Analysis

- max time kernel: 135s
- max time network: 136s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-04-2021 07:03

Static task: static1

Behavioral task: behavioral1
- Sample: Worksheet.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Worksheet.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General

- Target: Worksheet.exe
- Size: 786KB
- MD5: 5facfb9ed998b8f292da114f84cabb06
- SHA1: 98b47094b6be743971163327715cf052142ab7f7
- SHA256: b3b81c1169d7c9595f001b4b97fd871b78f3dbd7c1062df1587518219dafb7bd
- SHA512: a8c7c5004dce32e2d023954ebe04937a1860c9133a26d7186a0c22828d6747cb03e86ea4098c71c762c1572be54ca7e3d1d9357dafd636bb3b39ffcc0acb7163
- Score: 10/10
Malware Config

Extracted
- Family: azorult
- C2: http://31.210.20.121/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                  pid   process        target process
  set thread context of 1704   1964  Worksheet.exe  Worksheet.exe
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                  pid   process        target process
  wrote to memory of 1704      1964  Worksheet.exe  Worksheet.exe
  (the same event is recorded 10 times)
Downloads

- memory/1704-62-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/1704-63-0x000000000041A1F8-mapping.dmp
- memory/1704-66-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/1964-60-0x0000000076A81000-0x0000000076A83000-memory.dmp (8KB)
- memory/1964-61-0x00000000004B0000-0x00000000004B1000-memory.dmp (4KB)
- memory/1964-65-0x00000000004B1000-0x00000000004B2000-memory.dmp (4KB)
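The two signatures above and the memory dumps describe one chain: PID 1964 (Worksheet.exe) writes ten times into a second Worksheet.exe process (PID 1704) and then sets that process's thread context, which is the write-then-SetThreadContext sequence typical of process hollowing, and the Downloads list carries a 128KB dump of PID 1704's 0x400000-0x420000 region with a mapping dump at 0x41A1F8 inside it. The script below is an added example, not sandbox output or any tool's code: it replays the report's process events (transcribed into tuples; the tuple layout and the dump-name grammar are assumptions modelled on the report text) to flag a cross-process write followed by a thread-context change between processes sharing an image name, and parses the dump file names to confirm that the mapping address lands inside a dumped region of the target PID. Reading 0x41A1F8 as the point where execution was redirected is an interpretation, not something the report states.

```python
"""Replay the report's process events and memory-dump names to confirm the
process-hollowing chain. Added example, not sandbox output: the tuple layout
and dump-name grammar below are assumptions modelled on the report text."""
import re
from collections import defaultdict

# Constructed from the report's signature tables:
# (source pid, source image, action, target pid, target image)
EVENTS = [(1964, "Worksheet.exe", "wrote to memory of", 1704, "Worksheet.exe")] * 10
EVENTS.append((1964, "Worksheet.exe", "set thread context of", 1704, "Worksheet.exe"))

# Constructed from the report's Downloads list.
DUMPS = [
    "memory/1704-62-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/1704-63-0x000000000041A1F8-mapping.dmp",
    "memory/1704-66-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/1964-60-0x0000000076A81000-0x0000000076A83000-memory.dmp",
    "memory/1964-61-0x00000000004B0000-0x00000000004B1000-memory.dmp",
    "memory/1964-65-0x00000000004B1000-0x00000000004B2000-memory.dmp",
]

# Assumed name grammar: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
#                   and memory/<pid>-<seq>-0x<address>-mapping.dmp
REGION_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
MAPPING_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp")


def find_hollowing(events):
    """Return one record per (source, target) pair that was both written to
    and had a thread context set from outside. A shared image name marks the
    'spawn a copy of yourself suspended, overwrite it, resume' variant."""
    writes = defaultdict(int)
    images = {}
    context_set = set()
    for src, src_img, action, dst, dst_img in events:
        if src == dst:
            continue  # a process touching its own memory is not injection
        images[src], images[dst] = src_img, dst_img
        if action == "wrote to memory of":
            writes[(src, dst)] += 1
        elif action == "set thread context of":
            context_set.add((src, dst))
    return [
        {"src": src, "dst": dst, "writes": writes[(src, dst)],
         "same_image": images[src].lower() == images[dst].lower()}
        for src, dst in sorted(context_set) if writes[(src, dst)]
    ]


def dumped_regions(dumps):
    """pid -> sorted list of (start, size_bytes) for every region dump,
    with repeated dumps of the same region collapsed."""
    regions = defaultdict(set)
    for name in dumps:
        m = REGION_RE.fullmatch(name)
        if m:
            start, end = int(m[2], 16), int(m[3], 16)
            regions[int(m[1])].add((start, end - start))
    return {pid: sorted(r) for pid, r in regions.items()}


def locate_mappings(dumps):
    """For each mapping dump, the dumped region of the same pid that contains
    its address, as (pid, address, region_start, region_size_bytes)."""
    regions = dumped_regions(dumps)
    hits = []
    for name in dumps:
        m = MAPPING_RE.fullmatch(name)
        if not m:
            continue
        pid, addr = int(m[1]), int(m[2], 16)
        for start, size in regions.get(pid, []):
            if start <= addr < start + size:
                hits.append((pid, addr, start, size))
                break
    return hits


if __name__ == "__main__":
    for h in find_hollowing(EVENTS):
        print(f"{h['src']} -> {h['dst']}: {h['writes']} writes then SetThreadContext, "
              f"same image: {h['same_image']}")
    for pid, addr, start, size in locate_mappings(DUMPS):
        print(f"pid {pid}: mapping {addr:#x} lies in dumped region "
              f"{start:#x} (+{size // 1024}KB)")
```

Run against the report's rows this reports the single 1964 -> 1704 chain with ten writes and a matching image name, and places the 0x41A1F8 mapping inside the 128KB region at 0x400000 of PID 1704, which is the region to carve for the unpacked Azorult payload. The `src == dst` guard is there because legitimate processes routinely write to and set context in their own threads; only cross-process pairs are worth flagging.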