Malware Analysis Report

2024-09-23 07:01

Sample ID 221110-kyppzsgdh2
Target ie_to_edge_stub.exe
SHA256 9435b7a2b884676ec7e109ed28a9164cea5f5f6d4a18e1b2cebaff1de4c186db
Tags
azov persistence ransomware wiper
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9435b7a2b884676ec7e109ed28a9164cea5f5f6d4a18e1b2cebaff1de4c186db

Threat Level: Known bad

The file ie_to_edge_stub.exe was found to be: Known bad.

Malicious Activity Summary

azov persistence ransomware wiper

Azov

Adds Run key to start application

Enumerates connected drives

Drops file in Program Files directory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-11-10 09:00

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-10 09:00

Reported

2022-11-10 09:03

Platform

win10v2004-20220901-en

Max time kernel

91s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe"

Signatures

Azov

ransomware wiper azov

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\br.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\co.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip.chm C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\az.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bn.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\an.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.sfx C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\descript.ion C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\af.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File created C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bg.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ca.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File created C:\Program Files\7-Zip\RESTORE_FILES.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\History.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ar.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ba.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cs.txt C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened for modification C:\Program Files\7-Zip\7zCon.sfx C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe

"C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe"

Network

Country Destination Domain Proto
US 20.189.173.5:443 tcp
US 8.253.208.120:80 tcp
US 8.253.208.120:80 tcp
US 8.253.208.120:80 tcp

Files

memory/3040-132-0x000001945D5F0000-0x000001945D5F4000-memory.dmp

memory/3040-133-0x00007FF6B01C0000-0x00007FF6B023B000-memory.dmp

memory/3040-136-0x000001945D5F0000-0x000001945D5F4000-memory.dmp

memory/3040-135-0x000001945D5E0000-0x000001945D5E5000-memory.dmp

memory/3040-134-0x000001945D5C0000-0x000001945D5C6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-10 09:00

Reported

2022-11-10 09:03

Platform

win7-20220812-en

Max time kernel

40s

Max time network

43s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe"

Signatures

Azov

ransomware wiper azov

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe

"C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe"

Network

N/A

Files

memory/1476-54-0x0000000000210000-0x0000000000214000-memory.dmp

memory/1476-55-0x000000013F9B0000-0x000000013FA2B000-memory.dmp

memory/1476-56-0x00000000001E0000-0x00000000001E6000-memory.dmp

memory/1476-58-0x0000000000210000-0x0000000000214000-memory.dmp

memory/1476-57-0x0000000000200000-0x0000000000205000-memory.dmp