Analysis
-
max time kernel
137s -
max time network
135s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
20-10-2021 10:04
Static task
static1
Behavioral task
behavioral1
Sample
7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
Resource
win10-en-20210920
General
-
Target
7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
-
Size
789KB
-
Sample
211020-l37l2ahggj
-
MD5
64547ac671ff0b66fd75668fbc6ba756
-
SHA1
aa77a5cd30666369f10cf7faea85477b99c3ed66
-
SHA256
7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5
-
SHA512
48cd4ad393977057af626ec9a48f16e818cb370d1410ec79ff3ec97b7442cde5a88f7acb98667aa85d401c8ab3a8760d224a055163239909bd83e51df398b3a5
Malware Config
Signatures 2
-
Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
-
Suspicious use of WriteProcessMemory ⋅ 3 IoCs
Processes:
regsvr32.exedescription pid process target process PID 3116 wrote to memory of 1308 3116 regsvr32.exe regsvr32.exe PID 3116 wrote to memory of 1308 3116 regsvr32.exe regsvr32.exe PID 3116 wrote to memory of 1308 3116 regsvr32.exe regsvr32.exe
Processes 3
-
C:\Windows\system32\regsvr32.exePID:3116regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dllSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exePID:1308/s C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
-
C:\Windows\System32\rundll32.exePID:1352C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation