Analysis Overview
SHA256
16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5
Threat Level: Known bad
The file 16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5 was found to be: Known bad.
Malicious Activity Summary
Azov
Reads user/profile data of web browsers
Adds Run key to start application
Enumerates connected drives
Drops file in Program Files directory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-16 05:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-16 05:38
Reported
2022-11-16 05:41
Platform
win7-20221111-en
Max time kernel
32s
Max time network
34s
Command Line
Signatures
Azov
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
"C:\Users\Admin\AppData\Local\Temp\16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe"
Network
Files
memory/1724-54-0x0000000000190000-0x0000000000194000-memory.dmp
memory/1724-55-0x00000000FF5D0000-0x00000000FF5F4000-memory.dmp
memory/1724-56-0x000007FEFBDF1000-0x000007FEFBDF3000-memory.dmp
memory/1724-59-0x0000000000190000-0x0000000000194000-memory.dmp
memory/1724-58-0x0000000000100000-0x0000000000105000-memory.dmp
memory/1724-57-0x00000000000E0000-0x00000000000E6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-16 05:38
Reported
2022-11-16 05:41
Platform
win10v2004-20221111-en
Max time kernel
72s
Max time network
119s
Command Line
Signatures
Azov
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe
"C:\Users\Admin\AppData\Local\Temp\16ee5eb9bd028bf3665884b78a6d5eb595aa05d32eacd345d01bf337f4b602f5.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.2:443 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp |
Files
memory/5088-132-0x0000000002440000-0x0000000002444000-memory.dmp
memory/5088-133-0x00007FF71F1A0000-0x00007FF71F1C4000-memory.dmp
memory/5088-134-0x0000000000AE0000-0x0000000000AE6000-memory.dmp
memory/5088-136-0x0000000002440000-0x0000000002444000-memory.dmp
memory/5088-135-0x0000000000C80000-0x0000000000C85000-memory.dmp