5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7

General

Target

TLL.exe
Size

929KB
MD5

5636b827940a35459b1da7d2134d2eda
SHA1

440239dfd292d496f1b1e76541168768e9d9abd3
SHA256

5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7
SHA512

17ad6c4085a3688ccd11cf4e262b637cfa1cfcf84f98aa4ade4a1b472df87f424d5aeb8ccef9d5eebbde99bbac69a7793ef128edca74a1b7800f38d284063276

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

SessionManager.exedllhost.exe

pid process

3384 SessionManager.exe
1940 dllhost.exe
Drops file in Windows directory 2 IoCs

Processes:

SessionManager.exe

description ioc process

File created C:\Windows\dllhost.exe SessionManager.exe
File opened for modification C:\Windows\dllhost.exe SessionManager.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SessionManager.exe

pid process

3384 SessionManager.exe
3384 SessionManager.exe

pid	process
3384	SessionManager.exe
1940	dllhost.exe

description	ioc	process
File created	C:\Windows\dllhost.exe	SessionManager.exe
File opened for modification	C:\Windows\dllhost.exe	SessionManager.exe

pid	process
3384	SessionManager.exe
3384	SessionManager.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TLL.exeSessionManager.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	900	TLL.exe
Token: SeDebugPrivilege	3384	SessionManager.exe
Token: SeDebugPrivilege	1940	dllhost.exe
Token: SeDebugPrivilege	1940	dllhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SessionManager.exedllhost.exe

pid process

3384 SessionManager.exe
1940 dllhost.exe

pid	process
3384	SessionManager.exe
1940	dllhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

TLL.exeSessionManager.exe

description	pid	process	target process
PID 900 wrote to memory of 3384	900	TLL.exe	SessionManager.exe
PID 900 wrote to memory of 3384	900	TLL.exe	SessionManager.exe
PID 900 wrote to memory of 3384	900	TLL.exe	SessionManager.exe
PID 3384 wrote to memory of 1940	3384	SessionManager.exe	dllhost.exe
PID 3384 wrote to memory of 1940	3384	SessionManager.exe	dllhost.exe
PID 3384 wrote to memory of 1940	3384	SessionManager.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\TLL.exe
"C:\Users\Admin\AppData\Local\Temp\TLL.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\SessionManager.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MMC\SessionManager.exe" 900
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\dllhost.exe
"C:\Windows\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\SessionManager.exe
MD5
5636b827940a35459b1da7d2134d2eda

SHA1
440239dfd292d496f1b1e76541168768e9d9abd3

SHA256
5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7

SHA512
17ad6c4085a3688ccd11cf4e262b637cfa1cfcf84f98aa4ade4a1b472df87f424d5aeb8ccef9d5eebbde99bbac69a7793ef128edca74a1b7800f38d284063276

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\SessionManager.exe
MD5
5636b827940a35459b1da7d2134d2eda

SHA1
440239dfd292d496f1b1e76541168768e9d9abd3

SHA256
5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7

SHA512
17ad6c4085a3688ccd11cf4e262b637cfa1cfcf84f98aa4ade4a1b472df87f424d5aeb8ccef9d5eebbde99bbac69a7793ef128edca74a1b7800f38d284063276

Download Submit
C:\Windows\dllhost.exe
MD5
5636b827940a35459b1da7d2134d2eda

SHA1
440239dfd292d496f1b1e76541168768e9d9abd3

SHA256
5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7

SHA512
17ad6c4085a3688ccd11cf4e262b637cfa1cfcf84f98aa4ade4a1b472df87f424d5aeb8ccef9d5eebbde99bbac69a7793ef128edca74a1b7800f38d284063276

Download Submit
C:\Windows\dllhost.exe
MD5
5636b827940a35459b1da7d2134d2eda

SHA1
440239dfd292d496f1b1e76541168768e9d9abd3

SHA256
5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7

SHA512
17ad6c4085a3688ccd11cf4e262b637cfa1cfcf84f98aa4ade4a1b472df87f424d5aeb8ccef9d5eebbde99bbac69a7793ef128edca74a1b7800f38d284063276

Download Submit
memory/900-116-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/900-117-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/900-118-0x0000000005460000-0x00000000054A5000-memory.dmp

Filesize
276KB

Download
memory/900-114-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1940-142-0x0000000005911000-0x0000000005912000-memory.dmp

Filesize
4KB

Download
memory/1940-137-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/1940-127-0x0000000000000000-mapping.dmp

Download
memory/3384-129-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/3384-135-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/3384-126-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3384-136-0x0000000005701000-0x0000000005702000-memory.dmp

Filesize
4KB

Download
memory/3384-140-0x0000000008440000-0x0000000008441000-memory.dmp

Filesize
4KB

Download
memory/3384-119-0x0000000000000000-mapping.dmp

Download
memory/3384-143-0x0000000001410000-0x00000000014BC000-memory.dmp

Filesize
688KB

Download
memory/3384-144-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/3384-145-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing