Analysis
- max time kernel: 438s
- max time network: 374s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-11-2020 18:18
Static task: static1
Behavioral task: behavioral1
- Sample: spr2.bat
- Resource: win10v20201028
Behavioral task: behavioral2
- Sample: b.dll
- Resource: win10v20201028
General
- Target: spr2.bat
- Size: 98B
- MD5: 2d88b7d73bd4e059ecd6cc0e14f8f27e
- SHA1: beca0cb2744e7b031434455e1725b378faa8ccf2
- SHA256: 7d744d7f6f2b68a9984afb859308e88dfcff1b03b2d8ab40cefcd448fda3d876
- SHA512: 36c21edd458398f7e2cf4e2a520c36546d246b2894e8b69443ff14ffda8613b5002d0fd110517e1e2800eca6106fec996d986781788f9ef0f2b8641396ff19ce
Malware Config
Signatures
- Egregor Ransomware
  Variant of the Sekhmet ransomware first seen in September 2020.
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes:
  - pid 236: NOTEPAD.EXE
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, cmd.exe, rundll32.exe
  - PID 1144 (cmd.exe) wrote to memory of PID 2412 (rundll32.exe)
  - PID 1144 (cmd.exe) wrote to memory of PID 2412 (rundll32.exe)
  - PID 1924 (cmd.exe) wrote to memory of PID 1424 (rundll32.exe)
  - PID 1924 (cmd.exe) wrote to memory of PID 1424 (rundll32.exe)
  - PID 1424 (rundll32.exe) wrote to memory of PID 1640 (rundll32.exe)
  - PID 1424 (rundll32.exe) wrote to memory of PID 1640 (rundll32.exe)
  - PID 1424 (rundll32.exe) wrote to memory of PID 1640 (rundll32.exe)
Processes (indentation shows the process tree depth)
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr2.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe "\\SRV01QW\sp\b.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\spr2.bat
  Signatures: Opens file in notepad (likely ransom note)
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\spr2.bat" "
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\spr2.bat
  MD5: 06601f912c2218111426670b30510d68
  SHA1: fd4c25dd29d0a7dab5e095d4317a983fe9615caf
  SHA256: 9a97e6034d4c7cc94ba3c6ac6306f7e278609d7e3fcc50e6d3afc0b972cb8549
  SHA512: e614ed7a62b81c1ccaecb4a9a70158568db1fb50b85d41607d9d6b1628f015c8fd7e655f5ff613047e0ba918f5588508ac7a42f323f814e51b3a8b7f0859d214
- memory/1424-2-0x0000000000000000-mapping.dmp
- memory/1640-3-0x0000000000000000-mapping.dmp
- memory/1640-4-0x0000000004A20000-0x0000000004A5F000-memory.dmp
  Filesize: 252KB
- memory/2412-0-0x0000000000000000-mapping.dmp