Analysis
- max time kernel: 12s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04/11/2020, 19:17
- Static task static1
- Behavioral task behavioral1: Sample b.dll, Resource win7v20201028
- Behavioral task behavioral2: Sample b.dll, Resource win10v20201028
- Behavioral task behavioral3: Sample spr3.bat, Resource win7v20201028
- Behavioral task behavioral4: Sample spr3.bat, Resource win10v20201028
General
- Target: spr3.bat
- Size: 119B
- MD5: 8e984ff00771127e5479f5b8b4e4578c
- SHA1: 943246b1d46a5e5f7b4628d40b328db127b031ce
- SHA256: 21dc9a270b28598acff210266309ccdd4dd12eeeb3c90bcdda516d1f5a9aabbc
- SHA512: 0721dc7c57aa5fd8adb9f0796f2dc9604a0517d5f563583d48b07f3f2d5b95105ec23cfb26bd1d79344bd99e09620fb0eb5d18767eaf0e6cb7421e56e06f5bae
Malware Config
Signatures
- Egregor Ransomware
  Variant of the Sekhmet ransomware first seen in September 2020.
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid   Process        procid_target
  PID 3936 wrote to memory of 652    3936  cmd.exe        72
  PID 3936 wrote to memory of 652    3936  cmd.exe        72
  PID 652 wrote to memory of 588     652   rundll32.exe   74
  PID 652 wrote to memory of 588     652   rundll32.exe   74
  PID 652 wrote to memory of 588     652   rundll32.exe   74
Processes
- C:\Windows\system32\cmd.exe (PID 3936)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"
  Signature: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 652)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor09 --append="antani" --multiproc
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 588)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor09 --append="antani" --multiproc