7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5
General
Target: 7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
Filesize: 789KB
Completed: 20-10-2021 10:07
Score: 10/10
MD5: 64547ac671ff0b66fd75668fbc6ba756
SHA1: aa77a5cd30666369f10cf7faea85477b99c3ed66
SHA256: 7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5
Malware Config: none listed.

Signatures (2)

- Egregor Ransomware
  Description: Variant of the Sekhmet ransomware first seen in September 2020.
  Tags: none

- Suspicious use of WriteProcessMemory
  Process: regsvr32.exe
Reported IOCs

description                        pid    process        target process
PID 3116 wrote to memory of 1308   3116   regsvr32.exe   regsvr32.exe

The same row is reported three times (three separate writes). Both ends are regsvr32.exe: the System32 regsvr32.exe is the one tagged with this signature in the process list, so it is the writer (PID 3116), and the target (PID 1308) is the second regsvr32.exe instance, whose memory is what the dumps under Downloads were taken from.
Processes (3)

- Image: C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
  Signature: Suspicious use of WriteProcessMemory

- Image: C:\Windows\SysWOW64\regsvr32.exe
  Command line: /s C:\Users\Admin\AppData\Local\Temp\7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll
  Note: on 64-bit Windows the System32 regsvr32.exe re-launches its SysWOW64 copy when the DLL it is handed is 32-bit, which is why the same DLL argument appears a second time; the /s switch suppresses the registration dialogs in both cases.

- Image: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  Note: this is an out-of-process COM server activation (-Embedding) through shell32's SHCreateLocalServerRunDll. The report does not say which process requested the activation, so it should not be read as malware activity on its own.
Network: no entries listed.

MITRE ATT&CK Matrix: the tactic columns (Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation) are shown with no techniques listed under any of them.
Downloads (memory dumps; the leading number in each name is the PID, 1308, the remaining hex values the dumped address range)

- memory/1308-115-0x0000000000000000-mapping.dmp
- memory/1308-118-0x0000000000700000-0x000000000073F000-memory.dmp
- memory/1308-121-0x0000000000600000-0x000000000074A000-memory.dmp
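The lines this report carries (process entries, the "wrote to memory of" IOC rows, and the memory-dump names) are what a responder usually has to work with first, so the following added example parses them and runs the three checks that matter here: whether regsvr32.exe is silently loading a DLL from a user-writable directory, which process wrote into which and how often, and which address ranges of PID 1308 were dumped (the 0x700000-0x73F000 region lies entirely inside the later 0x600000-0x74A000 dump). This is example code, not part of the sandbox report or of any sandbox API; the constants are constructed from the values on this page and every function and regular expression is an assumption of the example.

```python
"""Parse the three kinds of lines carried by this sandbox report and run the
checks a responder would apply to them. Added example: the constants below are
constructed from the values on the page, and every function name is this
example's own rather than a sandbox API."""
import re
from dataclasses import dataclass
from typing import Optional

DLL = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
       "7600010ee12e098ebebd2cf9e4cab289b465ceb81bd999ae2c6074b8385d7de5.dll")

# Constructed from the report's Processes section: (image, command line).
PROCESSES = [
    ("C:\\Windows\\system32\\regsvr32.exe", "regsvr32 /s " + DLL),
    ("C:\\Windows\\SysWOW64\\regsvr32.exe", "/s " + DLL),
    ("C:\\Windows\\System32\\rundll32.exe",
     "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,"
     "SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
]

# Constructed from the report's Reported IOCs table (one row, listed three times).
IOC_LINES = ["PID 3116 wrote to memory of 1308 3116 regsvr32.exe regsvr32.exe"] * 3

# Constructed from the report's Downloads section.
DUMP_NAMES = [
    "memory/1308-115-0x0000000000000000-mapping.dmp",
    "memory/1308-118-0x0000000000700000-0x000000000073F000-memory.dmp",
    "memory/1308-121-0x0000000000600000-0x000000000074A000-memory.dmp",
]

# Directories an unprivileged user can write to. regsvr32 being asked to load a
# DLL from one of these is the living-off-the-land pattern worth alerting on.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\",
    re.IGNORECASE)


def regsvr32_untrusted_dll(image: str, cmdline: str) -> Optional[str]:
    """Return the DLL path if regsvr32 loads a DLL from a user-writable directory, else None."""
    if not image.lower().endswith("\\regsvr32.exe"):
        return None
    m = re.search(r"(\S+\.dll)\b", cmdline, re.IGNORECASE)
    if not m or not USER_WRITABLE.search(m.group(1)):
        return None
    return m.group(1)


IOC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def cross_process_writes(lines):
    """Collapse repeated 'wrote to memory of' rows into
    (source pid, target pid, source image, target image, count), keeping only
    writes that cross a process boundary."""
    counts = {}
    for line in lines:
        m = IOC_RE.match(line)
        if m:
            key = (int(m[1]), int(m[2]), m[3], m[4])
            counts[key] = counts.get(key, 0) + 1
    return [(*key, n) for key, n in counts.items() if key[0] != key[1]]


# Dump names: memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp (assumed layout,
# derived from the three names on the page).
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-f]+)(?:-0x([0-9a-f]+))?-(\w+)\.dmp",
                     re.IGNORECASE)


@dataclass
class Dump:
    pid: int
    seq: int
    start: int
    end: Optional[int]  # None for a "mapping" dump, which carries no range
    kind: str

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def parse_dumps(names):
    dumps = []
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if m:
            end = int(m[4], 16) if m[4] else None
            dumps.append(Dump(int(m[1]), int(m[2]), int(m[3], 16), end, m[5]))
    return dumps


def overlapping_regions(dumps):
    """Pairs of dump sequence numbers from the same PID whose address ranges
    overlap: a later, larger dump may already contain an earlier one."""
    regions = [d for d in dumps if d.end is not None]
    pairs = []
    for i, a in enumerate(regions):
        for b in regions[i + 1:]:
            if a.pid == b.pid and a.start < b.end and b.start < a.end:
                pairs.append((a.seq, b.seq))
    return pairs


if __name__ == "__main__":
    for image, cmdline in PROCESSES:
        dll = regsvr32_untrusted_dll(image, cmdline)
        if dll:
            print(f"regsvr32 loading DLL from user-writable path: {dll}")
    for src, dst, src_img, dst_img, n in cross_process_writes(IOC_LINES):
        print(f"{src_img} ({src}) wrote into {dst_img} ({dst}) x{n}")
    dumps = parse_dumps(DUMP_NAMES)
    for d in dumps:
        print(f"PID {d.pid} dump #{d.seq}: {d.kind}, size={d.size}")
    print("overlapping dump regions:", overlapping_regions(dumps))
```

Both regsvr32.exe entries trip the user-writable-path check, the rundll32.exe entry does not, and the three identical IOC rows collapse to one cross-process write from 3116 into 1308 with a count of three. When analysing the dumps, start with #121 (0x600000-0x74A000, 0x14A000 bytes): it covers the whole of #118, so the smaller dump only adds value if the region changed between the two snapshots.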