Resubmissions
24-11-2022 15:21
221124-srn4wafg8w 1010-11-2022 09:00
221110-kyppzsgdh2 1030-10-2022 18:47
221030-xe9bhaecd3 6Analysis
-
max time kernel
658s -
max time network
631s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2022 15:21
Static task
static1
Behavioral task
behavioral1
Sample
ie_to_edge_stub.exe
Resource
win10v2004-20221111-en
General
-
Target
ie_to_edge_stub.exe
-
Size
544KB
-
MD5
ffee009b572a16093cfffe7f8e3d963a
-
SHA1
c499d2778dc2746a08ef90d259e2f6834ed17cdf
-
SHA256
9435b7a2b884676ec7e109ed28a9164cea5f5f6d4a18e1b2cebaff1de4c186db
-
SHA512
e3916649143e0976f5b553c23818918307fc63bfcac070ea9ed5119c68192cabd6faddb2b895915bdd19203ae2754c815fb4537e3b77342378ae4f9b7f4669f6
-
SSDEEP
12288:+klqkuX7nP1Lkp2gKXTMxq9b5it9KMR+F96l0fPUn:+klqN79Lkonw09b5icj6APUn
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\RESTORE_FILES.txt
azov
Signatures
-
Azov
A wiper seeking only damage, first seen in 2022.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ie_to_edge_stub.exeie_to_edge_stub.exedescription ioc process File opened (read-only) \??\P: ie_to_edge_stub.exe File opened (read-only) \??\A: ie_to_edge_stub.exe File opened (read-only) \??\G: ie_to_edge_stub.exe File opened (read-only) \??\K: ie_to_edge_stub.exe File opened (read-only) \??\R: ie_to_edge_stub.exe File opened (read-only) \??\W: ie_to_edge_stub.exe File opened (read-only) \??\Y: ie_to_edge_stub.exe File opened (read-only) \??\S: ie_to_edge_stub.exe File opened (read-only) \??\J: ie_to_edge_stub.exe File opened (read-only) \??\M: ie_to_edge_stub.exe File opened (read-only) \??\V: ie_to_edge_stub.exe File opened (read-only) \??\G: ie_to_edge_stub.exe File opened (read-only) \??\O: ie_to_edge_stub.exe File opened (read-only) \??\R: ie_to_edge_stub.exe File opened (read-only) \??\X: ie_to_edge_stub.exe File opened (read-only) \??\Z: ie_to_edge_stub.exe File opened (read-only) \??\Q: ie_to_edge_stub.exe File opened (read-only) \??\O: ie_to_edge_stub.exe File opened (read-only) \??\E: ie_to_edge_stub.exe File opened (read-only) \??\F: ie_to_edge_stub.exe File opened (read-only) \??\H: ie_to_edge_stub.exe File opened (read-only) \??\J: ie_to_edge_stub.exe File opened (read-only) \??\V: ie_to_edge_stub.exe File opened (read-only) \??\W: ie_to_edge_stub.exe File opened (read-only) \??\F: ie_to_edge_stub.exe File opened (read-only) \??\B: ie_to_edge_stub.exe File opened (read-only) \??\B: ie_to_edge_stub.exe File opened (read-only) \??\I: ie_to_edge_stub.exe File opened (read-only) \??\T: ie_to_edge_stub.exe File opened (read-only) \??\X: ie_to_edge_stub.exe File opened (read-only) \??\A: ie_to_edge_stub.exe File opened (read-only) \??\K: ie_to_edge_stub.exe File opened (read-only) \??\L: ie_to_edge_stub.exe File opened (read-only) \??\M: ie_to_edge_stub.exe File opened (read-only) \??\N: ie_to_edge_stub.exe File opened (read-only) \??\E: ie_to_edge_stub.exe File opened (read-only) \??\S: ie_to_edge_stub.exe File opened (read-only) \??\Z: ie_to_edge_stub.exe File opened (read-only) \??\T: ie_to_edge_stub.exe File opened (read-only) \??\U: ie_to_edge_stub.exe File opened (read-only) \??\P: ie_to_edge_stub.exe File opened (read-only) \??\U: ie_to_edge_stub.exe File opened (read-only) \??\I: ie_to_edge_stub.exe File opened (read-only) \??\Q: ie_to_edge_stub.exe File opened (read-only) \??\Y: ie_to_edge_stub.exe File opened (read-only) \??\H: ie_to_edge_stub.exe File opened (read-only) \??\L: ie_to_edge_stub.exe File opened (read-only) \??\N: ie_to_edge_stub.exe -
Drops file in System32 directory 1 IoCs
Processes:
PowerShell.exedescription ioc process File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk PowerShell.exe -
Drops file in Program Files directory 5 IoCs
Processes:
ie_to_edge_stub.exedescription ioc process File opened for modification C:\Program Files\7-Zip\7-zip.chm ie_to_edge_stub.exe File opened for modification C:\Program Files\7-Zip\7z.exe ie_to_edge_stub.exe File created C:\Program Files\7-Zip\RESTORE_FILES.txt ie_to_edge_stub.exe File opened for modification C:\Program Files\7-Zip\7z.sfx ie_to_edge_stub.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx ie_to_edge_stub.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
PowerShell.exepid process 3536 PowerShell.exe 3536 PowerShell.exe 3536 PowerShell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PowerShell.exedescription pid process Token: SeDebugPrivilege 3536 PowerShell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
PowerShell.exedescription pid process target process PID 3536 wrote to memory of 5044 3536 PowerShell.exe ie_to_edge_stub.exe PID 3536 wrote to memory of 5044 3536 PowerShell.exe ie_to_edge_stub.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe"C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe"1⤵
- Enumerates connected drives
PID:3792
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1512
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Desktop'1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Users\Admin\Desktop\ie_to_edge_stub.exe"C:\Users\Admin\Desktop\ie_to_edge_stub.exe"2⤵
- Enumerates connected drives
- Drops file in Program Files directory
PID:5044