Egregor
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Egregor has communicated with its C2 servers via HTTPS protocol.[4] |
| Enterprise | T1197 | BITS Jobs |
Egregor has used BITSadmin to download and execute malicious DLLs.[4] |
|
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement.[4] |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.[5][6] |
||
| Enterprise | T1486 | Data Encrypted for Impact |
Egregor can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note.[1][6] |
|
| Enterprise | T1039 | Data from Network Shared Drive |
Egregor can collect any files found in the enumerated drivers before sending it to its C2 channel.[1] |
|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ||
| Enterprise | T1484 | .001 | Domain Policy Modification: Group Policy Modification | |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
Egregor has used DLL side-loading to execute its payload.[2] |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Egregor has disabled Windows Defender to evade protections.[4] |
| Enterprise | T1105 | Ingress Tool Transfer |
Egregor has the ability to download files from its C2 server.[6][4] |
|
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Egregor has masqueraded the svchost.exe process to exfiltrate data.[4] |
| Enterprise | T1106 | Native API |
Egregor has used the Windows API to make detection more difficult.[2] |
|
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
Egregor's payloads are custom-packed, archived and encrypted to prevent analysis.[1][2] |
| Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
Egregor can conduct Active Directory reconnaissance using tools such as Sharphound or AdFind.[4] |
| Enterprise | T1055 | Process Injection |
Egregor can inject its payload into iexplore.exe process.[2] |
|
| Enterprise | T1219 | Remote Access Software |
Egregor has checked for the LogMein event log in an attempt to encrypt files in remote machines.[2] |
|
| Enterprise | T1218 | .010 | Signed Binary Proxy Execution: Regsvr32 | |
| .011 | Signed Binary Proxy Execution: Rundll32 | |||
| Enterprise | T1082 | System Information Discovery |
Egregor can perform a language check of the infected system and can query the CPU information (cupid).[5][1] |
|
| Enterprise | T1049 | System Network Connections Discovery | ||
| Enterprise | T1033 | System Owner/User Discovery |
Egregor has used tools to gather information about users.[4] |
|
| Enterprise | T1124 | System Time Discovery |
Egregor contains functionality to query the local/system time.[5] |
|
| Enterprise | T1497 | Virtualization/Sandbox Evasion |
Egregor has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandboxes.[2][1] |
|
| .003 | Time Based Evasion |
Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection.[5] |
||
References
- NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
- Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.
- Meskauskas, T.. (2020, October 29). Egregor: Sekhmet’s Cousin. Retrieved January 6, 2021.