Analysis Overview
SHA256
f1d57ed2b3e2deff7a13ddb4682a81d2543bc5bdca1ec934833a38b8e9f18077
Threat Level: Known bad
The file t5.zip was found to be: Known bad.
Malicious Activity Summary
Egregor Ransomware
Modifies extensions of user files
Reads user/profile data of web browsers
Drops startup file
Modifies service
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-04 18:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-04 18:31
Reported
2020-11-04 18:34
Platform
win7v20201028
Max time kernel
3s
Max time network
12s
Command Line
Signatures
Egregor Ransomware
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1808 wrote to memory of 1192 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1808 wrote to memory of 1192 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1808 wrote to memory of 1192 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1808 wrote to memory of 1192 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1808 wrote to memory of 1192 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1808 wrote to memory of 1192 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1808 wrote to memory of 1192 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sm.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\sm.dll
Network
Files
memory/1192-0-0x0000000000000000-mapping.dmp
memory/1192-1-0x0000000000280000-0x00000000002BF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-04 18:31
Reported
2020-11-04 18:34
Platform
win10v20201028
Max time kernel
135s
Max time network
135s
Command Line
Signatures
Egregor Ransomware
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 936 wrote to memory of 1956 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 936 wrote to memory of 1956 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 936 wrote to memory of 1956 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sm.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\sm.dll
Network
Files
memory/1956-0-0x0000000000000000-mapping.dmp
memory/1956-1-0x0000000003110000-0x000000000314F000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2020-11-04 18:31
Reported
2020-11-04 18:34
Platform
win7v20201028
Max time kernel
19s
Max time network
12s
Command Line
Signatures
Egregor Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\EditStart.tif => C:\Users\Admin\Pictures\EditStart.tif.antani | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MeasureResolve.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MeasureResolve.tiff => C:\Users\Admin\Pictures\MeasureResolve.tiff.antani | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MountFind.tif => C:\Users\Admin\Pictures\MountFind.tif.antani | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResolveUnlock.raw => C:\Users\Admin\Pictures\ResolveUnlock.raw.antani | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WriteResolve.crw => C:\Users\Admin\Pictures\WriteResolve.crw.antani | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Modifies service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | C:\Windows\system32\vssvc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
memory/1508-0-0x0000000000000000-mapping.dmp
memory/2000-1-0x0000000000000000-mapping.dmp
memory/2000-2-0x0000000000900000-0x000000000093F000-memory.dmp
memory/2000-4-0x0000000000770000-0x000000000079A000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2020-11-04 18:31
Reported
2020-11-04 18:34
Platform
win10v20201028
Max time kernel
147s
Max time network
147s
Command Line
Signatures
Egregor Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\FindAssert.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FindAssert.tiff => C:\Users\Admin\Pictures\FindAssert.tiff.antani | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MergeRequest.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MergeRequest.tiff => C:\Users\Admin\Pictures\MergeRequest.tiff.antani | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MountMeasure.tif => C:\Users\Admin\Pictures\MountMeasure.tif.antani | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResetRestore.png => C:\Users\Admin\Pictures\ResetRestore.png.antani | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SendCompress.tif => C:\Users\Admin\Pictures\SendCompress.tif.antani | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\e6189640.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Modifies service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | C:\Windows\system32\vssvc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\RECOVER-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 636 wrote to memory of 1624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 636 wrote to memory of 1624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1624 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1624 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1624 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --passegregor10 --append="antani" --multiproc
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
memory/1624-0-0x0000000000000000-mapping.dmp
memory/2332-1-0x0000000000000000-mapping.dmp
memory/2332-2-0x0000000003560000-0x000000000359F000-memory.dmp
memory/2332-4-0x0000000004ED0000-0x0000000004EFA000-memory.dmp