egregor | aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7 | Triage

Analysis

max time kernel
3s
max time network
10s
platform
windows7_x64
resource
win7v20201028
submitted
30-10-2020 03:10

Sharing

Report Analysis Logs

General

Target

aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7.dll
Size

788KB
MD5

4c36c3533a283e1aa199f80e20d264b9
SHA1

f73e31d11f462f522a883c8f8f06d44f8d3e2f01
SHA256

aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7
SHA512

b2bae09cf2cce6c51b927aec9d9e3d66105337fbc81460350c5b2d255414f14e41c698f8ab4f06d2b98da684d854008bab78bf7a54cdf988969736ebb1272e50

Score

10^/10

egregor ransomware

Malware Config

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 1512	288	regsvr32.exe	26
PID 288 wrote to memory of 1512	288	regsvr32.exe	26
PID 288 wrote to memory of 1512	288	regsvr32.exe	26
PID 288 wrote to memory of 1512	288	regsvr32.exe	26
PID 288 wrote to memory of 1512	288	regsvr32.exe	26
PID 288 wrote to memory of 1512	288	regsvr32.exe	26
PID 288 wrote to memory of 1512	288	regsvr32.exe	26

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7.dll
  2⤵
  PID:1512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-1-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download