egregor | 9c900078cc6061fb7ba038ee5c065a45112665f214361d433fc3906bf288e0eb | Triage

Analysis

max time kernel
2s
max time network
16s
platform
windows7_x64
resource
win7
submitted
11-10-2020 22:16

Sharing

Report Analysis Logs

General

Target

sm.bin.dll
Size

790KB
MD5

d6fa64f36eab990669f0b81f84b9a78a
SHA1

ed5b60a640a19afe8d1281bf691f40bac34eba8a
SHA256

9c900078cc6061fb7ba038ee5c065a45112665f214361d433fc3906bf288e0eb
SHA512

de1a28c2110af3fec74ca62fbf0f641b0d731b470a1ebff5b2ec0d8dac336f92414e3c577512e716275a11a8ddd3897db620925122774b1849b954efc0f975e1

Score

10^/10

ransomware egregor

Malware Config

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1424 wrote to memory of 1100	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1100	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1100	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1100	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1100	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1100	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1100	1424	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sm.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sm.bin.dll,#1
2⤵
PID:1100

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-0-0x0000000000000000-mapping.dmp

Download