egregor | ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541

Analysis

max time kernel
62s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2022 19:10

Target

ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541.dll
Size

784KB
MD5

427105821263afeeccca05b43ea8dac4
SHA1

fa33fd577f5eb4813bc69dce891361871cda860c
SHA256

ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541
SHA512

d6806fbe2059e218cbaf90c6b61e3f0c2721d5b243fe7deb1d82340ace639b326145fee23d8778dec68a10f4f0321df9e2662d4ac8a79aec19c10357dbd81f7b
SSDEEP

12288:NQmAezlB4hf7yhY96Zh4Wjb16nFztKxHBzS4+fUs3xHxi:TB4iYp2dB+f7R

Score

10^/10

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 984	3008	regsvr32.exe	82
PID 3008 wrote to memory of 984	3008	regsvr32.exe	82
PID 3008 wrote to memory of 984	3008	regsvr32.exe	82

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541.dll
  2⤵
  PID:984

memory/984-133-0x0000000001480000-0x00000000014C0000-memory.dmp

Filesize
256KB

Download
memory/984-139-0x0000000001480000-0x00000000014C0000-memory.dmp

Filesize
256KB

Download