Overview

overview

9

Static

static

Windows Se...er.exe

windows10-1703-x64

9

Resubmissions

21/09/2022, 15:35

220921-s1bj5scbfr 9

18/06/2021, 06:44

210618-hbnfahrlfa 10

18/06/2021, 06:16

210618-zl79572kwa 10

Analysis

  • max time kernel
    192s
  • max time network
    179s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21/09/2022, 15:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Windows Session Manager.exe

  • Size

    278KB

  • MD5

    6736b48ac9b71f21d8e41d5a1f27a0a6

  • SHA1

    45eb63e779cb9f33209b29a175199a9048bd9035

  • SHA256

    5ad38d579fb249b3326a25cffb6f5ffea11b125cda7b61205893432f59a02101

  • SHA512

    c009278cd156d72957b5a29cec68eb97a0aad8dba7dc3c7a3bb1bba2c96779c41a89a106d65dcb91880fb5e2a639c1b89c87ba3906dd11f4aa7f76fe1f5de8ad

  • SSDEEP

    6144:AhyeUdWgyNuXCphsogRi+xB+jyVEdIcbvjb7DiPQZu7xsyPD:AhyldyFp6e++yVDcbbX2PQgVsy

Score
9/10
ransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops autorun.inf file
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4284
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2184
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4564
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3244.0.720600280\1544405978" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1520 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3244 "\\.\pipe\gecko-crash-server-pipe.3244" 1612 gpu
          3⤵
            PID:4772
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3244.3.1751154567\232861042" -childID 1 -isForBrowser -prefsHandle 2232 -prefMapHandle 2156 -prefsLen 156 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3244 "\\.\pipe\gecko-crash-server-pipe.3244" 2244 tab
            3⤵
              PID:1576
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3244.13.883416061\1593369347" -childID 2 -isForBrowser -prefsHandle 3404 -prefMapHandle 3400 -prefsLen 6938 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3244 "\\.\pipe\gecko-crash-server-pipe.3244" 3380 tab
              3⤵
                PID:2256
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\readme.txt
            1⤵
            • Opens file in notepad (likely ransom note)
            PID:3552
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Favorites\Links\readme.txt
            1⤵
            • Opens file in notepad (likely ransom note)
            PID:2308
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\Saved Pictures\readme.txt
            1⤵
              PID:4488
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\readme.txt
              1⤵
              • Opens file in notepad (likely ransom note)
              PID:4160

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\Favorites\Links\readme.txt
              Filesize

              830B

              MD5

              3e81ce33f7337732047e7843861cc072

              SHA1

              9a463370970f8a804538e74648508622af274e57

              SHA256

              c006a7093280d66b712a0bbefcdd9a858c85186beebd763989c24fc7d67d5e56

              SHA512

              3fe9e670fb92c4559488827f35558c811cec129d52db51e1a5aceda10cda9f2f0853e9e6da6ee1fe97d281d98b8414eef4889718c5fa4dc9d786e166236fcda8

              Download Submit

            • C:\Users\Admin\Pictures\Saved Pictures\readme.txt
              Filesize

              830B

              MD5

              3e81ce33f7337732047e7843861cc072

              SHA1

              9a463370970f8a804538e74648508622af274e57

              SHA256

              c006a7093280d66b712a0bbefcdd9a858c85186beebd763989c24fc7d67d5e56

              SHA512

              3fe9e670fb92c4559488827f35558c811cec129d52db51e1a5aceda10cda9f2f0853e9e6da6ee1fe97d281d98b8414eef4889718c5fa4dc9d786e166236fcda8

              Download Submit

            • C:\readme.txt
              Filesize

              830B

              MD5

              3e81ce33f7337732047e7843861cc072

              SHA1

              9a463370970f8a804538e74648508622af274e57

              SHA256

              c006a7093280d66b712a0bbefcdd9a858c85186beebd763989c24fc7d67d5e56

              SHA512

              3fe9e670fb92c4559488827f35558c811cec129d52db51e1a5aceda10cda9f2f0853e9e6da6ee1fe97d281d98b8414eef4889718c5fa4dc9d786e166236fcda8

              Download Submit

            • memory/2648-153-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-156-0x00000000022E0000-0x00000000022E6000-memory.dmp

              Filesize

              24KB

              Download

            • memory/2648-121-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-122-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-123-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-124-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-125-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-126-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-127-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-157-0x000000000A1C0000-0x000000000A25C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/2648-128-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-130-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-132-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-133-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-134-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-135-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-136-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-137-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-138-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-139-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-140-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-141-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-142-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-143-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-144-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-145-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-146-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-147-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-148-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-149-0x0000000000160000-0x00000000001B0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/2648-150-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-151-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-152-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-115-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-154-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-120-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-155-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-129-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-158-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-159-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-160-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-161-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-162-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-163-0x000000000A760000-0x000000000AC5E000-memory.dmp

              Filesize

              5.0MB

              Download

            • memory/2648-164-0x000000000A2E0000-0x000000000A346000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2648-165-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-166-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-167-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-168-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-169-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-170-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-171-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-172-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-177-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-180-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-175-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-181-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-116-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-117-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-118-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-183-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-185-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2648-249-0x000000000AEE0000-0x000000000AF72000-memory.dmp

              Filesize

              584KB

              Download

            • memory/2648-119-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/4620-179-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/4620-182-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/4620-178-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/4620-176-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/4620-174-0x0000000077C70000-0x0000000077DFE000-memory.dmp

              Filesize

              1.6MB

              Download