Analysis
max time kernel: 131s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2022 05:01
Static task: static1
Behavioral task: behavioral1
  Sample: 4a29756b890feadbb8506662bb02da34f264ffcce40b05a0e44378b01ce2cd24.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 4a29756b890feadbb8506662bb02da34f264ffcce40b05a0e44378b01ce2cd24.exe
  Resource: win10v2004-20220812-en
General
Target: 4a29756b890feadbb8506662bb02da34f264ffcce40b05a0e44378b01ce2cd24.exe
Size: 182KB
MD5: 9c4c2f4f00522c9ebe08905270b2ac4b
SHA1: 63e0b1975eaadd99a742fc279ee1956377686f10
SHA256: 4a29756b890feadbb8506662bb02da34f264ffcce40b05a0e44378b01ce2cd24
SHA512: 7d6589d5efb9d024454ad53f4a16f5e1663dcaa638fe22c5039b9562b1aa29a01a299cb312e14436fda517cd14fbe53f2e308c97b37b9be0108dc9a830c66278
SSDEEP: 3072:tuTO4rRZiIgvX5mG1EXscjrU39Qq+ZDPUEMTlqiP60zEBXY+adic1oi53t:tkZrgvpmG1QFs9UZDPFMThy0zEWLNou9
Malware Config
Signatures
Azov
A wiper seeking only damage, first seen in 2022.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 4a29756b890feadbb8506662bb02da34f264ffcce40b05a0e44378b01ce2cd24.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe"
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 4a29756b890feadbb8506662bb02da34f264ffcce40b05a0e44378b01ce2cd24.exe
  File opened (read-only), one entry per drive letter: \??\N:, \??\U:, \??\K:, \??\T:, \??\W:, \??\F:, \??\G:, \??\E:, \??\H:, \??\L:, \??\P:, \??\Q:, \??\R:, \??\A:, \??\B:, \??\X:, \??\Y:, \??\Z:, \??\S:, \??\V:, \??\M:, \??\O:, \??\I:, \??\J:
Drops file in Program Files directory (64 IoCs)
Processes: 4a29756b890feadbb8506662bb02da34f264ffcce40b05a0e44378b01ce2cd24.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4a29756b890feadbb8506662bb02da34f264ffcce40b05a0e44378b01ce2cd24.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a29756b890feadbb8506662bb02da34f264ffcce40b05a0e44378b01ce2cd24.exe"
  PID: 4664
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory