Malware Analysis Report
2024-10-16 03:25

Sample ID: 201104-mycxjhnhbs
Target: t5.zip
SHA256: f1d57ed2b3e2deff7a13ddb4682a81d2543bc5bdca1ec934833a38b8e9f18077
Tags: egregor ransomware persistence spyware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: f1d57ed2b3e2deff7a13ddb4682a81d2543bc5bdca1ec934833a38b8e9f18077
Threat Level: Known bad

The file t5.zip was found to be: Known bad.

Malicious Activity Summary

Tags: egregor ransomware persistence spyware

Egregor Ransomware

Modifies extensions of user files

Reads user/profile data of web browsers

Drops startup file

Modifies service

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2020-11-04 18:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-11-04 18:31
Reported: 2020-11-04 18:34
Platform: win7v20201028
Max time kernel: 3s
Max time network: 12s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sm.dll

Signatures

Egregor Ransomware

ransomware egregor

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1808 wrote to memory of 1192 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
(the row above is recorded 7 times in the report)

Processes

C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sm.dll
C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\sm.dll

Network

N/A

Files

memory/1192-0-0x0000000000000000-mapping.dmp

memory/1192-1-0x0000000000280000-0x00000000002BF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-11-04 18:31
Reported: 2020-11-04 18:34
Platform: win10v20201028
Max time kernel: 135s
Max time network: 135s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sm.dll

Signatures

Egregor Ransomware

ransomware egregor

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 936 wrote to memory of 1956 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
(the row above is recorded 3 times in the report)

Processes

C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sm.dll
C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\sm.dll

Network

N/A

Files

memory/1956-0-0x0000000000000000-mapping.dmp

memory/1956-1-0x0000000003110000-0x000000000314F000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2020-11-04 18:31
Reported: 2020-11-04 18:34
Platform: win7v20201028
Max time kernel: 19s
Max time network: 12s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"

Signatures

Egregor Ransomware

ransomware egregor

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\EditStart.tif => C:\Users\Admin\Pictures\EditStart.tif.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MeasureResolve.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\MeasureResolve.tiff => C:\Users\Admin\Pictures\MeasureResolve.tiff.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\MountFind.tif => C:\Users\Admin\Pictures\MountFind.tif.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\ResolveUnlock.raw => C:\Users\Admin\Pictures\ResolveUnlock.raw.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\WriteResolve.crw => C:\Users\Admin\Pictures\WriteResolve.crw.antani | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware

Modifies service

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | C:\Windows\system32\vssvc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
(the SeDebugPrivilege row is recorded 5 times in the report)

Processes

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"
C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/1508-0-0x0000000000000000-mapping.dmp

memory/2000-1-0x0000000000000000-mapping.dmp

memory/2000-2-0x0000000000900000-0x000000000093F000-memory.dmp

memory/2000-4-0x0000000000770000-0x000000000079A000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2020-11-04 18:31
Reported: 2020-11-04 18:34
Platform: win10v20201028
Max time kernel: 147s
Max time network: 147s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"

Signatures

Egregor Ransomware

ransomware egregor

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\FindAssert.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\FindAssert.tiff => C:\Users\Admin\Pictures\FindAssert.tiff.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MergeRequest.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\MergeRequest.tiff => C:\Users\Admin\Pictures\MergeRequest.tiff.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\MountMeasure.tif => C:\Users\Admin\Pictures\MountMeasure.tif.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\ResetRestore.png => C:\Users\Admin\Pictures\ResetRestore.png.antani | C:\Windows\SysWOW64\rundll32.exe | N/A
File renamed | C:\Users\Admin\Pictures\SendCompress.tif => C:\Users\Admin\Pictures\SendCompress.tif.antani | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware

Modifies service

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | C:\Windows\system32\vssvc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
(the row above is recorded 42 times in the report)

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
(the SeDebugPrivilege row is recorded 6 times in the report)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 636 wrote to memory of 1624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
(the row above is recorded 2 times in the report)
PID 1624 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
(the row above is recorded 3 times in the report)

Processes

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"
C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/1624-0-0x0000000000000000-mapping.dmp

memory/2332-1-0x0000000000000000-mapping.dmp

memory/2332-2-0x0000000003560000-0x000000000359F000-memory.dmp

memory/2332-4-0x0000000004ED0000-0x0000000004EFA000-memory.dmp
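Added example (not part of the sandbox report and not Egregor's own tooling): detection logic for the execution chain recorded in behavioral3 and behavioral4, run over constructed Sysmon-style events modelled on those sections' Processes and Files tables. The two regsvr32-only detonations (behavioral1 and behavioral2), which never pass the --passegregor10 argument, recorded no file renames and no ransom notes, while the spr3.bat runs that pass it encrypted Pictures within seconds, so the detector keys on the password-style --pass argument next to the DllRegisterServer export (and takes the --append value as the extension to expect) rather than waiting for the rename burst; it then corroborates with the single-extension rename burst and the RECOVER-FILES.txt fan-out into Startup, Program Files and Windows. The system32 to SysWOW64 handoff of regsvr32.exe and rundll32.exe is the normal 64-bit-to-32-bit relaunch for a 32-bit DLL, so the WriteProcessMemory rows from behavioral1/2 carry no weight. Rule names, weights, thresholds, the ppid 400 parent, the benign plugin.dll control event and the event shape are all assumptions.

```python
"""Detection logic for the Egregor execution chain recorded in behavioral3/4.

Constructed, Sysmon-style events modelled on the report's Processes and Files
tables; not real telemetry. Rule names, weights and thresholds are assumptions.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
RUNDLL_CMD = (r'rundll32.exe "' + TEMP + r'\sm.dll",DllRegisterServer '
              r'--passegregor10 --append="antani" --multiproc')

# Constructed sample events (pids from the behavioral4 tables; ppid 400 is an assumed parent).
EVENTS = [
    {"type": "process", "pid": 636, "ppid": 400, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "' + TEMP + r'\spr3.bat"'},
    {"type": "process", "pid": 1624, "ppid": 636, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": RUNDLL_CMD},
    {"type": "process", "pid": 2332, "ppid": 1624, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": RUNDLL_CMD},
    # behavioral1/2 shape: silent regsvr32 of the same DLL, no password argument, no encryption followed
    {"type": "process", "pid": 936, "ppid": 400, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s " + TEMP + r"\sm.dll"},
    # benign control (assumed): a vendor DLL registered from Program Files
    {"type": "process", "pid": 950, "ppid": 400, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files (x86)\Vendor\plugin.dll"'},
]
for name in ("FindAssert.tiff", "MergeRequest.tiff", "MountMeasure.tif", "ResetRestore.png", "SendCompress.tif"):
    src = r"C:\Users\Admin\Pictures" + "\\" + name
    EVENTS.append({"type": "rename", "pid": 2332, "src": src, "dst": src + ".antani"})
for directory in (STARTUP, r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows"):
    EVENTS.append({"type": "create", "pid": 2332, "path": directory + r"\RECOVER-FILES.txt"})
EVENTS.append({"type": "create", "pid": 2332, "path": STARTUP + r"\e6189640.lnk"})

LOADER = re.compile(r"(?i)\\(rundll32|regsvr32)\.exe$")
DLL_ARG = re.compile(r'(?i)"?([a-z]:\\[^",]+\.dll)"?')
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\(appdata|downloads)\\|\\programdata\\|\\temp\\")
PASS_ARG = re.compile(r"(?i)--pass\S+")
APPEND_ARG = re.compile(r'(?i)--append="?([^"\s]+)"?')


def loader_findings(ev):
    """Rules over one process-creation event for the rundll32/regsvr32 loaders."""
    out = []
    if ev["type"] != "process" or not LOADER.search(ev["image"]):
        return out
    m = DLL_ARG.search(ev["cmdline"])
    dll = m.group(1) if m else None
    if dll and USER_WRITABLE.search(dll):
        out.append(("dll_from_user_writable_path", ev["pid"], dll))
    if "DllRegisterServer" in ev["cmdline"] and PASS_ARG.search(ev["cmdline"]):
        # Password-gated export call as seen on this page; the --append value, when
        # present, predicts the extension the rename burst will use.
        ext = APPEND_ARG.search(ev["cmdline"])
        out.append(("egregor_password_arg", ev["pid"], ext.group(1) if ext else None))
    return out


def mass_rename_findings(events, min_files=3):
    """One extension appended to many distinct files by the same pid."""
    per_pid = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev["type"] == "rename" and ev["dst"].startswith(ev["src"] + "."):
            per_pid[ev["pid"]][ev["dst"][len(ev["src"]) + 1:]].add(ev["src"])
    return [("mass_rename_appended_ext", pid, ext)
            for pid, exts in per_pid.items()
            for ext, files in exts.items() if len(files) >= min_files]


def note_drop_findings(events, min_dirs=3):
    """Same file name created in many directories (note fan-out) and Startup-folder drops."""
    per_pid = defaultdict(lambda: defaultdict(set))
    out = []
    for ev in events:
        if ev["type"] != "create":
            continue
        directory, _, base = ev["path"].rpartition("\\")
        per_pid[ev["pid"]][base].add(directory.lower())
        if directory.lower().endswith("\\start menu\\programs\\startup"):
            out.append(("startup_folder_drop", ev["pid"], base))
    out += [("ransom_note_fanout", pid, base)
            for pid, names in per_pid.items()
            for base, dirs in names.items() if len(dirs) >= min_dirs]
    return out


def analyze(events):
    findings = []
    for ev in events:
        findings += loader_findings(ev)
    return findings + mass_rename_findings(events) + note_drop_findings(events)


def score(findings):
    """Additive weights; the password-gated loader alone should page, before any rename is seen."""
    weights = {"dll_from_user_writable_path": 2, "egregor_password_arg": 6,
               "mass_rename_appended_ext": 5, "ransom_note_fanout": 3, "startup_folder_drop": 2}
    return sum(weights[rule] for rule, _, _ in findings)


if __name__ == "__main__":
    hits = analyze(EVENTS)
    for hit in hits:
        print(hit)
    print("score:", score(hits))
```

On the constructed events the two rundll32 processes (1624 and 2332) each trigger the user-writable-path and password-argument rules, the regsvr32 /s run (936) triggers only the path rule, the Program Files control triggers nothing, and pid 2332 additionally triggers the rename burst, the RECOVER-FILES.txt fan-out and two Startup-folder drops. In production the rename and note rules need the per-process grouping to be keyed on a process GUID rather than a reused pid, and the --append hint should be compared against the extension the rename rule actually observes.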