Overview

overview

10

Static

static

1

AOMEIBacku...up.exe

windows7-x64

5

AOMEIBacku...up.exe

windows10-2004-x64

7

AOMEICyber...ee.exe

windows7-x64

4

AOMEICyber...ee.exe

windows10-2004-x64

4

CBackupSetup.exe

windows7-x64

4

CBackupSetup.exe

windows10-2004-x64

4

FoneTool_setup.exe

windows7-x64

10

FoneTool_setup.exe

windows10-2004-x64

10

MyRecover_...up.exe

windows7-x64

4

MyRecover_...up.exe

windows10-2004-x64

4

MyRecover_...up.exe

windows7-x64

5

MyRecover_...up.exe

windows10-2004-x64

5

Resubmissions

07-03-2024 15:06

240307-sg3jhseb28 10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-03-2024 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FoneTool_setup.exe

  • Size

    181.2MB

  • MD5

    bacde97b524dfea3f7651d79ff9c6cb5

  • SHA1

    3729876fc38bd07a49a578c41a52af2101683fc5

  • SHA256

    4d0b1acb70b620853c9b42b954eb7b7176f5e268fc9bc4b2639a309f7a4417ce

  • SHA512

    5cae32ab6340baeedb76ae5ce6b70b647893ae5a052272db5994a50ff325fb8b9dc9e3745f49b3ebacc9ae91c968b26834b2f29208b2265d434dcd82cabd8964

  • SSDEEP

    3145728:rd3NggXs1bvaJJswsIfZX1reXIx6PhAgSUnSMJW9HAHKtYYrhv7JdJHCXKU+Pcn1:rd3JXs1b7wFfr5xQSMQ9gHKtzRN/4fjp

Score
10/10
egregorransomware

Malware Config

Signatures

  • Detected Egregor ransomware 1 IoCs
  • Egregor Ransomware

    Variant of the Sekhmet ransomware first seen in September 2020.

    ransomwareegregor
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FoneTool_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\FoneTool_setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3272
    • C:\Users\Admin\AppData\Local\Temp\is-KUH9S.tmp\FoneTool_setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-KUH9S.tmp\FoneTool_setup.tmp" /SL5="$501C8,189424112,370688,C:\Users\Admin\AppData\Local\Temp\FoneTool_setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-KUH9S.tmp\FoneTool_setup.tmp
    Filesize

    1.6MB

    MD5

    a46942cd7415973b8cf80f9d8383a488

    SHA1

    76a6ec5b11ee69736c951758b2c8ca6f0e1bc095

    SHA256

    f4c2055b0521b94949f0d85923bbef9d42d00f1c1623346678c055620963665f

    SHA512

    3cc644e238f4077b4fc83ac35e312a670743712739105cff4f9e9c00dd960d8028041a99cd1ccca5de1795d7a4a11540e07550d94294c3556f498030c341de84

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-V50AJ.tmp\PathFormat.dll
    Filesize

    192KB

    MD5

    43c145138d77a5094996fb1ddfc6576d

    SHA1

    e665345aa27a9c172e3a55b0d6d391d8591c3b7e

    SHA256

    18b57a13b39e727407de84b4b70e2010c5bdfe35aa43972298c4412a1f253b41

    SHA512

    4c5b7130d7454166024d2b9e11715c15308b0cf03b6428e83a1a57fc706a6b35715a12c20555c8d14d3d088346ad09cd37205f5ff73c8c32653685fe629a0a17

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-V50AJ.tmp\ipc_plug.dll
    Filesize

    864KB

    MD5

    e4ab018e53afa3ff2065f4eb0c09971f

    SHA1

    03410b8ea04fec6ae373deca5e100223dd65dab5

    SHA256

    fbd3b91063453f0e6b3185297ad1fd5c016d3ace94b13cea854e1fff789dd78a

    SHA512

    143cdcff6fe035636a39129af7b49d9ff6de116334e29492f89f5267f59a86da7f657e6976bf0ae2a01cc230936733264eefb9ac9ccdb05e5d7be9051f0399e2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-V50AJ.tmp\peappend.dll
    Filesize

    1.6MB

    MD5

    0fb3f762086ea334d2377ea5229b8d32

    SHA1

    d3acda6d813ba41e5db699889b6a654204c4ebfc

    SHA256

    91e12c7b83cc0f34403186cceb4c53f6ed2568fb288686a893dffbe66e873ef6

    SHA512

    8e33bd12ea6def2ecc83af89c07be6c2d31bb16b33ec02edb95d60c221b6fe68fce153b108244494368f31c93dcbfaa741499473c5109aa87f484a4e4e5005ec

    Download Submit

  • memory/2796-7-0x0000000000790000-0x0000000000791000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2796-30-0x0000000000400000-0x00000000005B1000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2796-33-0x0000000000790000-0x0000000000791000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3272-0-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3272-2-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3272-29-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download