5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7

General

Target

TLL.exe
Size

929KB
MD5

5636b827940a35459b1da7d2134d2eda
SHA1

440239dfd292d496f1b1e76541168768e9d9abd3
SHA256

5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7
SHA512

17ad6c4085a3688ccd11cf4e262b637cfa1cfcf84f98aa4ade4a1b472df87f424d5aeb8ccef9d5eebbde99bbac69a7793ef128edca74a1b7800f38d284063276

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

SessionManager.exeSystemPropertiesPerformance.exe

pid process

1304 SessionManager.exe
1724 SystemPropertiesPerformance.exe
Loads dropped DLL 1 IoCs

Processes:

TLL.exe

pid process

1308 TLL.exe

pid	process
1304	SessionManager.exe
1724	SystemPropertiesPerformance.exe

pid	process
1308	TLL.exe

Drops file in Windows directory 2 IoCs

Processes:

SessionManager.exe

description	ioc	process
File created	C:\Windows\SystemPropertiesPerformance.exe	SessionManager.exe
File opened for modification	C:\Windows\SystemPropertiesPerformance.exe	SessionManager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SessionManager.exe

pid process

1304 SessionManager.exe
1304 SessionManager.exe

pid	process
1304	SessionManager.exe
1304	SessionManager.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TLL.exeSessionManager.exeSystemPropertiesPerformance.exe

description	pid	process
Token: SeDebugPrivilege	1308	TLL.exe
Token: SeDebugPrivilege	1304	SessionManager.exe
Token: SeDebugPrivilege	1724	SystemPropertiesPerformance.exe
Token: SeDebugPrivilege	1724	SystemPropertiesPerformance.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SessionManager.exeSystemPropertiesPerformance.exe

pid process

1304 SessionManager.exe
1724 SystemPropertiesPerformance.exe

pid	process
1304	SessionManager.exe
1724	SystemPropertiesPerformance.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

TLL.exeSessionManager.exe

description	pid	process	target process
PID 1308 wrote to memory of 1304	1308	TLL.exe	SessionManager.exe
PID 1308 wrote to memory of 1304	1308	TLL.exe	SessionManager.exe
PID 1308 wrote to memory of 1304	1308	TLL.exe	SessionManager.exe
PID 1308 wrote to memory of 1304	1308	TLL.exe	SessionManager.exe
PID 1304 wrote to memory of 1724	1304	SessionManager.exe	SystemPropertiesPerformance.exe
PID 1304 wrote to memory of 1724	1304	SessionManager.exe	SystemPropertiesPerformance.exe
PID 1304 wrote to memory of 1724	1304	SessionManager.exe	SystemPropertiesPerformance.exe
PID 1304 wrote to memory of 1724	1304	SessionManager.exe	SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\Temp\TLL.exe
"C:\Users\Admin\AppData\Local\Temp\TLL.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Roaming\Microsoft\MMC\SessionManager.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\MMC\SessionManager.exe" 1308
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SystemPropertiesPerformance.exe
    "C:\Windows\SystemPropertiesPerformance.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\SessionManager.exe

MD5
5636b827940a35459b1da7d2134d2eda

SHA1
440239dfd292d496f1b1e76541168768e9d9abd3

SHA256
5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7

SHA512
17ad6c4085a3688ccd11cf4e262b637cfa1cfcf84f98aa4ade4a1b472df87f424d5aeb8ccef9d5eebbde99bbac69a7793ef128edca74a1b7800f38d284063276

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\SessionManager.exe

MD5
5636b827940a35459b1da7d2134d2eda

SHA1
440239dfd292d496f1b1e76541168768e9d9abd3

SHA256
5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7

SHA512
17ad6c4085a3688ccd11cf4e262b637cfa1cfcf84f98aa4ade4a1b472df87f424d5aeb8ccef9d5eebbde99bbac69a7793ef128edca74a1b7800f38d284063276

Download Submit
C:\Windows\SystemPropertiesPerformance.exe

MD5
5636b827940a35459b1da7d2134d2eda

SHA1
440239dfd292d496f1b1e76541168768e9d9abd3

SHA256
5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7

SHA512
17ad6c4085a3688ccd11cf4e262b637cfa1cfcf84f98aa4ade4a1b472df87f424d5aeb8ccef9d5eebbde99bbac69a7793ef128edca74a1b7800f38d284063276

Download Submit
C:\Windows\SystemPropertiesPerformance.exe

MD5
5636b827940a35459b1da7d2134d2eda

SHA1
440239dfd292d496f1b1e76541168768e9d9abd3

SHA256
5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7

SHA512
17ad6c4085a3688ccd11cf4e262b637cfa1cfcf84f98aa4ade4a1b472df87f424d5aeb8ccef9d5eebbde99bbac69a7793ef128edca74a1b7800f38d284063276

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\MMC\SessionManager.exe

MD5
5636b827940a35459b1da7d2134d2eda

SHA1
440239dfd292d496f1b1e76541168768e9d9abd3

SHA256
5f15219a3137edce6d551f39a939d0d31fefb8b87d82f38be81c5ff6c7f60ce7

SHA512
17ad6c4085a3688ccd11cf4e262b637cfa1cfcf84f98aa4ade4a1b472df87f424d5aeb8ccef9d5eebbde99bbac69a7793ef128edca74a1b7800f38d284063276

Download Submit
memory/1304-82-0x0000000004E70000-0x0000000004F1C000-memory.dmp

Filesize
688KB

Download
memory/1304-80-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1304-66-0x0000000000000000-mapping.dmp

Download
memory/1304-69-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1308-65-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/1308-60-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1308-63-0x00000000004C0000-0x0000000000505000-memory.dmp

Filesize
276KB

Download
memory/1308-62-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1724-73-0x0000000000000000-mapping.dmp

Download
memory/1724-76-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/1724-81-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads