egregor | 61b8878801a2967f58f306223b60ab54575a879bf07884f806501b4d01e9106a | Triage

Analysis

max time kernel
135s
max time network
136s
platform
windows7_x64
resource
win7v20201028
submitted
04-11-2020 21:59

Sharing

Report Analysis Logs

General

Target

b.dll
Size

788KB
MD5

4c36c3533a283e1aa199f80e20d264b9
SHA1

f73e31d11f462f522a883c8f8f06d44f8d3e2f01
SHA256

aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7
SHA512

b2bae09cf2cce6c51b927aec9d9e3d66105337fbc81460350c5b2d255414f14e41c698f8ab4f06d2b98da684d854008bab78bf7a54cdf988969736ebb1272e50

Score

10^/10

egregor ransomware

Malware Config

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1228	1080	regsvr32.exe	26
PID 1080 wrote to memory of 1228	1080	regsvr32.exe	26
PID 1080 wrote to memory of 1228	1080	regsvr32.exe	26
PID 1080 wrote to memory of 1228	1080	regsvr32.exe	26
PID 1080 wrote to memory of 1228	1080	regsvr32.exe	26
PID 1080 wrote to memory of 1228	1080	regsvr32.exe	26
PID 1080 wrote to memory of 1228	1080	regsvr32.exe	26

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b.dll
  2⤵
  PID:1228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-1-0x00000000005D0000-0x000000000060F000-memory.dmp

Filesize
252KB

Download