egregor | aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7 | Triage

Analysis

max time kernel
11s
max time network
68s
platform
windows10_x64
resource
win10v200722
submitted
05-10-2020 13:32

Sharing

Report Analysis Logs

General

Target

b.dll
Size

788KB
MD5

4c36c3533a283e1aa199f80e20d264b9
SHA1

f73e31d11f462f522a883c8f8f06d44f8d3e2f01
SHA256

aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7
SHA512

b2bae09cf2cce6c51b927aec9d9e3d66105337fbc81460350c5b2d255414f14e41c698f8ab4f06d2b98da684d854008bab78bf7a54cdf988969736ebb1272e50

Score

10^/10

ransomware egregor

Malware Config

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2884 wrote to memory of 848	2884	rundll32.exe	rundll32.exe
PID 2884 wrote to memory of 848	2884	rundll32.exe	rundll32.exe
PID 2884 wrote to memory of 848	2884	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b.dll,#1
2⤵
PID:848

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/848-0-0x0000000000000000-mapping.dmp

Download