Malware Analysis Report

2024-10-16 03:25

Sample ID 201011-qqqpw6macj
Target KB0018463.bin
SHA256 967422de1acc14deb7e7ce803d86aff44e2652bfcd550e3a34c2e37abc883dee
Tags
ransomware egregor
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

967422de1acc14deb7e7ce803d86aff44e2652bfcd550e3a34c2e37abc883dee

Threat Level: Known bad

The file KB0018463.bin was found to be: Known bad.

Malicious Activity Summary

ransomware egregor

Egregor Ransomware

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2020-10-11 23:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-10-11 23:33

Reported

2020-10-11 23:35

Platform

win7

Max time kernel

2s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KB0018463.bin.dll,#1

Signatures

Egregor Ransomware

ransomware egregor

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 1076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 1076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 1076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 1076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 1076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 1076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 1076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KB0018463.bin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KB0018463.bin.dll,#1

Network

N/A

Files

memory/1076-0-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-10-11 23:33

Reported

2020-10-11 23:35

Platform

win10v200722

Max time kernel

12s

Max time network

110s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KB0018463.bin.dll,#1

Signatures

Egregor Ransomware

ransomware egregor

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3952 wrote to memory of 628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3952 wrote to memory of 628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KB0018463.bin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KB0018463.bin.dll,#1

Network

N/A

Files

memory/628-0-0x0000000000000000-mapping.dmp