azov | b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801

General

Target

b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
Size

32KB
MD5

6468ee100d88c71d55dfdcf4e30f991e
SHA1

5c520d2d7dc4c9e5d536d3aff998185657d40ac8
SHA256

b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801
SHA512

41913eb5adaab42c7ebff547421c0faedede5a3356cb2aa8b92ab20320f73766101056853f450435281cf31e7f32603c62fbd88fa3a680b19abda5d8cc9a98ae
SSDEEP

768:QzG3EG0IUJrd6dQar/MjfW33AMar6q3Fu:QKEG4Jx6Ky/Mjo3AMa13U

Score

10^/10

azov ransomware spyware stealer wiper

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\RESTORE_FILES.txt

Family

azov

Ransom Note

Hello, all your files have been damaged without any possible way to recover. Feel free to commit suicide. [Why did you do this to my files?] They asked me to do this... The hatred is that what makes me feel alive. That's what you secretly have fallen in love with. The hatred is the force that drives the life forward. The hell is my paradise. The suffer is the bliss. Others say the hate is what destroys yourself. I say that the hatred is eternal cure. If you feel desperate you lost the files. Use this despair to create the pain for others. Make them hate you, it is the source of your power. Do you think why the people go to schools and kill others? Why do people make terrorist ideologies? Why do governments covertly makes you suffer? It's the essence of the future life. All we are immortal beings. When spiritual is not a way, the antispiritual is your victory point. In the manifested life you have a choice to be with us either be against. Sow the evil, reap the power is what I say to you. Saw the good, reap the weakness is what spiritual says to you. When you hate, you feel the power. You feel the flight. That fly is the antispirit touch. Use this to multiply the suffer. [How can I use this power?] Find inside the source of bliss. If this bliss goes stronger when you see the suffer. That is what I call the source. Check that by looking through the news how people kill others. How the people dies. How children are being tortured. How animals are executed. The death is your key. [How can I give you my power?] When you read this concentrate on the intent to give the energy of your source to the meta-source of this text. Am vizu der strotum la fictus om spiritus.

Signatures

Azov
A wiper seeking only damage, first seen in 2022.
ransomware wiper azov

Drops startup file 1 IoCs

Processes:

b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RESTORE_FILES.txt	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe

description	ioc	process
File opened (read-only)	\??\O:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\Q:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\R:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\S:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\V:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\W:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\E:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\L:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\Y:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\F:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\N:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\U:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\A:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\B:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\X:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\Z:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\H:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\J:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\K:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\M:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\P:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\T:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\G:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened (read-only)	\??\I:	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe

Drops file in Program Files directory 64 IoCs

Processes:

b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\StandardShader.io.hlsl	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalSplashScreen.scale-100_contrast-white.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-400.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineStrings.js	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\RESTORE_FILES.txt	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MediumTile.scale-100_contrast-white.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\RESTORE_FILES.txt	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\et_get.svg	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\youtube.crx	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-60.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_contrast-black.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\RESTORE_FILES.txt	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-250.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-400.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\RESTORE_FILES.txt	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-16_contrast-white.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-150.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-200.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-lightunplated.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\nacl_irt_x86_64.nexe	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\THMBNAIL.PNG	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Protocol.winmd	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\View3d\RESTORE_FILES.txt	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\RESTORE_FILES.txt	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\ValueProp_Shadow.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-125.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\10.jpg	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-400.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-200.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-search.jar	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-white_scale-200.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\LargeTile.scale-200.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoInternetConnection_120x80.svg	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\RESTORE_FILES.txt	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.scale-125.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-125.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\LargeTile.scale-200.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-60_altform-unplated_contrast-black.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-high.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\main.css	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-16.png	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms	b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe

C:\Users\Admin\AppData\Local\Temp\b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe
"C:\Users\Admin\AppData\Local\Temp\b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
PID:4188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4188-132-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/4188-133-0x00000000000C0000-0x00000000000C5000-memory.dmp

Filesize
20KB

Download
memory/4188-134-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads