Analysis
- max time kernel: 34s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-04-2021 06:35
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Worksheet.exe
  - Resource: win7v20210408 (windows7_x64)
  - 0 signatures, 0 seconds
- Behavioral task: behavioral2
  - Sample: Worksheet.exe
  - Resource: win10v20210410 (windows10_x64)
  - 0 signatures, 0 seconds
General
- Target: Worksheet.exe
- Size: 786KB
- MD5: 5facfb9ed998b8f292da114f84cabb06
- SHA1: 98b47094b6be743971163327715cf052142ab7f7
- SHA256: b3b81c1169d7c9595f001b4b97fd871b78f3dbd7c1062df1587518219dafb7bd
- SHA512: a8c7c5004dce32e2d023954ebe04937a1860c9133a26d7186a0c22828d6747cb03e86ea4098c71c762c1572be54ca7e3d1d9357dafd636bb3b39ffcc0acb7163
- Score: 10/10
Malware Config
Extracted
- Family: azorult
- C2: http://31.210.20.121/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 3968 set thread context of 188 / 3968 / Worksheet.exe / Worksheet.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    3968 / Worksheet.exe
    3968 / Worksheet.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 3968 / Worksheet.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 3968 wrote to memory of 184 / 3968 / Worksheet.exe / Worksheet.exe
    PID 3968 wrote to memory of 184 / 3968 / Worksheet.exe / Worksheet.exe
    PID 3968 wrote to memory of 184 / 3968 / Worksheet.exe / Worksheet.exe
    PID 3968 wrote to memory of 188 / 3968 / Worksheet.exe / Worksheet.exe
    PID 3968 wrote to memory of 188 / 3968 / Worksheet.exe / Worksheet.exe
    PID 3968 wrote to memory of 188 / 3968 / Worksheet.exe / Worksheet.exe
    PID 3968 wrote to memory of 188 / 3968 / Worksheet.exe / Worksheet.exe
    PID 3968 wrote to memory of 188 / 3968 / Worksheet.exe / Worksheet.exe
    PID 3968 wrote to memory of 188 / 3968 / Worksheet.exe / Worksheet.exe
    PID 3968 wrote to memory of 188 / 3968 / Worksheet.exe / Worksheet.exe
    PID 3968 wrote to memory of 188 / 3968 / Worksheet.exe / Worksheet.exe
    PID 3968 wrote to memory of 188 / 3968 / Worksheet.exe / Worksheet.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Worksheet.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Worksheet.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Worksheet.exe
    Command line: "{path}"
    Depth: 2
  - C:\Users\Admin\AppData\Local\Temp\Worksheet.exe
    Command line: "{path}"
    Depth: 2
Network
MITRE ATT&CK Matrix
Downloads
- memory/188-115-0x0000000000400000-0x0000000000420000-memory.dmp (filesize 128KB)
- memory/188-116-0x000000000041A1F8-mapping.dmp
- memory/188-117-0x0000000000400000-0x0000000000420000-memory.dmp (filesize 128KB)
- memory/3968-114-0x0000000001400000-0x0000000001401000-memory.dmp (filesize 4KB)