Malware Analysis Report

2024-10-16 03:26

Sample ID 201104-tbsnadsazx
Target t6-zip.zip
SHA256 260b414641d3cb4105b2728c88965bffad88f63460f0cab4bcb8bbb9a1c2f8ca
Tags
egregor ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

260b414641d3cb4105b2728c88965bffad88f63460f0cab4bcb8bbb9a1c2f8ca

Threat Level: Known bad

The file t6-zip.zip was found to be: Known bad.

Malicious Activity Summary

egregor ransomware

Egregor Ransomware

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2020-11-04 18:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-04 18:50

Reported

2020-11-04 18:52

Platform

win7v20201028

Max time kernel

138s

Max time network

137s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b.dll

Signatures

Egregor Ransomware

ransomware egregor

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 1436 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1660 wrote to memory of 1436 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1660 wrote to memory of 1436 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1660 wrote to memory of 1436 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1660 wrote to memory of 1436 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1660 wrote to memory of 1436 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1660 wrote to memory of 1436 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\b.dll

Network

N/A

Files

memory/1436-0-0x0000000000000000-mapping.dmp

memory/1436-1-0x00000000008C0000-0x00000000008FF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-04 18:50

Reported

2020-11-04 18:52

Platform

win10v20201028

Max time kernel

10s

Max time network

111s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b.dll

Signatures

Egregor Ransomware

ransomware egregor

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4720 wrote to memory of 4868 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4720 wrote to memory of 4868 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4720 wrote to memory of 4868 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\b.dll

Network

N/A

Files

memory/4868-0-0x0000000000000000-mapping.dmp

memory/4868-1-0x0000000002F30000-0x0000000002F6F000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2020-11-04 18:50

Reported

2020-11-04 18:52

Platform

win7v20201028

Max time kernel

5s

Max time network

14s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"

Signatures

Egregor Ransomware

ransomware egregor

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor11 --append="antani" --multiproc

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor11 --append="antani" --multiproc

Network

N/A

Files

memory/1640-0-0x0000000000000000-mapping.dmp

memory/1840-1-0x0000000000000000-mapping.dmp

memory/1840-2-0x00000000003C0000-0x00000000003FF000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2020-11-04 18:50

Reported

2020-11-04 18:52

Platform

win10v20201028

Max time kernel

15s

Max time network

113s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"

Signatures

Egregor Ransomware

ransomware egregor

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 1884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2484 wrote to memory of 1884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1884 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spr3.bat"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor11 --append="antani" --multiproc

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b.dll",DllRegisterServer --passegregor11 --append="antani" --multiproc

Network

N/A

Files

memory/1884-0-0x0000000000000000-mapping.dmp

memory/2732-1-0x0000000000000000-mapping.dmp

memory/2732-2-0x0000000000DF0000-0x0000000000E2F000-memory.dmp