Skip to content

S0554 Egregor

Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware.123

Item Value
ID S0554
Associated Names
Version 1.0
Created 29 December 2020
Last Modified 14 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Egregor has communicated with its C2 servers via HTTPS protocol.4
enterprise T1197 BITS Jobs Egregor has used BITSadmin to download and execute malicious DLLs.4
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement.4
enterprise T1059.003 Windows Command Shell Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.65
enterprise T1486 Data Encrypted for Impact Egregor can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note.15
enterprise T1039 Data from Network Shared Drive Egregor can collect any files found in the enumerated drivers before sending it to its C2 channel.1
enterprise T1140 Deobfuscate/Decode Files or Information Egregor has been decrypted before execution.15
enterprise T1484 Domain Policy Modification -
enterprise T1484.001 Group Policy Modification Egregor can modify the GPO to evade detection.5 4
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading Egregor has used DLL side-loading to execute its payload.2
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Egregor has disabled Windows Defender to evade protections.4
enterprise T1105 Ingress Tool Transfer Egregor has the ability to download files from its C2 server.54
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Egregor has masqueraded the svchost.exe process to exfiltrate data.4
enterprise T1106 Native API Egregor has used the Windows API to make detection more difficult.2
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing Egregor‘s payloads are custom-packed, archived and encrypted to prevent analysis.12
enterprise T1069 Permission Groups Discovery -
enterprise T1069.002 Domain Groups Egregor can conduct Active Directory reconnaissance using tools such as Sharphound or AdFind.4
enterprise T1055 Process Injection Egregor can inject its payload into iexplore.exe process.2
enterprise T1219 Remote Access Software Egregor has checked for the LogMein event log in an attempt to encrypt files in remote machines.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.010 Regsvr32 Egregor has used regsvr32.exe to execute malicious DLLs.6
enterprise T1218.011 Rundll32 Egregor has used rundll32 during execution.5
enterprise T1082 System Information Discovery Egregor can perform a language check of the infected system and can query the CPU information (cupid).61
enterprise T1049 System Network Connections Discovery Egregor can enumerate all connected drives.1
enterprise T1033 System Owner/User Discovery Egregor has used tools to gather information about users.4
enterprise T1124 System Time Discovery Egregor contains functionality to query the local/system time.6
enterprise T1497 Virtualization/Sandbox Evasion Egregor has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandboxes.21
enterprise T1497.003 Time Based Evasion Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection.6