Analysis

  • max time kernel
    241s
  • max time network
    240s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-12-2020 16:23

General

  • Target

    exec.bat

  • Size

    91B

  • MD5

    4804ff55b6d42529e570c4133b0df987

  • SHA1

    d4ea6ffa38244ca4e2f6fb3f46d383bb0b32f689

  • SHA256

    47ef845da3ad6d91e3737f382fad54cde9a6a1671c8a1a012525141f38614c4a

  • SHA512

    0ba598a394d007bccf2f6ea923f0ee348be1ea3707bca5a45a1be63b3846d3eb259383fa18c3dbf1fda28c42f70224a97a019a1fe8a6be30f56e49587748cb1c

Malware Config

Extracted

Path

C:\RECOVER-FILES.txt

Ransom Note
------------------
| What happened? |
------------------
Your network was ATTACKED, your computers and servers were LOCKED, Your private data was DOWNLOADED.

----------------------
| What does it mean? |
----------------------
It means that soon mass media, your partners and clients WILL KNOW about your PROBLEM.

--------------------------
| How it can be avoided? |
--------------------------
In order to avoid this issue, you are to COME IN TOUCH WITH US no later than within 3 DAYS and conclude the data recovery and breach fixing AGREEMENT.

-------------------------------------------
| What if I do not contact you in 3 days? |
-------------------------------------------
If you do not contact us in the next 3 DAYS we will begin DATA publication.

-----------------------------
| I can handle it by myself |
-----------------------------
It is your RIGHT, but in this case all your data will be published for public USAGE.

-------------------------------
| I do not fear your threats! |
-------------------------------
That is not the threat, but the algorithm of our actions. If you have hundreds of millions of UNWANTED dollars, there is nothing to FEAR for you. That is the EXACT AMOUNT of money you will spend for recovery and payouts because of PUBLICATION.

--------------------------
| You have convinced me! |
--------------------------
Then you need to CONTACT US, there is few ways to DO that.
I. Recommended (the most secure method)
a) Download a special TOR browser: https://www.torproject.org/
b) Install the TOR browser
c) Open our website with LIVE CHAT in the TOR browser: http://egregor4u5ipdzhv.onion/EF07F95C874E8BF1
d) Follow the instructions on this page.
II. If the first method is not suitable for you
a) Open our website with LIVE CHAT: https://egregor.top/EF07F95C874E8BF1
b) Follow the instructions on this page.
Our LIVE SUPPORT is ready to ASSIST YOU on this website.
----------------------------------------
| What will I get in case of agreement |
----------------------------------------
You WILL GET full DECRYPTION of your machines in the network, FULL FILE LISTING of downloaded data, confirmation of downloaded data DELETION from our servers, RECOMMENDATIONS for securing your network perimeter. And the FULL CONFIDENTIALITY ABOUT INCIDENT.

----------------------------------------------------------------------------------
Do not redact this special technical block, we need this to authorize you.
URLs

http://egregor4u5ipdzhv.onion/EF07F95C874E8BF1

https://egregor.top/EF07F95C874E8BF1

Signatures

  • Egregor Ransomware

    Variant of the Sekhmet ransomware first seen in September 2020.

  • Modifies extensions of user files (10 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory (8 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (30 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\exec.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b.dll,DllRegisterServer --pass2police --full
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1100
  • C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b.dll,DllRegisterServer --pass2police --full
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    PID:1228
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:976

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1228-4-0x0000000000240000-0x000000000027F000-memory.dmp

    Filesize

    252KB

  • memory/1228-6-0x0000000000370000-0x000000000039A000-memory.dmp

    Filesize

    168KB