Analysis Overview
SHA256
2bc8579bb843386dd0198069bb54e4abebbe9e2cc0ab2fae2f1386fb4b70cd1b
Threat Level: Known bad
The file 2bc8579bb843386dd0198069bb54e4abebbe9e2cc0ab2fae2f1386fb4b70cd1b.exe was found to be: Known bad.
Malicious Activity Summary
Azov
Reads user/profile data of web browsers
Adds Run key to start application
Enumerates connected drives
Drops file in Program Files directory
Analysis: static1
Detonation Overview
Reported
2022-11-14 05:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-14 05:58
Reported
2022-11-14 06:00
Platform
win7-20220812-en
Max time kernel
43s
Max time network
45s
Command Line
Signatures
Azov
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\2bc8579bb843386dd0198069bb54e4abebbe9e2cc0ab2fae2f1386fb4b70cd1b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\2bc8579bb843386dd0198069bb54e4abebbe9e2cc0ab2fae2f1386fb4b70cd1b.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\2bc8579bb843386dd0198069bb54e4abebbe9e2cc0ab2fae2f1386fb4b70cd1b.exe
"C:\Users\Admin\AppData\Local\Temp\2bc8579bb843386dd0198069bb54e4abebbe9e2cc0ab2fae2f1386fb4b70cd1b.exe"
Network
Files
memory/896-54-0x0000000000290000-0x0000000000294000-memory.dmp
memory/896-55-0x00000000FF550000-0x00000000FF574000-memory.dmp
memory/896-56-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp
memory/896-59-0x0000000000290000-0x0000000000294000-memory.dmp
memory/896-58-0x0000000000280000-0x0000000000285000-memory.dmp
memory/896-57-0x0000000000260000-0x0000000000267000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-14 05:58
Reported
2022-11-14 06:00
Platform
win10v2004-20220901-en
Max time kernel
91s
Max time network
151s
Command Line
Signatures
Azov
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\2bc8579bb843386dd0198069bb54e4abebbe9e2cc0ab2fae2f1386fb4b70cd1b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\2bc8579bb843386dd0198069bb54e4abebbe9e2cc0ab2fae2f1386fb4b70cd1b.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
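Both detonations record the same persistence indicator: a Run value named Bandera pointing at C:\ProgramData\rdpclient.exe. The following is an added example, not part of this report or of the sandbox's own tooling, showing how a responder would turn those two table rows into a host hunt. It parses the rows (copied here as constructed input), rewrites the native \REGISTRY\MACHINE prefix to the HKLM form that Sysmon and most SIEMs log, undoes the JSON-style doubled backslashes in the value data, and then matches the result against constructed Sysmon Event ID 13 (registry value set) records. The field names EventID, TargetObject, Details and Image follow Sysmon's event schema; the event contents, the benign OneDrive entry and the per-user variant are made up for the demonstration, and the wider match on value name or target path is a hunting heuristic chosen here, not something the report asserts.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the two "Adds Run key" rows exactly as this report prints them.
# The sandbox JSON-escapes the value data, so "C:\\ProgramData" is C:\ProgramData on disk.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\2bc8579bb843386dd0198069bb54e4abebbe9e2cc0ab2fae2f1386fb4b70cd1b.exe"
REPORT_ROWS = [
    r"| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | " + SAMPLE_EXE + " | N/A |",
    (r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera'
     r' = "C:\\ProgramData\\rdpclient.exe" | ' + SAMPLE_EXE + " | N/A |"),
]

# Native object-manager paths as the sandbox logs them, mapped to the hive names Sysmon/SIEMs use.
HIVE_PREFIXES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}


@dataclass(frozen=True)
class RegistryIoc:
    key: str                   # normalised key path, e.g. HKLM\SOFTWARE\...\Run
    value_name: Optional[str]  # None for a bare "Key created" row
    data: Optional[str]        # un-escaped value data, None for "Key created"


def normalise_key(path: str) -> str:
    r"""Rewrite the native \REGISTRY\MACHINE (or \REGISTRY\USER) prefix to HKLM (or HKU)."""
    for native, hive in HIVE_PREFIXES.items():
        if path.upper().startswith(native.upper()):
            return hive + path[len(native):]
    return path


SET_VALUE_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')


def parse_indicator(row: str) -> Optional[RegistryIoc]:
    """Turn one pipe-delimited indicator row into a RegistryIoc, or None if it is not a registry row."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 2:
        return None
    description, indicator = cells[0], cells[1]
    if description == "Key created":
        return RegistryIoc(normalise_key(indicator), None, None)
    if description.startswith("Set value"):
        m = SET_VALUE_RE.match(indicator)
        if m is None:
            return None
        data = m.group("data").replace("\\\\", "\\")  # undo the JSON escaping
        return RegistryIoc(normalise_key(m.group("key")), m.group("name"), data)
    return None


# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records, using Sysmon's field names.
# Record 0 is the report's indicator, record 1 is a benign autostart, record 2 is a per-user variant.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera",
     "Details": r"C:\ProgramData\rdpclient.exe", "Image": SAMPLE_EXE},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Bandera",
     "Details": r"C:\Users\Admin\AppData\Roaming\rdpclient.exe", "Image": r"C:\Users\Admin\Downloads\update.exe"},
]


def match_events(iocs, events):
    """Return (event index, reason) for every value-set event that matches an IOC.

    Matching is deliberately wider than the literal indicator: the same value name under any
    Run key, or the same target path under another value name, is still reported, so a variant
    that moves to HKCU or renames the value does not slip past the hunt.
    """
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 13:
            continue
        key, _, name = ev["TargetObject"].rpartition("\\")
        details = ev.get("Details", "")
        for ioc in iocs:
            if ioc.value_name is None:
                continue  # a bare Run-key creation is far too common to hunt on by itself
            same_key = key.casefold() == ioc.key.casefold()
            same_name = name.casefold() == ioc.value_name.casefold()
            same_data = details.casefold() == ioc.data.casefold()
            if same_key and same_name and same_data:
                hits.append((i, "exact"))
            elif same_name and key.casefold().endswith(r"\currentversion\run"):
                hits.append((i, "run-key value name"))
            elif same_data:
                hits.append((i, "run-key data"))
    return hits


if __name__ == "__main__":
    found = [ioc for ioc in map(parse_indicator, REPORT_ROWS) if ioc is not None]
    for ioc in found:
        print(ioc)
    print(match_events(found, SAMPLE_EVENTS))
```

On a live estate the SAMPLE_EVENTS list would be replaced by the Sysmon 13 events pulled from the SIEM for the window of interest; the parser and matcher do not change. The "Key created" row is parsed but never matched on its own, because every autostart installer touches that key.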
Processes
C:\Users\Admin\AppData\Local\Temp\2bc8579bb843386dd0198069bb54e4abebbe9e2cc0ab2fae2f1386fb4b70cd1b.exe
"C:\Users\Admin\AppData\Local\Temp\2bc8579bb843386dd0198069bb54e4abebbe9e2cc0ab2fae2f1386fb4b70cd1b.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 20.42.65.89:443 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
No domain was resolved for any of these connections, and the Windows 7 detonation (behavioral1) recorded no network activity at all, so this report does not tie these destinations to the sample itself.
Files
memory/4788-132-0x0000000001370000-0x0000000001374000-memory.dmp
memory/4788-133-0x00007FF645D90000-0x00007FF645DB4000-memory.dmp
memory/4788-134-0x0000000001340000-0x0000000001347000-memory.dmp
memory/4788-135-0x0000000001360000-0x0000000001365000-memory.dmp
memory/4788-136-0x0000000001370000-0x0000000001374000-memory.dmp