Malware Analysis Report

2024-10-16 03:26

Sample ID: 201104-azbsadahlx
Target: t4.zip
SHA256: b3abb809747d096e3709cf2ff3cd6860f66566d91c8166421552d70e324da276
Tags: egregor ransomware
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: b3abb809747d096e3709cf2ff3cd6860f66566d91c8166421552d70e324da276

Threat Level: Known bad

The file t4.zip was found to be: Known bad.

Malicious Activity Summary

egregor ransomware

Egregor Ransomware

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2020-11-04 18:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-11-04 18:18
Reported: 2020-11-04 18:28
Platform: win10v20201028
Max time kernel: 438s
Max time network: 374s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr2.bat"

Signatures

Egregor Ransomware

ransomware egregor

Opens file in notepad (likely ransom note)

ransomware

Description   Indicator   Process                            Target
N/A           N/A         C:\Windows\System32\NOTEPAD.EXE    N/A

Suspicious use of WriteProcessMemory

Description                         Indicator   Process                              Target
PID 1144 wrote to memory of 2412    N/A         C:\Windows\system32\cmd.exe          C:\Windows\system32\rundll32.exe
PID 1144 wrote to memory of 2412    N/A         C:\Windows\system32\cmd.exe          C:\Windows\system32\rundll32.exe
PID 1924 wrote to memory of 1424    N/A         C:\Windows\system32\cmd.exe          C:\Windows\system32\rundll32.exe
PID 1924 wrote to memory of 1424    N/A         C:\Windows\system32\cmd.exe          C:\Windows\system32\rundll32.exe
PID 1424 wrote to memory of 1640    N/A         C:\Windows\system32\rundll32.exe     C:\Windows\SysWOW64\rundll32.exe
PID 1424 wrote to memory of 1640    N/A         C:\Windows\system32\rundll32.exe     C:\Windows\SysWOW64\rundll32.exe
PID 1424 wrote to memory of 1640    N/A         C:\Windows\system32\rundll32.exe     C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr2.bat"

C:\Windows\system32\rundll32.exe

rundll32.exe "\\SRV01QW\sp\b.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\spr2.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\spr2.bat" "

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc

Network

N/A

Files

memory/2412-0-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\spr2.bat

MD5     06601f912c2218111426670b30510d68
SHA1    fd4c25dd29d0a7dab5e095d4317a983fe9615caf
SHA256  9a97e6034d4c7cc94ba3c6ac6306f7e278609d7e3fcc50e6d3afc0b972cb8549
SHA512  e614ed7a62b81c1ccaecb4a9a70158568db1fb50b85d41607d9d6b1628f015c8fd7e655f5ff613047e0ba918f5588508ac7a42f323f814e51b3a8b7f0859d214

memory/1424-2-0x0000000000000000-mapping.dmp

memory/1640-3-0x0000000000000000-mapping.dmp

memory/1640-4-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-11-04 18:18
Reported: 2020-11-04 18:28
Platform: win10v20201028
Max time kernel: 330s
Max time network: 405s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b.dll

Signatures

Egregor Ransomware

ransomware egregor

Suspicious use of WriteProcessMemory

Description                         Indicator   Process                              Target
PID 3284 wrote to memory of 3480    N/A         C:\Windows\system32\regsvr32.exe     C:\Windows\SysWOW64\regsvr32.exe
PID 3284 wrote to memory of 3480    N/A         C:\Windows\system32\regsvr32.exe     C:\Windows\SysWOW64\regsvr32.exe
PID 3284 wrote to memory of 3480    N/A         C:\Windows\system32\regsvr32.exe     C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\b.dll

Network

N/A

Files

memory/3480-0-0x0000000000000000-mapping.dmp

memory/3480-1-0x00000000005B0000-0x00000000005EF000-memory.dmp