/620-76-0x00000000765F1000-0x00000000765F3000-memory.dmpFilesize
8KB
-
memory/620-75-0x0000000000000000-mapping.dmp
-
memory/788-87-0x0000000000000000-mapping.dmp
-
memory/904-64-0x0000000000000000-mapping.dmp
-
memory/960-90-0x0000000000000000-mapping.dmp
-
memory/1048-74-0x0000000000000000-mapping.dmp
-
memory/1080-88-0x0000000000000000-mapping.dmp
-
memory/1092-67-0x0000000000000000-mapping.dmp
-
memory/1168-82-0x0000000000000000-mapping.dmp
-
memory/1172-59-0x0000000000000000-mapping.dmp
-
memory/1188-86-0x0000000000000000-mapping.dmp
-
memory/1652-78-0x0000000000000000-mapping.dmp
-
memory/1692-84-0x0000000000000000-mapping.dmp
-
memory/1708-63-0x0000000000000000-mapping.dmp
-
memory/1728-65-0x0000000000000000-mapping.dmp
-
memory/1732-60-0x0000000000000000-mapping.dmp
-
memory/1752-81-0x0000000000000000-mapping.dmp
-
memory/1756-61-0x0000000000000000-mapping.dmp
-
memory/1784-83-0x0000000000000000-mapping.dmp
-
memory/1784-62-0x0000000000000000-mapping.dmp
-
memory/1828-80-0x0000000000000000-mapping.dmp
-
memory/1900-70-0x0000000000000000-mapping.dmp
-
memory/1920-69-0x0000000000000000-mapping.dmp
-
memory/1920-91-0x0000000000000000-mapping.dmp
-
memory/1932-89-0x0000000000000000-mapping.dmp