egregor | 3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f | Triage

Analysis

max time kernel
26s
max time network
130s
platform
windows10_x64
resource
win10v20210408
submitted
26-07-2021 12:40

Sharing

Report Analysis Logs

General

Target

3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f.sample.dll
Size

790KB
MD5

65c320bc5258d8fa86aa9ffd876291d3
SHA1

f0215aac7be36a5fedeea51d34d8f8da2e98bf1b
SHA256

3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f
SHA512

897f7d24f6d9a53506ee73aaf692b8293906e1f1fe13539e6d3f88fb8bafa0467632233f2b0e5a2ee1de686667c8d10a6c07f27559ff0f0a382a073e71e575e6

Score

10^/10

egregor ransomware

Malware Config

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1296	3920	regsvr32.exe	74
PID 3920 wrote to memory of 1296	3920	regsvr32.exe	74
PID 3920 wrote to memory of 1296	3920	regsvr32.exe	74

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f.sample.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f.sample.dll
  2⤵
  PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1296-115-0x0000000003280000-0x00000000032BF000-memory.dmp

Filesize
252KB

Download