egregor | f1d57ed2b3e2deff7a13ddb4682a81d2543bc5bdca1ec934833a38b8e9f18077

General

Target

spr3.bat
Size

120B
MD5

5a93bebc658e9839cd95d418708fc5d8
SHA1

36f5d83b4f7fc32d85e086d14eb0187e4b09cea4
SHA256

cf874be4989a99d539cef4c00c73213ac3d0a9aff044927d175eb6a37d7a3a59
SHA512

f6231d0bce100ac26e41d3b7486a1e7ad6296b967b33c75aa13686800c187e9ac72e98e02c35f7284bf96542bb62da38e9ec2544d6a56c8888b7cbf75d482ee8

Score

10^/10

egregor persistence ransomware spyware

Malware Config

Extracted

Path

C:\RECOVER-FILES.txt

Ransom Note

------------------ | What happened? | ------------------ Your network was ATTACKED, your computers and servers were LOCKED, Your private data was DOWNLOADED. ---------------------- | What does it mean? | ---------------------- It means that soon mass media, your partners and clients WILL KNOW about your PROBLEM. -------------------------- | How it can be avoided? | -------------------------- In order to avoid this issue, you are to COME IN TOUCH WITH US no later than within 3 DAYS and conclude the data recovery and breach fixing AGREEMENT. ------------------------------------------- | What if I do not contact you in 3 days? | ------------------------------------------- If you do not contact us in the next 3 DAYS we will begin DATA publication. ----------------------------- | I can handle it by myself | ----------------------------- It is your RIGHT, but in this case all your data will be published for public USAGE. ------------------------------- | I do not fear your threats! | ------------------------------- That is not the threat, but the algorithm of our actions. If you have hundreds of millions of UNWANTED dollars, there is nothing to FEAR for you. That is the EXACT AMOUNT of money you will spend for recovery and payouts because of PUBLICATION. -------------------------- | You have convinced me! | -------------------------- Then you need to CONTACT US, there is few ways to DO that. I. Recommended (the most secure method) a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR browser c) Open our website with LIVE CHAT in the TOR browser: http://egregor4u5ipdzhv.onion/2A8DF942B436BE75 d) Follow the instructions on this page. II. If the first method is not suitable for you a) Open our website with LIVE CHAT: https://egregor.top/2A8DF942B436BE75 b) Follow the instructions on this page. Our LIVE SUPPORT is ready to ASSIST YOU on this website. ---------------------------------------- | What will I get in case of agreement | ---------------------------------------- You WILL GET full DECRYPTION of your machines in the network, FULL FILE LISTING of downloaded data, confirmation of downloaded data DELETION from our servers, RECOMMENDATIONS for securing your network perimeter. And the FULL CONFIDENTIALITY ABOUT INCIDENT. ---------------------------------------------------------------------------------- Do not redact this special technical block, we need this to authorize you. ---EGREGOR--- ImUmG+NryUv0wnauPV5t7V66CoWeykgo5jwYQcSBvPmZR/vkOTrQkvAkwJCg84p49Ehy8ockgfvgSYJEwH3lUQieRb9UVfuTbBJAQHBUhKDakAAJrAYUfneO/2FwH0bcufvAvebtuuU6cLZeBqUKsU6TlLEaNY3sYIhgv2ift4/eV3Th/iKhS8IhyQ9qfDod5Z81n/50q7xiGylwbvwfT+2IWvAApXJSRnlWn9f5Sv4mZ8aVE1cO0Cer2u0ViZ1Hnso3dV66Oa8LnX0gtRanTs70CW/LCeub+QYob1zh2anxDpYRcJ3u9yHVVJJxK2Viqu60BSiX+KoD8JFM4VL9kAlbi3i6I4MLp0IMQVbDDpviPXpH4ceFOZ3ufWELKugYnKgjV8PDUoJu0EDVUWjRqg5Po4mAy7LWXg7TT9Xrk9dMBswP3v8dDg8/EemJyMTW29VeCuepPrA7BejkZpRsw7/kM94x3XWOTDO/LNICbGUxC1ZKnv60hJL5jONzHPMuPmVo+dh2CxDJ5cr/xjjXqeFYAxBQay1NGf6GNfj6pSUQJ5AkCqYqCAHSXdKC2qbn8l14e4UsDup5CVA4Y8nkKcdvmm00QXutIT0lRYgNOR0NyvdfLA/AVPiT9HJ1OeynpEbZ72Ql/eZNE02XLEZogwtxgteSkD5gL/an9fCfTWwWajThgA1V2q+1+POYIBpsLLy9oySbAZJaKXF0MxCfe91vVnRUp3fFiOQbIseZtcW5n0J1BwvMAm2ec/zzspEAzUApOTLAfOUCGPueGbnc3afJSwVMyNu9xGKIvwpNxWHiGzpaEiUa95nlrMwRFB8Tm1oWHfOSxJpK375PTu9I1gbqiOrQ2lFH0PrlQdHFYvGdJ3IXuVmOK7hzLKiIpk6uECa41kyiq/WCL3zE7hfY9pPNL3tX58bf+HyXoXHMJpkbXfsELE+Tvk+Wtbe3vYusEx4Ls7y1SdsKOEd+VLTA8MUVRo4ErQ4R+cnrQZQwHIOinqFT9WIP9UNcKmbZK8S/VAPR/X0GXIYAlL9itXlA9acjf6OWXIgLeFrWquCVEgfpPmx7sur5thMA1OvyV0JP66lFTCRrzR62MYm5MipRZwfl9FiutmIl4HSRRngMSddennuOJiF4IuMbryIt4Ox1t+Dic7SIP2isXvE5ng0w5VicOuscHhfISL5Dgi7Ra/qNicAnGaG2TLaqNKZVhg8W5CAceNdevjvuTJXdcBoynhXsjNjfiAw083NGX1EvqhSg7mT2vHoUF/Emrg23EJvXJmBL5KdHsiYiS+h+lSztlyH2KY1Dz6KZfFxt59OeZ1GNRBiO/O1AGZNnesP2Wez70b7Eu7y3e+8U1OB8lL5Yc9Q1JYp9CBDttOuMqLF37H1rpkIM23zXPA7AkPsVNDcAsroPAIyney1NpPiqZGd4JZPrhJu0l5dTakTHYl2lLaoGYHqdIlQLMjTkNzSS7hWvWtdepYSPOVn/eOJ90q/2T9SB/oSi6QWzOSPei0vldD6Ii08a0KuuIxITl1q6dOuaqOlw5NrRB2yqZGDew4Z1kLaUwXlWN72bQBJohR3BtSwmNcburipcExwfUuIr0KIaWSeK3IMJgscQtqgqKdIPTNyozEyOdZXCQPuuAa+iARI9pSuEonVi/lmsejWKKO5OBWTKeQ31AiOd30bSCHaqyjeJJ/YbxG5TigWgJ/AQzVUoQuco/5PjyGCMxHeJGLQ/y4yNqkrBmCrwk2jx5MddMdAjcfTPKaDMycvSBie76VbJrnW5I8IajbcmRW6diBm1xDr20Ftluc5SDPq8WvivlE/G9iOn8ulAI5I39W69YCKDxciFG8VITfaCr/8eojIctNvDpNs6qOQsLF3jPDPWwz/E1LTq84ENt1+qFdQVnznpRDaZUXvAkDkNB4WYgedVVpLFlXeuQgnQg+3FBSnWcyycLZmmnNrR6I6A8iJuEHnCv/o4YWiLtMUP+/pCt5G6owdu1PJKbpxyN0K0In5pziJJMRmbGALOMROp9jhRLT+UP1yMHYdx2ChL33DcIKQdLYbsauSPeEG9cnIxBQjPSfwUOMtPHf5qZUZiGmN/dUL5eGzuUJIdfCgoWMw4qq+izi6ejri0A2TpMUfphKLHK0ExzZU41j/+7S3DQuGlNdQnqb//yNBIyTCMYD424EfH+qN+bLC8pDEABMsfM+cPTYJaxg/S4VD+m4kzzJEi+pao9mFvwKhRYlxQIAzzgPrDpKZQCQgKEAEYASCAAigAOhJFAEkARABRAEgAUgBSAEwAAABCIjIAQQA4AEQARgA5ADQAMgBCADQAMwA2AEIARQA3ADUAAABKOHwAQwA6AEYAXwAyADQANAAwADUANwAvADIANgAxADgANAAxAHwARAA6AEMAXwAwAC8AMAB8AAAAUgxBAGQAbQBpAG4AAABoAHIuVwBpAG4AZABvAHcAcwAgADcAIABQAHIAbwBmAGUAcwBzAGkAbwBuAGEAbAAAAHoUVwBPAFIASwBHAFIATwBVAFAAAAA= ---EGREGOR---

URLs

http://egregor4u5ipdzhv.onion/2A8DF942B436BE75

https://egregor.top/2A8DF942B436BE75

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\EditStart.tif => C:\Users\Admin\Pictures\EditStart.tif.antani	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureResolve.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\MeasureResolve.tiff => C:\Users\Admin\Pictures\MeasureResolve.tiff.antani	rundll32.exe
File renamed	C:\Users\Admin\Pictures\MountFind.tif => C:\Users\Admin\Pictures\MountFind.tif.antani	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ResolveUnlock.raw => C:\Users\Admin\Pictures\ResolveUnlock.raw.antani	rundll32.exe
File renamed	C:\Users\Admin\Pictures\WriteResolve.crw => C:\Users\Admin\Pictures\WriteResolve.crw.antani	rundll32.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6189640.lnk	rundll32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER-FILES.txt	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\RECOVER-FILES.txt	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\e6189640.lnk	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RECOVER-FILES.txt	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\e6189640.lnk	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RECOVER-FILES.txt	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\e6189640.lnk	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RECOVER-FILES.txt	rundll32.exe
File created	C:\Program Files\RECOVER-FILES.txt	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\RECOVER-FILES.txt	rundll32.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2000	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1692	vssvc.exe
Token: SeRestorePrivilege	1692	vssvc.exe
Token: SeAuditPrivilege	1692	vssvc.exe
Token: SeDebugPrivilege	2000	rundll32.exe
Token: SeDebugPrivilege	2000	rundll32.exe
Token: SeDebugPrivilege	2000	rundll32.exe
Token: SeDebugPrivilege	2000	rundll32.exe
Token: SeDebugPrivilege	2000	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1508	1700	cmd.exe	27
PID 1700 wrote to memory of 1508	1700	cmd.exe	27
PID 1700 wrote to memory of 1508	1700	cmd.exe	27
PID 1508 wrote to memory of 2000	1508	rundll32.exe	28
PID 1508 wrote to memory of 2000	1508	rundll32.exe	28
PID 1508 wrote to memory of 2000	1508	rundll32.exe	28
PID 1508 wrote to memory of 2000	1508	rundll32.exe	28
PID 1508 wrote to memory of 2000	1508	rundll32.exe	28
PID 1508 wrote to memory of 2000	1508	rundll32.exe	28
PID 1508 wrote to memory of 2000	1508	rundll32.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
    3⤵
    - Modifies extensions of user files
    - Drops startup file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    PID:2000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-2-0x0000000000900000-0x000000000093F000-memory.dmp

Filesize
252KB

Download
memory/2000-4-0x0000000000770000-0x000000000079A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing