Egregor
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1197 | BITS任务 |
Egregor has used BITSadmin to download and execute malicious DLLs.[4] |
|
| Enterprise | T1039 | 从网络共享驱动器获取数据 |
Egregor can collect any files found in the enumerated drivers before sending it to its C2 channel.[1] |
|
| Enterprise | T1036 | .004 | 伪装: Masquerade Task or Service |
Egregor has masqueraded the svchost.exe process to exfiltrate data.[4] |
| Enterprise | T1574 | .002 | 劫持执行流: DLL Side-Loading |
Egregor has used DLL side-loading to execute its payload.[2] |
| Enterprise | T1140 | 反混淆/解码文件或信息 | ||
| Enterprise | T1059 | .001 | 命令与脚本解释器: PowerShell |
Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement.[4] |
| .003 | 命令与脚本解释器: Windows Command Shell |
Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.[6][5] |
||
| Enterprise | T1484 | .001 | 域或租户策略修改: Group Policy Modification | |
| Enterprise | T1562 | .001 | 妨碍防御: Disable or Modify Tools |
Egregor has disabled Windows Defender to evade protections.[4] |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
Egregor has communicated with its C2 servers via HTTPS protocol.[4] |
| Enterprise | T1486 | 数据加密以实现影响 |
Egregor can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note.[1][5] |
|
| Enterprise | T1106 | 本机API |
Egregor has used the Windows API to make detection more difficult.[2] |
|
| Enterprise | T1069 | .002 | 权限组发现: Domain Groups |
Egregor can conduct Active Directory reconnaissance using tools such as Sharphound or AdFind.[4] |
| Enterprise | T1027 | .002 | 混淆文件或信息: Software Packing |
Egregor's payloads are custom-packed, archived and encrypted to prevent analysis.[1][2] |
| Enterprise | T1218 | .010 | 系统二进制代理执行: Regsvr32 | |
| .011 | 系统二进制代理执行: Rundll32 | |||
| Enterprise | T1082 | 系统信息发现 |
Egregor can perform a language check of the infected system and can query the CPU information (cupid).[6][1] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
Egregor has used tools to gather information about users.[4] |
|
| Enterprise | T1124 | 系统时间发现 |
Egregor contains functionality to query the local/system time.[6] |
|
| Enterprise | T1049 | 系统网络连接发现 | ||
| Enterprise | T1497 | 虚拟化/沙盒规避 |
Egregor has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandboxes.[2][1] |
|
| .003 | Time Based Evasion |
Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection.[6] |
||
| Enterprise | T1105 | 输入工具传输 |
Egregor has the ability to download files from its C2 server.[5][4] |
|
| Enterprise | T1055 | 进程注入 |
Egregor can inject its payload into iexplore.exe process.[2] |
|
| Enterprise | T1219 | 远程访问软件 |
Egregor has checked for the LogMein event log in an attempt to encrypt files in remote machines.[2] |
|
References
- NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
- Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.
- Meskauskas, T.. (2020, October 29). Egregor: Sekhmet’s Cousin. Retrieved January 6, 2021.