Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

b.dll

windows7_x64

10

b.dll

windows10_x64

10

spr3.bat

windows7_x64

10

spr3.bat

windows10_x64

10

Analysis

  • max time kernel
    12s
  • max time network
    118s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04/11/2020, 19:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    spr3.bat

  • Size

    119B

  • MD5

    8e984ff00771127e5479f5b8b4e4578c

  • SHA1

    943246b1d46a5e5f7b4628d40b328db127b031ce

  • SHA256

    21dc9a270b28598acff210266309ccdd4dd12eeeb3c90bcdda516d1f5a9aabbc

  • SHA512

    0721dc7c57aa5fd8adb9f0796f2dc9604a0517d5f563583d48b07f3f2d5b95105ec23cfb26bd1d79344bd99e09620fb0eb5d18767eaf0e6cb7421e56e06f5bae

Score
10/10
egregorransomware

Malware Config

Signatures

  • Egregor Ransomware

    Variant of the Sekhmet ransomware first seen in September 2020.

    ransomwareegregor
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor09 --append="antani" --multiproc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor09 --append="antani" --multiproc
        3⤵
          PID:588

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/588-2-0x0000000002E90000-0x0000000002ECF000-memory.dmp

      Filesize

      252KB

      Download