Analysis
max time kernel: 101s
max time network: 102s
platform: windows7_x64
resource: win7v20201028
submitted: 04-11-2020 20:44
Static task: static1

Behavioral task: behavioral1
Sample: sm.dll
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: sm.dll
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds

Behavioral task: behavioral3
Sample: spr3.bat
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral4
Sample: spr3.bat
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds
General
Target: spr3.bat
Size: 104B
MD5: be24d1c626ab197263bd959d649a5f3c
SHA1: 531babc643f30cbf124b8b851bc00aaed02d56f3
SHA256: c6f6c3193603de650e709bae9f31c3749859ba88fd71b678be264e2bb46efa10
SHA512: 66c094d2ae497bc46eee18eff05bd2faf087ec21e6bd731328301b1d91828b58f86ca523b8ac78ebd57ee111b2cbfb3848e0bad4fa5f0a77c398dfbe4f4509f7
Score: 10/10
Malware Config

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: cmd.exe, rundll32.exe

description                          pid   process       target process
PID 1072 wrote to memory of 1436     1072  cmd.exe       rundll32.exe
PID 1072 wrote to memory of 1436     1072  cmd.exe       rundll32.exe
PID 1072 wrote to memory of 1436     1072  cmd.exe       rundll32.exe
PID 1436 wrote to memory of 2028     1436  rundll32.exe  rundll32.exe
PID 1436 wrote to memory of 2028     1436  rundll32.exe  rundll32.exe
PID 1436 wrote to memory of 2028     1436  rundll32.exe  rundll32.exe
PID 1436 wrote to memory of 2028     1436  rundll32.exe  rundll32.exe
PID 1436 wrote to memory of 2028     1436  rundll32.exe  rundll32.exe
PID 1436 wrote to memory of 2028     1436  rundll32.exe  rundll32.exe
PID 1436 wrote to memory of 2028     1436  rundll32.exe  rundll32.exe
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --append="antani" --multiproc
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sm.dll",DllRegisterServer --append="antani" --multiproc