egregor | 14da004cc96b910fb75abb86df09e318d92f4fb8dda39c8bd6a8e0601b6605d8

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 18:03

Target

14da004cc96b910fb75abb86df09e318d92f4fb8dda39c8bd6a8e0601b6605d8.dll
Size

782KB
MD5

b348a8ea634ee62341dd4d550a59ac2a
SHA1

ae2b651868055c8ce8efed055c152d60601276c1
SHA256

14da004cc96b910fb75abb86df09e318d92f4fb8dda39c8bd6a8e0601b6605d8
SHA512

bc7ddc29182f747fff6f6553a40a4344f51139e8c93d7d0432abdc7d4502a47ea7614c830a5fd0c9ba9b7fe020db3337009fe1ea319d8bfdc917bd1fedc151e1
SSDEEP

12288:MJKq8anpHpFmpoq3vjbL6c1jO4lOXLDw/jv4JCxJj2:AJ8ljCxDwLv4E

Score

10^/10

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1528	1464	regsvr32.exe	26
PID 1464 wrote to memory of 1528	1464	regsvr32.exe	26
PID 1464 wrote to memory of 1528	1464	regsvr32.exe	26
PID 1464 wrote to memory of 1528	1464	regsvr32.exe	26
PID 1464 wrote to memory of 1528	1464	regsvr32.exe	26
PID 1464 wrote to memory of 1528	1464	regsvr32.exe	26
PID 1464 wrote to memory of 1528	1464	regsvr32.exe	26

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\14da004cc96b910fb75abb86df09e318d92f4fb8dda39c8bd6a8e0601b6605d8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\14da004cc96b910fb75abb86df09e318d92f4fb8dda39c8bd6a8e0601b6605d8.dll
  2⤵
  PID:1528

memory/1464-54-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download
memory/1528-56-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1528-57-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1528-63-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download