7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5

General
Target: 7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
Filesize: 789KB
Completed: 20-10-2021 10:07
Score: 10/10
MD5: 64547ac671ff0b66fd75668fbc6ba756
SHA1: aa77a5cd30666369f10cf7faea85477b99c3ed66
SHA256: 7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5

Malware Config
Signatures 2

  • Egregor Ransomware

    Description

    Variant of the Sekhmet ransomware first seen in September 2020.

  • Suspicious use of WriteProcessMemory
    regsvr32.exe

    Reported IOCs

    description                        pid   process       target process
    PID 3116 wrote to memory of 1308   3116  regsvr32.exe  regsvr32.exe
    PID 3116 wrote to memory of 1308   3116  regsvr32.exe  regsvr32.exe
    PID 3116 wrote to memory of 1308   3116  regsvr32.exe  regsvr32.exe
Processes 3
  • C:\Windows\system32\regsvr32.exe (PID 3116)
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
    Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\regsvr32.exe (PID 1308)
      /s C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
  • C:\Windows\System32\rundll32.exe (PID 1352)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/1308-115-0x0000000000000000-mapping.dmp
  • memory/1308-118-0x0000000000700000-0x000000000073F000-memory.dmp
  • memory/1308-121-0x0000000000600000-0x000000000074A000-memory.dmp
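As an added example, not part of the sandbox report, the Python below turns the two signals in this report (regsvr32 /s registering a DLL dropped under %LOCALAPPDATA%\Temp, and regsvr32 writing into a regsvr32 it spawned) into detection logic run over a constructed copy of the process tree and Reported IOCs above, and parses the memory dump names to show which process the dumped regions came from. Parent links are inferred from the nesting in the Processes section (the report lists no PPIDs), and all function names are mine. One caveat a practitioner should keep in mind: a 64-bit regsvr32.exe handed a 32-bit DLL relaunches the SysWOW64 copy itself, and sandboxes typically report that process creation as the parent writing into the child, so the regsvr32-to-regsvr32 write pair alone is weak evidence; the silent registration of a DLL from a temp path and the Egregor family match are what carry the verdict here, which is why the triage function only escalates when the two signals coincide.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # inferred from the report's tree nesting, not listed by the report
    image: str
    cmdline: str


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int


# Constructed from the Processes and Reported IOCs sections of the report above.
DLL = r"C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll"
PROCS = [
    Proc(3116, None, r"C:\Windows\system32\regsvr32.exe", "regsvr32 /s " + DLL),
    Proc(1308, 3116, r"C:\Windows\SysWOW64\regsvr32.exe", "/s " + DLL),
    Proc(1352, None, r"C:\Windows\System32\rundll32.exe",
         r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
         r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
]
WRITES = [MemWrite(3116, 1308)] * 3   # the three identical IOC rows
DUMPS = [
    "memory/1308-115-0x0000000000000000-mapping.dmp",
    "memory/1308-118-0x0000000000700000-0x000000000073F000-memory.dmp",
    "memory/1308-121-0x0000000000600000-0x000000000074A000-memory.dmp",
]

TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.dll", re.IGNORECASE)
DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def regsvr32_silent_temp_dll(procs: List[Proc]) -> List[int]:
    """PIDs of regsvr32.exe registering a DLL from %LOCALAPPDATA%\\Temp with /s (no UI)."""
    hits = []
    for p in procs:
        if image_name(p.image) != "regsvr32.exe":
            continue
        silent = any(a in ("/s", "-s") for a in p.cmdline.lower().split())
        if silent and TEMP_DLL.search(p.cmdline):
            hits.append(p.pid)
    return hits


def regsvr32_writes_into_child(procs: List[Proc], writes: List[MemWrite]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where regsvr32.exe wrote into a regsvr32.exe it spawned."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    pairs = set()
    for w in writes:
        src, dst = by_pid.get(w.src_pid), by_pid.get(w.dst_pid)
        if src is None or dst is None or dst.ppid != src.pid:
            continue
        if image_name(src.image) == image_name(dst.image) == "regsvr32.exe":
            pairs.add((src.pid, dst.pid))
    return sorted(pairs)


def is_wow64_handoff(procs: List[Proc], parent: int, child: int) -> bool:
    """True when the parent is the 64-bit copy (system32) and the child the 32-bit one (SysWOW64)."""
    by_pid = {p.pid: p for p in procs}
    return ("\\system32\\" in by_pid[parent].image.lower()
            and "\\syswow64\\" in by_pid[child].image.lower())


def parse_region_dump(name: str) -> Optional[Dict[str, int]]:
    """Split a '<pid>-<seq>-<start>-<end>-memory.dmp' name into fields; None for mapping dumps."""
    m = DUMP_NAME.search(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def triage(procs: List[Proc], writes: List[MemWrite], dumps: List[str]) -> Dict[str, object]:
    """Combine the signals: escalate only when the write pair involves a temp-path regsvr32."""
    temp_pids = set(regsvr32_silent_temp_dll(procs))
    pairs = regsvr32_writes_into_child(procs, writes)
    regions = [r for r in (parse_region_dump(d) for d in dumps) if r]
    involved = {p for pair in pairs for p in pair}
    return {
        "temp_dll_pids": sorted(temp_pids),
        "parent_child_writes": pairs,
        "handoff_only": all(is_wow64_handoff(procs, a, b) for a, b in pairs),
        "dump_pids": sorted({r["pid"] for r in regions}),
        "escalate": bool(pairs) and bool(temp_pids & involved),
    }


if __name__ == "__main__":
    print(triage(PROCS, WRITES, DUMPS))
```

Running it shows that every dumped region belongs to PID 1308, the SysWOW64 child, which is where an analyst would start carving for the unpacked payload; the `handoff_only` flag records that the write pair is explainable by the 64-to-32-bit relaunch, so the escalation rests on the temp-path DLL registration rather than on the WriteProcessMemory signature alone.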