Overview

overview

10

Static

static

Windows Se...er.exe

windows7_x64

10

Windows Se...er.exe

windows10_x64

8

Resubmissions

25/06/2021, 20:08

210625-1ay8ymabc6 10

24/06/2021, 06:05

210624-z3rv4e1ed2 10

Analysis

  • max time kernel
    40s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    24/06/2021, 06:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Windows Session Manager.exe

  • Size

    1.3MB

  • MD5

    000e2743bf3cb96cefc4be357765cec3

  • SHA1

    62b9b6afc91e349c56ce967985eec229f7db82aa

  • SHA256

    126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3

  • SHA512

    b8298aed9d0ac929c9942ff8addce2a3b0e779093dad50fc99242542e8894fb0c45a5d4e60ed33691fc5fbcdeccfc9e50244dad6056500de8a28fddb6f6f275f

Score
8/10
evasionransomwarespywarestealer

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • NTFS ADS 21 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSDTC
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:616
      • C:\Windows\SysWOW64\net.exe
        net stop MSDTC
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSDTC
          4⤵
            PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        2⤵
          PID:2572
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
          2⤵
            PID:4028
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
            2⤵
              PID:4088
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3284
              • C:\Windows\SysWOW64\net.exe
                net stop SQLSERVERAGENT
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3980
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop SQLSERVERAGENT
                  4⤵
                    PID:3940
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3388
                • C:\Windows\SysWOW64\net.exe
                  net stop MSSQLSERVER
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1220
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop MSSQLSERVER
                    4⤵
                      PID:3856
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c net stop vds
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2100
                  • C:\Windows\SysWOW64\net.exe
                    net stop vds
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:504
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop vds
                      4⤵
                        PID:2412
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3928
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh advfirewall set currentprofile state off
                      3⤵
                        PID:3708
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1428
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall set opmode mode=disable
                        3⤵
                          PID:1888
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c net stop SQLWriter
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1532
                        • C:\Windows\SysWOW64\net.exe
                          net stop SQLWriter
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1112
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop SQLWriter
                            4⤵
                              PID:4092
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c net stop SQLBrowser
                          2⤵
                            PID:1824
                            • C:\Windows\SysWOW64\net.exe
                              net stop SQLBrowser
                              3⤵
                                PID:3448
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 stop SQLBrowser
                                  4⤵
                                    PID:3472
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                                2⤵
                                  PID:4008
                                  • C:\Windows\SysWOW64\net.exe
                                    net stop MSSQLSERVER
                                    3⤵
                                      PID:3748
                                      • C:\Windows\SysWOW64\net1.exe
                                        C:\Windows\system32\net1 stop MSSQLSERVER
                                        4⤵
                                          PID:3388
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
                                      2⤵
                                        PID:3860
                                        • C:\Windows\SysWOW64\net.exe
                                          net stop MSSQL$CONTOSO1
                                          3⤵
                                            PID:1724
                                            • C:\Windows\SysWOW64\net1.exe
                                              C:\Windows\system32\net1 stop MSSQL$CONTOSO1
                                              4⤵
                                                PID:2104

                                        Network

                                        MITRE ATT&CK Enterprise v6

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads