egregor | ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-10-2022 19:10

Target

ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541.dll
Size

784KB
MD5

427105821263afeeccca05b43ea8dac4
SHA1

fa33fd577f5eb4813bc69dce891361871cda860c
SHA256

ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541
SHA512

d6806fbe2059e218cbaf90c6b61e3f0c2721d5b243fe7deb1d82340ace639b326145fee23d8778dec68a10f4f0321df9e2662d4ac8a79aec19c10357dbd81f7b
SSDEEP

12288:NQmAezlB4hf7yhY96Zh4Wjb16nFztKxHBzS4+fUs3xHxi:TB4iYp2dB+f7R

Score

10^/10

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1628	1096	regsvr32.exe	27
PID 1096 wrote to memory of 1628	1096	regsvr32.exe	27
PID 1096 wrote to memory of 1628	1096	regsvr32.exe	27
PID 1096 wrote to memory of 1628	1096	regsvr32.exe	27
PID 1096 wrote to memory of 1628	1096	regsvr32.exe	27
PID 1096 wrote to memory of 1628	1096	regsvr32.exe	27
PID 1096 wrote to memory of 1628	1096	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541.dll
  2⤵
  PID:1628

memory/1096-54-0x000007FEFC291000-0x000007FEFC293000-memory.dmp

Filesize
8KB

Download
memory/1628-56-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1628-60-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1628-63-0x0000000000220000-0x00000000002A0000-memory.dmp

Filesize
512KB

Download
memory/1628-64-0x0000000000220000-0x00000000002A0000-memory.dmp

Filesize
512KB

Download