Analysis Overview
SHA256
b3abb809747d096e3709cf2ff3cd6860f66566d91c8166421552d70e324da276
Threat Level: Known bad
The file t4.zip was found to be: Known bad.
Malicious Activity Summary
Egregor Ransomware
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2020-11-04 18:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-04 18:18
Reported
2020-11-04 18:28
Platform
win10v20201028
Max time kernel
438s
Max time network
374s
Command Line
Signatures
Egregor Ransomware
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1144 wrote to memory of 2412 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1144 wrote to memory of 2412 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1924 wrote to memory of 1424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1924 wrote to memory of 1424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1424 wrote to memory of 1640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1424 wrote to memory of 1640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1424 wrote to memory of 1640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr2.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe "\\SRV01QW\sp\b.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\spr2.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\spr2.bat" "
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
Network
Files
memory/2412-0-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\spr2.bat
| Hash | Value |
| --- | --- |
| MD5 | 06601f912c2218111426670b30510d68 |
| SHA1 | fd4c25dd29d0a7dab5e095d4317a983fe9615caf |
| SHA256 | 9a97e6034d4c7cc94ba3c6ac6306f7e278609d7e3fcc50e6d3afc0b972cb8549 |
| SHA512 | e614ed7a62b81c1ccaecb4a9a70158568db1fb50b85d41607d9d6b1628f015c8fd7e655f5ff613047e0ba918f5588508ac7a42f323f814e51b3a8b7f0859d214 |
memory/1424-2-0x0000000000000000-mapping.dmp
memory/1640-3-0x0000000000000000-mapping.dmp
memory/1640-4-0x0000000004A20000-0x0000000004A5F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-04 18:18
Reported
2020-11-04 18:28
Platform
win10v20201028
Max time kernel
330s
Max time network
405s
Command Line
Signatures
Egregor Ransomware
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3284 wrote to memory of 3480 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3284 wrote to memory of 3480 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3284 wrote to memory of 3480 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b.dll
Network
Files
memory/3480-0-0x0000000000000000-mapping.dmp
memory/3480-1-0x00000000005B0000-0x00000000005EF000-memory.dmp