Analysis
-
max time kernel
147s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-11-2020 18:31
Static task
static1
Behavioral task
behavioral1
Sample
sm.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
sm.dll
Resource
win10v20201028
Behavioral task
behavioral3
Sample
spr3.bat
Resource
win7v20201028
Behavioral task
behavioral4
Sample
spr3.bat
Resource
win10v20201028
General
-
Target
spr3.bat
-
Size
120B
-
MD5
5a93bebc658e9839cd95d418708fc5d8
-
SHA1
36f5d83b4f7fc32d85e086d14eb0187e4b09cea4
-
SHA256
cf874be4989a99d539cef4c00c73213ac3d0a9aff044927d175eb6a37d7a3a59
-
SHA512
f6231d0bce100ac26e41d3b7486a1e7ad6296b967b33c75aa13686800c187e9ac72e98e02c35f7284bf96542bb62da38e9ec2544d6a56c8888b7cbf75d482ee8
Malware Config
Extracted
C:\RECOVER-FILES.txt
http://egregor4u5ipdzhv.onion/65358199A7B76337
https://egregor.top/65358199A7B76337
Signatures
-
Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
rundll32.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\FindAssert.tiff rundll32.exe File renamed C:\Users\Admin\Pictures\FindAssert.tiff => C:\Users\Admin\Pictures\FindAssert.tiff.antani rundll32.exe File opened for modification C:\Users\Admin\Pictures\MergeRequest.tiff rundll32.exe File renamed C:\Users\Admin\Pictures\MergeRequest.tiff => C:\Users\Admin\Pictures\MergeRequest.tiff.antani rundll32.exe File renamed C:\Users\Admin\Pictures\MountMeasure.tif => C:\Users\Admin\Pictures\MountMeasure.tif.antani rundll32.exe File renamed C:\Users\Admin\Pictures\ResetRestore.png => C:\Users\Admin\Pictures\ResetRestore.png.antani rundll32.exe File renamed C:\Users\Admin\Pictures\SendCompress.tif => C:\Users\Admin\Pictures\SendCompress.tif.antani rundll32.exe -
Drops startup file 4 IoCs
Processes:
rundll32.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6189640.lnk rundll32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER-FILES.txt rundll32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\e6189640.lnk rundll32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RECOVER-FILES.txt rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Drops file in Program Files directory 2 IoCs
Processes:
rundll32.exedescription ioc process File created C:\Program Files\RECOVER-FILES.txt rundll32.exe File created C:\Program Files (x86)\RECOVER-FILES.txt rundll32.exe -
Drops file in Windows directory 1 IoCs
Processes:
rundll32.exedescription ioc process File created C:\Windows\RECOVER-FILES.txt rundll32.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
rundll32.exepid process 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
rundll32.exepid process 2332 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
vssvc.exerundll32.exedescription pid process Token: SeBackupPrivilege 3732 vssvc.exe Token: SeRestorePrivilege 3732 vssvc.exe Token: SeAuditPrivilege 3732 vssvc.exe Token: SeDebugPrivilege 2332 rundll32.exe Token: SeDebugPrivilege 2332 rundll32.exe Token: SeDebugPrivilege 2332 rundll32.exe Token: SeDebugPrivilege 2332 rundll32.exe Token: SeDebugPrivilege 2332 rundll32.exe Token: SeDebugPrivilege 2332 rundll32.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 636 wrote to memory of 1624 636 cmd.exe rundll32.exe PID 636 wrote to memory of 1624 636 cmd.exe rundll32.exe PID 1624 wrote to memory of 2332 1624 rundll32.exe rundll32.exe PID 1624 wrote to memory of 2332 1624 rundll32.exe rundll32.exe PID 1624 wrote to memory of 2332 1624 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc3⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken