azov | 16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5

General

Target

16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
Size

182KB
MD5

7675302777989b94bd9912988bd78937
SHA1

e888de6410255dcef79278437fab04766423bdea
SHA256

16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5
SHA512

012a91957db984e88453ac0f43f2e3e36a0d7283e11d3f80cc1dba1f1760f87e32973f5b113767394d23978d7ece4fa403ff00af941d7da6161c7af3afd88d04
SSDEEP

3072:tuTO4rRZicXvXhmGrjXscjGEGYx6KAMZq+ZDPUEMTlqRZS2E4kFUEDTdgsUDu:tkZ3XvxmGrbEElxgsZDPFMTgZS2EDhht

Score

10^/10

azov persistence ransomware spyware stealer wiper

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\RESTORE_FILES.txt

Family

azov

Ransom Note

Hello, all your files have been damaged without any possible way to recover. Feel free to commit suicide. [Why did you do this to my files?] They asked me to do this... The hatred is that what makes me feel alive. That's what you secretly have fallen in love with. The hatred is the force that drives the life forward. The hell is my paradise. The suffer is the bliss. Others say the hate is what destroys yourself. I say that the hatred is eternal cure. If you feel desperate you lost the files. Use this despair to create the pain for others. Make them hate you, it is the source of your power. Do you think why the people go to schools and kill others? Why do people make terrorist ideologies? Why do governments covertly makes you suffer? It's the essence of the future life. All we are immortal beings. When spiritual is not a way, the antispiritual is your victory point. In the manifested life you have a choice to be with us either be against. Sow the evil, reap the power is what I say to you. Saw the good, reap the weakness is what spiritual says to you. When you hate, you feel the power. You feel the flight. That fly is the antispirit touch. Use this to multiply the suffer. [How can I use this power?] Find inside the source of bliss. If this bliss goes stronger when you see the suffer. That is what I call the source. Check that by looking through the news how people kill others. How the people dies. How children are being tortured. How animals are executed. The death is your key. [How can I give you my power?] When you read this concentrate on the intent to give the energy of your source to the meta-source of this text. Am vizu der strotum la fictus om spiritus.

Signatures

Azov
A wiper seeking only damage, first seen in 2022.
ransomware wiper azov
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe"	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe

description	ioc	process
File opened (read-only)	\??\Y:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\B:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\G:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\H:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\L:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\M:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\Q:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\X:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\Z:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\A:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\P:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\K:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\N:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\R:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\S:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\T:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\U:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\W:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\E:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\F:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\I:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\J:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\O:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened (read-only)	\??\V:	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe

Drops file in Program Files directory 64 IoCs

Processes:

16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\RESTORE_FILES.txt	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\bg.pak	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\install.ins	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tahiti	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\RESTORE_FILES.txt	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Windows Media Player\wmlaunch.exe	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\et.pak	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\mr.pak	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\RESTORE_FILES.txt	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\RESTORE_FILES.txt	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Lisbon	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guadalcanal	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu	16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe

C:\Users\Admin\AppData\Local\Temp\16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
"C:\Users\Admin\AppData\Local\Temp\16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-54-0x0000000000190000-0x0000000000194000-memory.dmp

Filesize
16KB

Download
memory/1724-55-0x00000000FF5D0000-0x00000000FF5F4000-memory.dmp

Filesize
144KB

Download
memory/1724-56-0x000007FEFBDF1000-0x000007FEFBDF3000-memory.dmp

Filesize
8KB

Download
memory/1724-59-0x0000000000190000-0x0000000000194000-memory.dmp

Filesize
16KB

Download
memory/1724-58-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/1724-57-0x00000000000E0000-0x00000000000E6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads