egregor | 4d0b1acb70b620853c9b42b954eb7b7176f5e268fc9bc4b2639a309f7a4417ce

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoneTool_setup.exe
Size

181.2MB
MD5

bacde97b524dfea3f7651d79ff9c6cb5
SHA1

3729876fc38bd07a49a578c41a52af2101683fc5
SHA256

4d0b1acb70b620853c9b42b954eb7b7176f5e268fc9bc4b2639a309f7a4417ce
SHA512

5cae32ab6340baeedb76ae5ce6b70b647893ae5a052272db5994a50ff325fb8b9dc9e3745f49b3ebacc9ae91c968b26834b2f29208b2265d434dcd82cabd8964
SSDEEP

3145728:rd3NggXs1bvaJJswsIfZX1reXIx6PhAgSUnSMJW9HAHKtYYrhv7JdJHCXKU+Pcn1:rd3JXs1b7wFfr5xQSMQ9gHKtzRN/4fjp

Score

10^/10

egregor persistence ransomware

Malware Config

Signatures

Detected Egregor ransomware 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023225-17.dat	family_egregor

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ambinstover	FoneTool_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ambinstover	FoneTool_setup.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\FoneTool\heif.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\imageformats\qwbmp.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\api-ms-win-core-profile-l1-1-0.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\libxml2.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\Qt5Positioning.dll	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-01467.tmp	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\api-ms-win-core-interlocked-l1-1-0.dll	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-19RKQ.tmp	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-8TF8R.tmp	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\libxslt.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\api-ms-win-crt-convert-l1-1-0.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\itunes\icudt62.dll	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-HDBB8.tmp	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\fiber_pool-vc142-mt-x32.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\libcrypto-1_1.dll	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-QS29S.tmp	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\api-ms-win-core-rtlsupport-l1-1-0.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\api-ms-win-crt-environment-l1-1-0.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\uistyle.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\api-ms-win-core-errorhandling-l1-1-0.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\libssl-1_1.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\Qt5Gui.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\Qt5Widgets.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\zlib1.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\imageformats\qtiff.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\curlpp.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\platforms\qwindows.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\itunes\CFNetwork.dll	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-8338K.tmp	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\zip.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\ucrtbase.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\platforms\mfplat.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\api-ms-win-core-timezone-l1-1-0.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\icuuc65.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\libGLESv2.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\Qt5WinExtras.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\Qt5WebKit.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\imageformats\qheif.dll	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-H73S4.tmp	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\itunes\SQLite3.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\itunes\pthreadVC2.dll	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-69R8T.tmp	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-960SG.tmp	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\api-ms-win-core-console-l1-1-0.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\itunes\libxml2.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\Qt5SerialPort.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\Qt5WebEngineWidgets.dll	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-I18BM.tmp	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\libexpat.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\Qt5Core.dll	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-HS6U8.tmp	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-T73M9.tmp	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\itunes\libdispatch.dll	FoneTool_setup.tmp
File created	C:\Program Files (x86)\FoneTool\is-1KJR6.tmp	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\api-ms-win-core-debug-l1-1-0.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\imageformats\qwebp.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\icudt65.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\ftcli.exe	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\imgdedup.exe	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\nlog.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\uiframe.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\api-ms-win-crt-time-l1-1-0.dll	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\minibrowser.exe	FoneTool_setup.tmp
File opened for modification	C:\Program Files (x86)\FoneTool\platforms\qoffscreen.dll	FoneTool_setup.tmp

Executes dropped EXE 1 IoCs

pid	Process
3500	FoneTool_setup.tmp

Loads dropped DLL 3 IoCs

pid	Process
3500	FoneTool_setup.tmp
3500	FoneTool_setup.tmp
3500	FoneTool_setup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3500	FoneTool_setup.tmp
3500	FoneTool_setup.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	3500	FoneTool_setup.tmp
Token: SeSecurityPrivilege	3500	FoneTool_setup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3500	FoneTool_setup.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 3500	4872	FoneTool_setup.exe	95
PID 4872 wrote to memory of 3500	4872	FoneTool_setup.exe	95
PID 4872 wrote to memory of 3500	4872	FoneTool_setup.exe	95

C:\Users\Admin\AppData\Local\Temp\FoneTool_setup.exe
"C:\Users\Admin\AppData\Local\Temp\FoneTool_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\is-DB0I0.tmp\FoneTool_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DB0I0.tmp\FoneTool_setup.tmp" /SL5="$80224,189424112,370688,C:\Users\Admin\AppData\Local\Temp\FoneTool_setup.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-DB0I0.tmp\FoneTool_setup.tmp

Filesize
1.6MB

MD5
a46942cd7415973b8cf80f9d8383a488

SHA1
76a6ec5b11ee69736c951758b2c8ca6f0e1bc095

SHA256
f4c2055b0521b94949f0d85923bbef9d42d00f1c1623346678c055620963665f

SHA512
3cc644e238f4077b4fc83ac35e312a670743712739105cff4f9e9c00dd960d8028041a99cd1ccca5de1795d7a4a11540e07550d94294c3556f498030c341de84

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TGLI0.tmp\PathFormat.dll

Filesize
192KB

MD5
43c145138d77a5094996fb1ddfc6576d

SHA1
e665345aa27a9c172e3a55b0d6d391d8591c3b7e

SHA256
18b57a13b39e727407de84b4b70e2010c5bdfe35aa43972298c4412a1f253b41

SHA512
4c5b7130d7454166024d2b9e11715c15308b0cf03b6428e83a1a57fc706a6b35715a12c20555c8d14d3d088346ad09cd37205f5ff73c8c32653685fe629a0a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TGLI0.tmp\ipc_plug.dll

Filesize
864KB

MD5
e4ab018e53afa3ff2065f4eb0c09971f

SHA1
03410b8ea04fec6ae373deca5e100223dd65dab5

SHA256
fbd3b91063453f0e6b3185297ad1fd5c016d3ace94b13cea854e1fff789dd78a

SHA512
143cdcff6fe035636a39129af7b49d9ff6de116334e29492f89f5267f59a86da7f657e6976bf0ae2a01cc230936733264eefb9ac9ccdb05e5d7be9051f0399e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TGLI0.tmp\peappend.dll

Filesize
1.6MB

MD5
0fb3f762086ea334d2377ea5229b8d32

SHA1
d3acda6d813ba41e5db699889b6a654204c4ebfc

SHA256
91e12c7b83cc0f34403186cceb4c53f6ed2568fb288686a893dffbe66e873ef6

SHA512
8e33bd12ea6def2ecc83af89c07be6c2d31bb16b33ec02edb95d60c221b6fe68fce153b108244494368f31c93dcbfaa741499473c5109aa87f484a4e4e5005ec

Download Submit
memory/3500-7-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3500-30-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/3500-33-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/4872-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4872-2-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4872-29-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download