egregor | f1d57ed2b3e2deff7a13ddb4682a81d2543bc5bdca1ec934833a38b8e9f18077

General

Target

spr3.bat
Size

120B
MD5

5a93bebc658e9839cd95d418708fc5d8
SHA1

36f5d83b4f7fc32d85e086d14eb0187e4b09cea4
SHA256

cf874be4989a99d539cef4c00c73213ac3d0a9aff044927d175eb6a37d7a3a59
SHA512

f6231d0bce100ac26e41d3b7486a1e7ad6296b967b33c75aa13686800c187e9ac72e98e02c35f7284bf96542bb62da38e9ec2544d6a56c8888b7cbf75d482ee8

Score

10^/10

egregor persistence ransomware spyware

Malware Config

Extracted

Path

C:\RECOVER-FILES.txt

Ransom Note

------------------ | What happened? | ------------------ Your network was ATTACKED, your computers and servers were LOCKED, Your private data was DOWNLOADED. ---------------------- | What does it mean? | ---------------------- It means that soon mass media, your partners and clients WILL KNOW about your PROBLEM. -------------------------- | How it can be avoided? | -------------------------- In order to avoid this issue, you are to COME IN TOUCH WITH US no later than within 3 DAYS and conclude the data recovery and breach fixing AGREEMENT. ------------------------------------------- | What if I do not contact you in 3 days? | ------------------------------------------- If you do not contact us in the next 3 DAYS we will begin DATA publication. ----------------------------- | I can handle it by myself | ----------------------------- It is your RIGHT, but in this case all your data will be published for public USAGE. ------------------------------- | I do not fear your threats! | ------------------------------- That is not the threat, but the algorithm of our actions. If you have hundreds of millions of UNWANTED dollars, there is nothing to FEAR for you. That is the EXACT AMOUNT of money you will spend for recovery and payouts because of PUBLICATION. -------------------------- | You have convinced me! | -------------------------- Then you need to CONTACT US, there is few ways to DO that. I. Recommended (the most secure method) a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR browser c) Open our website with LIVE CHAT in the TOR browser: http://egregor4u5ipdzhv.onion/6C7E94CDB436BE75 d) Follow the instructions on this page. II. If the first method is not suitable for you a) Open our website with LIVE CHAT: https://egregor.top/6C7E94CDB436BE75 b) Follow the instructions on this page. Our LIVE SUPPORT is ready to ASSIST YOU on this website. ---------------------------------------- | What will I get in case of agreement | ---------------------------------------- You WILL GET full DECRYPTION of your machines in the network, FULL FILE LISTING of downloaded data, confirmation of downloaded data DELETION from our servers, RECOMMENDATIONS for securing your network perimeter. And the FULL CONFIDENTIALITY ABOUT INCIDENT. ---------------------------------------------------------------------------------- Do not redact this special technical block, we need this to authorize you. ---EGREGOR--- IzDPuxX6uwisj3H6RtJ9SuoGRk4Xvz1lWktmb15NiVwt2CHijBaQvPeyWwqg8nYTa+uf1HFjQWBd8adPKsh2oJYJF0UH6HCIKxUInF4LNTVy22s7E/dSj4cox+t9+aOo3/CiMSma5R/hKrzkKpoSU9WyCj6RY9GGBgLXcXmrx62pI+TgWnUwfGCdMUQZWFcqjn223JsxZP1eMl0VLVufOLBo+Sjt2i+Xxk5zv5+mI+EAJ+pr7LjmPLSja7L44dep+R+Hciv9mCHdCKfWNEX4lTDJ8VgVcLbPXYq+sQCXBF5t8gklNhtn5TpCvBZgweyw6jWsB10bPF9SjaFta+8lTSp9c37p+As3gtQb0/3vGgsJMRpnmhWhyxemiTyiVLW7wQv55Ij3sdL9Je1xokHsabMAKRY6PqsFQ/PNn8d9tzzqiUhTgdpOkEx6UvmvDsQG8M7GXsr3DK9IVPz4Eai+nDYIvwB+498jRRvGWDvDTsN0Qh3fYM2vlSFSOnxj5XUDHy0GMX2dJhL76Yzf1+hVjzC2LhvNfSGreyxy8RLUzUcNqQRcaFSi9duxTYWauEbhZ7w5OdMLqBg3nbdG3qybv/dUy0ZFc/HdQ1PN4evGA6MuE2a5QQwCu8S4oN6XCIOUQklr+OM/5sBDBR/yTjrf7U2NuTC/dLw83kqPiXWtIrHQPlFEQGtL5rHRyKQV3WmTULD5jEKIW4XdwluEhehumKK0lQGEQv1bivlaaBYyJFzbEvk9hkpIX7nSwz9My0ztb1sM3pewi3a772Q2bgeaEJyO6nE5hnLqSIsAQ6PeUxhXVIgbroa3fgECUVfE0iBjWFmyiBFtPR2u2cVz/Lt1abPGXsoxx49mqNPvV4e3yg9CI2MFmOr+a4ZI5+BVHcn5l2A12gr3hT9GVgqw6242PlsHUlkT3LyMXoWE2B78SSdfTf5VCdeSeelLcjeNAen0DpYf2FEryuWsyIAYViXMy5eGJ/nJipgkTUrVbbybsBom6l7E8rhfRX6VdEz5KsVdwu4mbNmlGfEoWZpmz+2pNGs8a/gnO94knMoAYdLebSugUkfDuwlR2KQjeUDNekU84AXgv16LAqi7C1i4tS9mhzYvECsKFzatWWUT72OuhGqW+SZr6kJ5jF+lXmPwKe9YcnijEoffUgxwshZT9z3HxAJlPQJ+bxb9lpW2nRl8ZLwFZfJnwoUFK8/Nj1swMJ1x6eMc3fz4xkSHzYMLhkIs8rhJotFutzimdyO5kgsOXqJ6Qnawh7YSH16n/VDp6zIdiPj12ammSU+8p3q1vYOOH7Zq3sKStmqKXfk1MceClq9Lu+lk6pCUcliGpQV3WKj0w6mc+E43jTTi7N25EG82Rd6pP71bMnoikjY6bh834ct7Oi6Ny+TqnfOhQ9T1nqjHHkbMWU2QQl4j6D43yKHr6dayLvZ7u9D1Et88MiZReXcxGn1jDJSBO93pzspeLuRVD5hoOaQ1G+A4CI8U2DHAJLQ4DWH8810OivFnHby6XtNA1LQ2sy9TRRr0edbtQBm7r5K0oEBS+RSrsfhSYFvv+N4plL1+f8xunm4+xHH/rf6XWabhbFmhrfsmqvkWSR2K5AQhMteJKvWk0ioXIMBteZnFimcmTOYHEuukjX3uyWHxm36uh5dzD/W1aigoDsRQ5BNV2wEI4VdMwN+eU4OJcDcQ+uJwwyN7vAJpdvU8o4feXL4p1r8Ad54otWfsLmY79USW5WKnLVM4WK5WIlhuvin9O9Iaav1Bzm2yBrkdI/27gLwhtFHqtHYfEwg3KwhEwK8FxEHvSFlkuD3VTDVma66IYenDshRNJwsdSibvnMKLMWHveVPPxCLDjpsWryz8rLJvxrhZyx80U38vZFwgm4uvJiAsGDyOUcoOhkRCB7iwxeqlHUW1CPa5UNnN4SoZ16m71avpLlJ0B2PvquKqoVVR1nUIopYnhWMEsLd77ArRjMIofnq2JWErcaqDZhKpsCux1d5QM6lTavZ10PxlQBz7llpmgZD6fnmhmXz70vtK1aRbVl9pM8y4jrK24B5Udat59Z0tphy8BE14xhccxJjOl9enU+unfLzyco3SNJo+YmZFsrHTJiWegDp+OiPQGsvNxUm+FUv2vneJYdaQmHJDD/tAOhaFzHy97NDB7H8mNFZuZccHrsRqdM7XlixDxpXhSNwNJMZsLiC4NG/XcDftGKODIbH8HhH32NESV1W7ggsol4z3w/ixjWT8jl1WqtegaggKEAEYASCAAigAOhJFAEkARABRAEgAUgBSAEwAAABCIjYAQwA3AEUAOQA0AEMARABCADQAMwA2AEIARQA3ADUAAABKOHwAQwA6AEYAXwAyADQANAAwADQAMwAvADIANgAxADgANAAxAHwARAA6AEMAXwAwAC8AMAB8AAAAUgxBAGQAbQBpAG4AAABoAHIuVwBpAG4AZABvAHcAcwAgADcAIABQAHIAbwBmAGUAcwBzAGkAbwBuAGEAbAAAAHoUVwBPAFIASwBHAFIATwBVAFAAAAA= ---EGREGOR---

URLs

http://egregor4u5ipdzhv.onion/6C7E94CDB436BE75

https://egregor.top/6C7E94CDB436BE75

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EnterGroup.crw => C:\Users\Admin\Pictures\EnterGroup.crw.antani	rundll32.exe
File renamed	C:\Users\Admin\Pictures\RedoRead.tif => C:\Users\Admin\Pictures\RedoRead.tif.antani	rundll32.exe
File renamed	C:\Users\Admin\Pictures\RequestRegister.crw => C:\Users\Admin\Pictures\RequestRegister.crw.antani	rundll32.exe
File renamed	C:\Users\Admin\Pictures\StepComplete.tif => C:\Users\Admin\Pictures\StepComplete.tif.antani	rundll32.exe
File renamed	C:\Users\Admin\Pictures\UnpublishReceive.tif => C:\Users\Admin\Pictures\UnpublishReceive.tif.antani	rundll32.exe
File renamed	C:\Users\Admin\Pictures\AddRegister.crw => C:\Users\Admin\Pictures\AddRegister.crw.antani	rundll32.exe
File renamed	C:\Users\Admin\Pictures\JoinUse.raw => C:\Users\Admin\Pictures\JoinUse.raw.antani	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveEnter.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ReceiveEnter.tiff => C:\Users\Admin\Pictures\ReceiveEnter.tiff.antani	rundll32.exe
File renamed	C:\Users\Admin\Pictures\SetOut.crw => C:\Users\Admin\Pictures\SetOut.crw.antani	rundll32.exe
File renamed	C:\Users\Admin\Pictures\SplitRegister.crw => C:\Users\Admin\Pictures\SplitRegister.crw.antani	rundll32.exe

Drops startup file 2 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6189640.lnk	rundll32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER-FILES.txt	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe

Drops file in Program Files directory 8 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\e6189640.lnk	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RECOVER-FILES.txt	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\e6189640.lnk	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RECOVER-FILES.txt	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\e6189640.lnk	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RECOVER-FILES.txt	rundll32.exe
File created	C:\Program Files\RECOVER-FILES.txt	rundll32.exe
File created	C:\Program Files (x86)\RECOVER-FILES.txt	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\RECOVER-FILES.txt rundll32.exe

description	ioc	process
File created	C:\Windows\RECOVER-FILES.txt	rundll32.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

rundll32.exe

pid	process
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

1584 rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

vssvc.exerundll32.exe

description	pid	process
Token: SeBackupPrivilege	2016	vssvc.exe
Token: SeRestorePrivilege	2016	vssvc.exe
Token: SeAuditPrivilege	2016	vssvc.exe
Token: SeDebugPrivilege	1584	rundll32.exe
Token: SeDebugPrivilege	1584	rundll32.exe
Token: SeDebugPrivilege	1584	rundll32.exe
Token: SeDebugPrivilege	1584	rundll32.exe
Token: SeDebugPrivilege	1584	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2028 wrote to memory of 1552	2028	cmd.exe	rundll32.exe
PID 2028 wrote to memory of 1552	2028	cmd.exe	rundll32.exe
PID 2028 wrote to memory of 1552	2028	cmd.exe	rundll32.exe
PID 1552 wrote to memory of 1584	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1584	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1584	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1584	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1584	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1584	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1584	1552	rundll32.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
3⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVER-FILES.txt
1⤵
PID:1920

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RECOVER-FILES.txt
MD5
4451a81a5390d9a46e4eb5490b3d0489

SHA1
3dec0a56d08da7feba75aa555fdf831ea189fd31

SHA256
eebf20ec05d09a8bedcd1013c20359e6daad8ea4b96c817775077ac2dbde1ed8

SHA512
587fa974433fe91d7caedb5d2f6dc60be45948c860ae76ef718f8ee8e4f17521773ec7989f2ac8d617f8118c0436e91b675872cada1016264209fba8fc9b6926

Download Submit
memory/1320-7-0x000007FEF63F0000-0x000007FEF666A000-memory.dmp

Filesize
2.5MB

Download
memory/1552-0-0x0000000000000000-mapping.dmp

Download
memory/1584-1-0x0000000000000000-mapping.dmp

Download
memory/1584-2-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1584-4-0x00000000008A0000-0x00000000008CA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads