Malware Analysis Report

2024-10-16 03:25

Sample ID 201104-8fnztd16dj
Target t5.zip
SHA256 f1d57ed2b3e2deff7a13ddb4682a81d2543bc5bdca1ec934833a38b8e9f18077
Tags
egregor persistence ransomware spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f1d57ed2b3e2deff7a13ddb4682a81d2543bc5bdca1ec934833a38b8e9f18077

Threat Level: Known bad

The file t5.zip was found to be: Known bad.

Malicious Activity Summary

egregor persistence ransomware spyware

Egregor Ransomware

Modifies extensions of user files

Reads user/profile data of web browsers

Drops startup file

Modifies service

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-04 21:31

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2020-11-04 21:31

Reported

2020-11-04 21:34

Platform

win10v20201028

Max time kernel

19s

Max time network

117s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"

Signatures

Egregor Ransomware

ransomware egregor

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware

Modifies service

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | C:\Windows\system32\vssvc.exe | N/A
Note: these Diag subkeys are written by the Volume Shadow Copy service itself as its writers register, so the rows show that vssvc.exe was started during the detonation, not that the sample edited a service. Ransomware usually starts VSS to enumerate or delete shadow copies, but no vssadmin or WMI call is recorded in this report.

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A (42 identical events)

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeDebugPrivilege (6 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
Note: the three vssvc.exe rows are the Volume Shadow Copy service's own privileges, enabled whenever it starts. The row to act on is SeDebugPrivilege being enabled in the 32-bit rundll32.exe that hosts sm.dll.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4768 wrote to memory of 4928 (2 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4928 wrote to memory of 4976 (3 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
Note: both rows are a parent writing into a child it has just created (cmd.exe starting rundll32.exe, then the 64-bit rundll32.exe re-launching its SysWOW64 copy to host the 32-bit sm.dll), which is how process launches appear under this signature. They are not evidence of injection into an unrelated process; the 32-bit rundll32.exe (PID 4976) is the process that goes on to drop the notes and rename files.

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
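As an added example (not part of the sandbox report, and not Egregor's or the sandbox vendor's code), the following Python turns the signatures above into detection logic run over constructed events: the spr3.bat -> 64-bit rundll32.exe -> SysWOW64 rundll32.exe chain, the rundll32 command line that names the DllRegisterServer export of sm.dll and carries the `--passegregor10` launch argument and `--append="antani"`, and the file activity of the 32-bit rundll32.exe. It also checks that the extension declared on the command line is the one actually appended to renamed files (`.antani`, from the behavioral3 detonation), which ties the renames to that process and that command line. The bare `regsvr32 /s sm.dll` detonations (behavioral1, behavioral2) load the DLL but record no file activity, so the switches are what make this sample run. The event field names, the vssvc.exe PID, the rule names and the rename threshold are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample events (not a sandbox export, not the report's own data
# format): the process tree and file activity reported for the spr3.bat
# detonations, reduced to the fields a detection would consume. PIDs 4768,
# 4928 and 4976 come from the behavioral4 WriteProcessMemory rows; the
# vssvc.exe PID is made up. Field names ("pid", "op", "new_path", ...) are
# hypothetical.
SM_DLL = r"C:\Users\Admin\AppData\Local\Temp\sm.dll"
RUNDLL_CMD = (f'rundll32.exe "{SM_DLL}",DllRegisterServer '
              '--passegregor10 --append="antani" --multiproc')
PROCESSES = [
    {"pid": 4768, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"'},
    {"pid": 4928, "ppid": 4768, "image": r"C:\Windows\system32\rundll32.exe", "cmdline": RUNDLL_CMD},
    {"pid": 4976, "ppid": 4928, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": RUNDLL_CMD},
    {"pid": 1234, "ppid": 0, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]
PICTURES = r"C:\Users\Admin\Pictures"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
FILE_EVENTS = [
    {"pid": 4976, "op": "rename", "path": f"{PICTURES}\\{n}", "new_path": f"{PICTURES}\\{n}.antani"}
    for n in ("EnterGroup.crw", "RedoRead.tif", "RequestRegister.crw", "StepComplete.tif",
              "UnpublishReceive.tif", "AddRegister.crw", "JoinUse.raw", "ReceiveEnter.tiff",
              "SetOut.crw", "SplitRegister.crw")
] + [
    {"pid": 4976, "op": "create", "path": p}
    for p in (f"{STARTUP}\\e6189640.lnk", f"{STARTUP}\\RECOVER-FILES.txt",
              r"C:\Windows\RECOVER-FILES.txt")
]

# rundll32 <dll>,<export> <args>; tolerates quoting and a full path to rundll32.
_RUNDLL = re.compile(
    r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\w+)\s*(?P<args>.*)$',
    re.IGNORECASE)
# --key, --key=value or --key="value with spaces"
_SWITCH = re.compile(r'--(?P<key>[\w-]+)(?:=(?:"(?P<q>[^"]*)"|(?P<u>\S*)))?')


def parse_rundll32_cmdline(cmdline):
    """Split a rundll32 command line into DLL, export and --switches (None = no value)."""
    m = _RUNDLL.match(cmdline)
    if not m:
        return None
    switches = {}
    for s in _SWITCH.finditer(m.group("args")):
        switches[s.group("key").lower()] = s.group("q") if s.group("q") is not None else s.group("u")
    return {"dll": m.group("dll"), "export": m.group("export"), "switches": switches}


def process_chain(processes, pid):
    """Image basenames from the root ancestor down to pid, following ppid links."""
    by_pid = {p["pid"]: p for p in processes}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def appended_extensions(file_events):
    """Count renames of the form X -> X.<ext>, keyed by (pid, ext)."""
    counts = Counter()
    for e in file_events:
        if e["op"] == "rename" and e["new_path"].startswith(e["path"] + "."):
            ext = e["new_path"][len(e["path"]) + 1:]
            if ext and "\\" not in ext:
                counts[(e["pid"], ext.lower())] += 1
    return counts


def created_named(file_events, name):
    """Paths of created files whose basename matches name (case-insensitive)."""
    return [e["path"] for e in file_events
            if e["op"] == "create" and e["path"].rsplit("\\", 1)[-1].lower() == name.lower()]


def created_under(file_events, folder):
    """Paths of created files directly or indirectly under folder."""
    return [e["path"] for e in file_events
            if e["op"] == "create" and e["path"].lower().startswith(folder.lower() + "\\")]


def assess(processes, file_events, min_renames=5, startup=STARTUP):
    """Return the findings this detection raises over the sample events."""
    findings = []
    for p in processes:
        parsed = parse_rundll32_cmdline(p["cmdline"])
        if not parsed or parsed["export"].lower() != "dllregisterserver":
            continue
        sw = parsed["switches"]
        if any(k.startswith("passegregor") for k in sw) or "append" in sw:
            findings.append({"rule": "egregor_rundll32_args", "pid": p["pid"], "dll": parsed["dll"],
                             "append": sw.get("append"), "chain": process_chain(processes, p["pid"])})
    declared = {f["pid"]: f["append"] for f in findings}
    for (pid, ext), n in appended_extensions(file_events).items():
        if n >= min_renames:  # many X -> X.<ext> renames by one process
            findings.append({"rule": "mass_rename_appended_ext", "pid": pid, "ext": ext, "count": n,
                             "matches_cmdline": declared.get(pid) == ext})
    notes = created_named(file_events, "RECOVER-FILES.txt")
    if notes:
        findings.append({"rule": "ransom_note_drop", "paths": notes})
    dropped = created_under(file_events, startup)
    if dropped:
        findings.append({"rule": "startup_folder_drop", "paths": dropped})
    return findings


if __name__ == "__main__":
    for finding in assess(PROCESSES, FILE_EVENTS):
        print(finding)
```

On real telemetry the `rename` events would come from a file-activity source such as Sysmon or an EDR, and the rename threshold should be tuned per process rather than fixed; the point of `matches_cmdline` is that a renamed-extension burst whose suffix equals the `--append` value of the rundll32 command line is strong evidence for this loader, not a generic ransomware heuristic.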

Network

N/A

Files

memory/4928-0-0x0000000000000000-mapping.dmp

memory/4976-1-0x0000000000000000-mapping.dmp

memory/4976-2-0x0000000004980000-0x00000000049BF000-memory.dmp

memory/4976-4-0x0000000004AA0000-0x0000000004ACA000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-04 21:31

Reported

2020-11-04 21:34

Platform

win7v20201028

Max time kernel

135s

Max time network

137s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sm.dll

Signatures

Egregor Ransomware

ransomware egregor

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1080 wrote to memory of 1128 (7 events) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
Note: this is the 64-bit regsvr32.exe re-launching its SysWOW64 copy to register the 32-bit sm.dll (the child's command line is just "/s C:\Users\Admin\AppData\Local\Temp\sm.dll"), not injection into an unrelated process. Without the rundll32 switches used by spr3.bat, this detonation records no file activity.

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sm.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\sm.dll

Network

N/A

Files

memory/1128-0-0x0000000000000000-mapping.dmp

memory/1128-1-0x0000000000240000-0x000000000027F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-04 21:31

Reported

2020-11-04 21:34

Platform

win10v20201028

Max time kernel

11s

Max time network

110s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sm.dll

Signatures

Egregor Ransomware

ransomware egregor

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3272 wrote to memory of 1512 (3 events) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sm.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\sm.dll

Network

N/A

Files

memory/1512-0-0x0000000000000000-mapping.dmp

memory/1512-1-0x0000000000C80000-0x0000000000CBF000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2020-11-04 21:31

Reported

2020-11-04 21:34

Platform

win7v20201028

Max time kernel

47s

Max time network

32s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"

Signatures

Egregor Ransomware

ransomware egregor

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\EnterGroup.crw => C:\Users\Admin\Pictures\EnterGroup.crw.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\RedoRead.tif => C:\Users\Admin\Pictures\RedoRead.tif.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\RequestRegister.crw => C:\Users\Admin\Pictures\RequestRegister.crw.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\StepComplete.tif => C:\Users\Admin\Pictures\StepComplete.tif.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnpublishReceive.tif => C:\Users\Admin\Pictures\UnpublishReceive.tif.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\AddRegister.crw => C:\Users\Admin\Pictures\AddRegister.crw.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\JoinUse.raw => C:\Users\Admin\Pictures\JoinUse.raw.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ReceiveEnter.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\ReceiveEnter.tiff => C:\Users\Admin\Pictures\ReceiveEnter.tiff.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\SetOut.crw => C:\Users\Admin\Pictures\SetOut.crw.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\SplitRegister.crw => C:\Users\Admin\Pictures\SplitRegister.crw.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
Note: the appended extension .antani is the value passed as --append="antani" on the rundll32 command line below.

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware

Modifies service

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | C:\Windows\system32\vssvc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeDebugPrivilege (5 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVER-FILES.txt

Network

N/A

Files

memory/1552-0-0x0000000000000000-mapping.dmp

memory/1584-1-0x0000000000000000-mapping.dmp

memory/1584-2-0x0000000000220000-0x000000000025F000-memory.dmp

memory/1584-4-0x00000000008A0000-0x00000000008CA000-memory.dmp

C:\Users\Admin\Desktop\RECOVER-FILES.txt

MD5 4451a81a5390d9a46e4eb5490b3d0489
SHA1 3dec0a56d08da7feba75aa555fdf831ea189fd31
SHA256 eebf20ec05d09a8bedcd1013c20359e6daad8ea4b96c817775077ac2dbde1ed8
SHA512 587fa974433fe91d7caedb5d2f6dc60be45948c860ae76ef718f8ee8e4f17521773ec7989f2ac8d617f8118c0436e91b675872cada1016264209fba8fc9b6926

memory/1320-7-0x000007FEF63F0000-0x000007FEF666A000-memory.dmp