Analysis
- max time kernel: 5s
- max time network: 9s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 07-04-2021 13:22
Static task: static1
Behavioral task: behavioral1
- Sample: GRS66701.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: GRS66701.exe
- Resource: win10v20201028
General
- Target: GRS66701.exe
- Size: 151KB
- MD5: 390ac19e8d4b6eba1a936a5052b6babf
- SHA1: 1700afbdafcf20ee9deeee4165f6758403e7f43a
- SHA256: 9aee92df3530cb75fb37ffe332199dc0a61718a010d34fc48dbbe16fdd1b3154
- SHA512: b876561ce26fafe4b7a4423c8a992bac48625eb68a540608a499d0b3920841666d01dd83f85f669fafd960ef1e10c7395578107174a33a799d4e542f3faf05a7
Malware Config
- Extracted family: azorult
- Extracted URL: http://staging.onyxa.pl/XyuTr/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Loads dropped DLL (1 IoC)
  Processes: GRS66701.exe (PID 776)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 776 (GRS66701.exe) set thread context of PID 1980 (GRS66701.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: GRS66701.exe (PID 776)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: PID 776 (GRS66701.exe) wrote to memory of PID 1980 (GRS66701.exe); the same event is recorded five times
Processes
- C:\Users\Admin\AppData\Local\Temp\GRS66701.exe (PID 776)
  Command line: "C:\Users\Admin\AppData\Local\Temp\GRS66701.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GRS66701.exe (PID 1980, child of PID 776)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GRS66701.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nsc407.tmp\ixl9x1o3z.dll
  MD5: 3729b4259a3cdc6f4a897d889c19c89c
  SHA1: bce86715539a3c56a20d1f1f930d68b1d21a4ef7
  SHA256: a4dfeae8fde1e6fa800c9a7b3074bda27f0be7a090f30b99615ff2a6ae1dcc46
  SHA512: dce8f6931c81c0a038b928538ca0f86e2e9c53399fda1825e7e867dd92aa011871765b8989a9d08e8cb8e62023e4bfdc5a9b2b8b94ac9665f299bfc51ccb9399
- memory/776-2-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB
- memory/776-7-0x00000000023B0000-0x00000000023B2000-memory.dmp
  Filesize: 8KB
- memory/1816-6-0x000007FEF74B0000-0x000007FEF772A000-memory.dmp
  Filesize: 2.5MB
- memory/1980-4-0x000000000041A684-mapping.dmp
- memory/1980-8-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB