Analysis Overview
SHA256
28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6
Threat Level: Known bad
The file 28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample was found to be: Known bad.
Malicious Activity Summary
Egregor Ransomware
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-07-26 12:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-07-26 12:40
Reported
2021-07-26 12:48
Platform
win7v20210408
Max time kernel
20s
Max time network
32s
Command Line
Signatures
Egregor Ransomware
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1840 wrote to memory of 1408 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1840 wrote to memory of 1408 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1840 wrote to memory of 1408 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1840 wrote to memory of 1408 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1840 wrote to memory of 1408 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1840 wrote to memory of 1408 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1840 wrote to memory of 1408 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample.dll
Network
Files
memory/1840-60-0x000007FEFB681000-0x000007FEFB683000-memory.dmp
memory/1408-61-0x0000000000000000-mapping.dmp
memory/1408-62-0x0000000074D91000-0x0000000074D93000-memory.dmp
memory/1408-64-0x00000000001F0000-0x000000000022F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-07-26 12:40
Reported
2021-07-26 12:48
Platform
win10v20210408
Max time kernel
33s
Max time network
125s
Command Line
Signatures
Egregor Ransomware
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1000 wrote to memory of 3088 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1000 wrote to memory of 3088 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1000 wrote to memory of 3088 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6.sample.dll
Network
Files
memory/3088-114-0x0000000000000000-mapping.dmp
memory/3088-115-0x0000000000F00000-0x0000000000F3F000-memory.dmp