egregor | 2473441e6f56cfefbfe844f80aaede0508690588c474da36e2ee91c5b64f69b5 | Triage

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-en-20211104
submitted
08-11-2021 09:40

Sharing

Report Analysis Logs

General

Target

4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321.dll
Size

790KB
MD5

a654b3a37c27810db180822b72ad6d3e
SHA1

d2d9484276a208641517a2273d96f34de1394b8e
SHA256

4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321
SHA512

181027d766c0c206b4a66273bdc4df5efad3f205533eb1f8af8b01bb6d320d59c15515cd19e56f20c72476e07c1529a5a9b280bdfb57e197c3dd071077d4d4ba

Score

10^/10

egregor ransomware

Malware Config

Signatures

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1608 wrote to memory of 772	1608	regsvr32.exe	regsvr32.exe
PID 1608 wrote to memory of 772	1608	regsvr32.exe	regsvr32.exe
PID 1608 wrote to memory of 772	1608	regsvr32.exe	regsvr32.exe
PID 1608 wrote to memory of 772	1608	regsvr32.exe	regsvr32.exe
PID 1608 wrote to memory of 772	1608	regsvr32.exe	regsvr32.exe
PID 1608 wrote to memory of 772	1608	regsvr32.exe	regsvr32.exe
PID 1608 wrote to memory of 772	1608	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321.dll
2⤵
PID:772

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/772-56-0x0000000000000000-mapping.dmp

Download
memory/772-57-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/772-58-0x0000000000340000-0x000000000037F000-memory.dmp

Filesize
252KB

Download
memory/1608-55-0x000007FEFB8D1000-0x000007FEFB8D3000-memory.dmp

Filesize
8KB

Download