Triage | Behavioral Report

Analysis

max time kernel
137s
max time network
135s
platform
windows10_x64
resource
win10-en-20210920
submitted
20-10-2021 10:04

Sharing

Report Analysis Logs

General

Target

7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
Size

789KB
MD5

64547ac671ff0b66fd75668fbc6ba756
SHA1

aa77a5cd30666369f10cf7faea85477b99c3ed66
SHA256

7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5
SHA512

48cd4ad393977057af626ec9a48f16e818cb370d1410ec79ff3ec97b7442cde5a88f7acb98667aa85d401c8ab3a8760d224a055163239909bd83e51df398b3a5

Score

10^/10

egregor ransomware

Malware Config

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3116 wrote to memory of 1308	3116	regsvr32.exe	regsvr32.exe
PID 3116 wrote to memory of 1308	3116	regsvr32.exe	regsvr32.exe
PID 3116 wrote to memory of 1308	3116	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
PID:1308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:1352

Network

MITRE ATT&CK Matrix

Replay Monitor

00:00 00:00

Downloads

memory/1308-115-0x0000000000000000-mapping.dmp

Download
memory/1308-118-0x0000000000700000-0x000000000073F000-memory.dmp

Filesize
252KB

Download
memory/1308-121-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1MB

Download