Analysis

  • max time kernel
    137s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    20-10-2021 10:04

General

  • Target

    7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll

  • Size

    789KB

  • Sample

    211020-l37l2ahggj

  • MD5

    64547ac671ff0b66fd75668fbc6ba756

  • SHA1

    aa77a5cd30666369f10cf7faea85477b99c3ed66

  • SHA256

    7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5

  • SHA512

    48cd4ad393977057af626ec9a48f16e818cb370d1410ec79ff3ec97b7442cde5a88f7acb98667aa85d401c8ab3a8760d224a055163239909bd83e51df398b3a5

Score
10/10

Malware Config

Signatures 2

  • Egregor Ransomware

    Variant of the Sekhmet ransomware first seen in September 2020.

  • Suspicious use of WriteProcessMemory ⋅ 3 IoCs

Processes 3

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
    Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
      PID:1308
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:1352

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Discovery

            Execution

              Exfiltration

                Impact

                  Initial Access

                    Lateral Movement

                      Persistence

                        Privilege Escalation

                          Replay Monitor

                          00:00 00:00

                          Downloads

                          • memory/1308-115-0x0000000000000000-mapping.dmp
                          • memory/1308-118-0x0000000000700000-0x000000000073F000-memory.dmp
                          • memory/1308-121-0x0000000000600000-0x000000000074A000-memory.dmp