Analysis Overview
SHA256
febdd0a7b6040ba8ebe0d2bbaf9c832bfe32c249189b368fcefcbdbfd27adecb
Threat Level: Known bad
The file febdd0a7b6040ba8ebe0d2bbaf9c832bfe32c249189b368fcefcbdbfd27adecb.exe was found to be: Known bad.
Malicious Activity Summary
Azov
Adds Run key to start application
Enumerates connected drives
Drops file in Program Files directory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-15 04:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-15 04:41
Reported
2022-11-15 04:44
Platform
win7-20220812-en
Max time kernel
37s
Max time network
44s
Command Line
Signatures
Azov
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\febdd0a7b6040ba8ebe0d2bbaf9c832bfe32c249189b368fcefcbdbfd27adecb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\febdd0a7b6040ba8ebe0d2bbaf9c832bfe32c249189b368fcefcbdbfd27adecb.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\febdd0a7b6040ba8ebe0d2bbaf9c832bfe32c249189b368fcefcbdbfd27adecb.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\febdd0a7b6040ba8ebe0d2bbaf9c832bfe32c249189b368fcefcbdbfd27adecb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\febdd0a7b6040ba8ebe0d2bbaf9c832bfe32c249189b368fcefcbdbfd27adecb.exe
"C:\Users\Admin\AppData\Local\Temp\febdd0a7b6040ba8ebe0d2bbaf9c832bfe32c249189b368fcefcbdbfd27adecb.exe"
Network
Files
memory/1248-54-0x0000000000310000-0x0000000000314000-memory.dmp
memory/1248-55-0x000000013F7F0000-0x000000013F84F000-memory.dmp
memory/1248-56-0x00000000002E0000-0x00000000002E7000-memory.dmp
memory/1248-57-0x0000000000300000-0x0000000000305000-memory.dmp
memory/1248-58-0x0000000000310000-0x0000000000314000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-15 04:41
Reported
2022-11-15 04:44
Platform
win10v2004-20220812-en
Max time kernel
97s
Max time network
127s
Command Line
Signatures
Azov
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\febdd0a7b6040ba8ebe0d2bbaf9c832bfe32c249189b368fcefcbdbfd27adecb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\febdd0a7b6040ba8ebe0d2bbaf9c832bfe32c249189b368fcefcbdbfd27adecb.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\febdd0a7b6040ba8ebe0d2bbaf9c832bfe32c249189b368fcefcbdbfd27adecb.exe
"C:\Users\Admin\AppData\Local\Temp\febdd0a7b6040ba8ebe0d2bbaf9c832bfe32c249189b368fcefcbdbfd27adecb.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 20.223.24.244:443 | | tcp |
| N/A | 13.69.239.72:443 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
Files
memory/4800-132-0x0000022949DA0000-0x0000022949DA4000-memory.dmp
memory/4800-133-0x00007FF7629A0000-0x00007FF7629FF000-memory.dmp
memory/4800-134-0x0000022949D60000-0x0000022949D67000-memory.dmp
memory/4800-135-0x0000022949D90000-0x0000022949D95000-memory.dmp
memory/4800-136-0x0000022949DA0000-0x0000022949DA4000-memory.dmp