egregor | aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7 | Triage

Analysis

max time kernel
4s
max time network
12s
platform
windows7_x64
resource
win7v200722
submitted
07/10/2020, 06:08

Sharing

Report Analysis Logs

General

Target

dmocx.dll
Size

788KB
MD5

4c36c3533a283e1aa199f80e20d264b9
SHA1

f73e31d11f462f522a883c8f8f06d44f8d3e2f01
SHA256

aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7
SHA512

b2bae09cf2cce6c51b927aec9d9e3d66105337fbc81460350c5b2d255414f14e41c698f8ab4f06d2b98da684d854008bab78bf7a54cdf988969736ebb1272e50

Score

10^/10

ransomware egregor

Malware Config

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1656	1280	rundll32.exe	24
PID 1280 wrote to memory of 1656	1280	rundll32.exe	24
PID 1280 wrote to memory of 1656	1280	rundll32.exe	24
PID 1280 wrote to memory of 1656	1280	rundll32.exe	24
PID 1280 wrote to memory of 1656	1280	rundll32.exe	24
PID 1280 wrote to memory of 1656	1280	rundll32.exe	24
PID 1280 wrote to memory of 1656	1280	rundll32.exe	24

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmocx.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmocx.dll,#1
  2⤵
  PID:1656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads