egregor | a9d483c0f021b72a94324562068d8164f8cce0aa8f779faea304669390775436

Analysis

max time kernel
164s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 18:43

Target

a9d483c0f021b72a94324562068d8164f8cce0aa8f779faea304669390775436.dll
Size

783KB
MD5

666f8d920f85f9afffcf0865a98efe69
SHA1

50c3b800294f7ee4bde577d99f2118fc1c4ba3b9
SHA256

a9d483c0f021b72a94324562068d8164f8cce0aa8f779faea304669390775436
SHA512

f7cc441a86a47e7be6010e2deaca7ab365de4d739e7d6b4d3f05748fcff1444e60f42241932ee40ef1e9a93f72a5f1a92263bf19d72b5fae47c8756e3386c911
SSDEEP

12288:N85TCAgejIrgj04Z/9gjbw6nFztKekwiN7UK5TNCT7hLr6+RJl+:STCR4tapwN7Hf87w0/

Score

10^/10

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 3040	1952	regsvr32.exe	82
PID 1952 wrote to memory of 3040	1952	regsvr32.exe	82
PID 1952 wrote to memory of 3040	1952	regsvr32.exe	82

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a9d483c0f021b72a94324562068d8164f8cce0aa8f779faea304669390775436.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\a9d483c0f021b72a94324562068d8164f8cce0aa8f779faea304669390775436.dll
  2⤵
  PID:3040

memory/3040-133-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/3040-139-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download