Malware Analysis Report

2024-10-16 03:26

Sample ID 210726-m7wv2wbjkx
Target 28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample
SHA256 28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6
Tags
egregor ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6

Threat Level: Known bad

The file 28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample was found to be: Known bad.

Malicious Activity Summary

egregor ransomware

Egregor Ransomware

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-07-26 12:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-26 12:40

Reported

2021-07-26 12:48

Platform

win7v20210408

Max time kernel

20s

Max time network

32s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample.dll

Signatures

Egregor Ransomware

ransomware egregor

Suspicious use of WriteProcessMemory

Description                       Indicator   Process                             Target
PID 1840 wrote to memory of 1408  N/A         C:\Windows\system32\regsvr32.exe    C:\Windows\SysWOW64\regsvr32.exe
PID 1840 wrote to memory of 1408  N/A         C:\Windows\system32\regsvr32.exe    C:\Windows\SysWOW64\regsvr32.exe
PID 1840 wrote to memory of 1408  N/A         C:\Windows\system32\regsvr32.exe    C:\Windows\SysWOW64\regsvr32.exe
PID 1840 wrote to memory of 1408  N/A         C:\Windows\system32\regsvr32.exe    C:\Windows\SysWOW64\regsvr32.exe
PID 1840 wrote to memory of 1408  N/A         C:\Windows\system32\regsvr32.exe    C:\Windows\SysWOW64\regsvr32.exe
PID 1840 wrote to memory of 1408  N/A         C:\Windows\system32\regsvr32.exe    C:\Windows\SysWOW64\regsvr32.exe
PID 1840 wrote to memory of 1408  N/A         C:\Windows\system32\regsvr32.exe    C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample.dll

Network

N/A

Files

memory/1840-60-0x000007FEFB681000-0x000007FEFB683000-memory.dmp

memory/1408-61-0x0000000000000000-mapping.dmp

memory/1408-62-0x0000000074D91000-0x0000000074D93000-memory.dmp

memory/1408-64-0x00000000001F0000-0x000000000022F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-07-26 12:40

Reported

2021-07-26 12:48

Platform

win10v20210408

Max time kernel

33s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample.dll

Signatures

Egregor Ransomware

ransomware egregor

Suspicious use of WriteProcessMemory

Description                       Indicator   Process                             Target
PID 1000 wrote to memory of 3088  N/A         C:\Windows\system32\regsvr32.exe    C:\Windows\SysWOW64\regsvr32.exe
PID 1000 wrote to memory of 3088  N/A         C:\Windows\system32\regsvr32.exe    C:\Windows\SysWOW64\regsvr32.exe
PID 1000 wrote to memory of 3088  N/A         C:\Windows\system32\regsvr32.exe    C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample.dll

Network

N/A

Files

memory/3088-114-0x0000000000000000-mapping.dmp

memory/3088-115-0x0000000000F00000-0x0000000000F3F000-memory.dmp