egregor | c497ed1d0a24ab346937b45b5ba1110eb0983251155e22fd13796be224d452ed

Analysis

Target

spr3.bat
Size

121B
MD5

0c126c56fc66b839998961859b7047c7
SHA1

f1079054aeb0d2c7b13f1bbf9d6bb2ec39d369a2
SHA256

0a92524512e6726c7a2839b9b8f0b904829f218054922ec64ea5c85918b13ddd
SHA512

c4acd93085ee0990a92a0af6ba37ddf6f7d73de4775d0fbfa98f1b0c1ee5fd6daa4729fe96d7283d20d9a8ab530a7caa3a4a936c5a7d3cba02109ee674e1182e

Score

10^/10

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1344	1892	cmd.exe	27
PID 1892 wrote to memory of 1344	1892	cmd.exe	27
PID 1892 wrote to memory of 1344	1892	cmd.exe	27
PID 1344 wrote to memory of 1236	1344	rundll32.exe	28
PID 1344 wrote to memory of 1236	1344	rundll32.exe	28
PID 1344 wrote to memory of 1236	1344	rundll32.exe	28
PID 1344 wrote to memory of 1236	1344	rundll32.exe	28
PID 1344 wrote to memory of 1236	1344	rundll32.exe	28
PID 1344 wrote to memory of 1236	1344	rundll32.exe	28
PID 1344 wrote to memory of 1236	1344	rundll32.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b2.dll",DllRegisterServer --Password10Char --append="antani" --multiproc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b2.dll",DllRegisterServer --Password10Char --append="antani" --multiproc
    3⤵
    PID:1236

memory/1236-2-0x0000000000330000-0x000000000036F000-memory.dmp

Filesize
252KB

Download