egregor | 7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5 | Triage

Analysis

max time kernel
137s
max time network
135s
platform
windows10_x64
resource
win10-en-20210920
submitted
20-10-2021 10:04

Sharing

Report Analysis Logs

General

Target

7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
Size

789KB
MD5

64547ac671ff0b66fd75668fbc6ba756
SHA1

aa77a5cd30666369f10cf7faea85477b99c3ed66
SHA256

7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5
SHA512

48cd4ad393977057af626ec9a48f16e818cb370d1410ec79ff3ec97b7442cde5a88f7acb98667aa85d401c8ab3a8760d224a055163239909bd83e51df398b3a5

Score

10^/10

egregor ransomware

Malware Config

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 1308	3116	regsvr32.exe	71
PID 3116 wrote to memory of 1308	3116	regsvr32.exe	71
PID 3116 wrote to memory of 1308	3116	regsvr32.exe	71

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
  2⤵
  PID:1308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1308-118-0x0000000000700000-0x000000000073F000-memory.dmp

Filesize
252KB

Download
memory/1308-121-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download