egregor | b9b71eb04d255b21e3272eef5f4c15d1c208183748dfad3569efd455d87879c6 | Triage

Analysis

max time kernel
15s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
09-12-2020 18:28

Sharing

Report Analysis Logs

General

Target

b9b71eb04d255b21e3272eef5f4c15d1c208183748dfad3569efd455d87879c6.dll
Size

788KB
MD5

e5c83994fb7a6ab58291ac93755d93a6
SHA1

e393e791368c34cf4aecc87760f3eee90d946946
SHA256

b9b71eb04d255b21e3272eef5f4c15d1c208183748dfad3569efd455d87879c6
SHA512

7b9c7af34c1adb502ab3845bf0a32cd3f6838b7afac2a4c85c588a889caa8f2e4e79c77ee2c1ef35baf83fa8adb9fbb1953cd432444e7fed47d1ed44b170d411

Score

10^/10

egregor ransomware

Malware Config

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 816 wrote to memory of 1940	816	regsvr32.exe	regsvr32.exe
PID 816 wrote to memory of 1940	816	regsvr32.exe	regsvr32.exe
PID 816 wrote to memory of 1940	816	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b9b71eb04d255b21e3272eef5f4c15d1c208183748dfad3569efd455d87879c6.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b9b71eb04d255b21e3272eef5f4c15d1c208183748dfad3569efd455d87879c6.dll
2⤵
PID:1940

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-2-0x0000000000000000-mapping.dmp

Download
memory/1940-3-0x0000000000CB0000-0x0000000000CEF000-memory.dmp

Filesize
252KB

Download