Overview

overview

10

Static

static

ie_to_edge_stub.exe

windows10-2004-x64

10

Resubmissions

24-11-2022 15:21

221124-srn4wafg8w 10

10-11-2022 09:00

221110-kyppzsgdh2 10

30-10-2022 18:47

221030-xe9bhaecd3 6

Analysis

  • max time kernel
    658s
  • max time network
    631s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 15:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ie_to_edge_stub.exe

  • Size

    544KB

  • MD5

    ffee009b572a16093cfffe7f8e3d963a

  • SHA1

    c499d2778dc2746a08ef90d259e2f6834ed17cdf

  • SHA256

    9435b7a2b884676ec7e109ed28a9164cea5f5f6d4a18e1b2cebaff1de4c186db

  • SHA512

    e3916649143e0976f5b553c23818918307fc63bfcac070ea9ed5119c68192cabd6faddb2b895915bdd19203ae2754c815fb4537e3b77342378ae4f9b7f4669f6

  • SSDEEP

    12288:+klqkuX7nP1Lkp2gKXTMxq9b5it9KMR+F96l0fPUn:+klqN79Lkonw09b5icj6APUn

Score
10/10
azovransomwarewiper

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\RESTORE_FILES.txt

Family

azov

Ransom Note
Hello, all your files have been damaged without any possible way to recover. Feel free to commit suicide. [Why did you do this to my files?] They asked me to do this... The hatred is that what makes me feel alive. That's what you secretly have fallen in love with. The hatred is the force that drives the life forward. The hell is my paradise. The suffer is the bliss. Others say the hate is what destroys yourself. I say that the hatred is eternal cure. If you feel desperate you lost the files. Use this despair to create the pain for others. Make them hate you, it is the source of your power. Do you think why the people go to schools and kill others? Why do people make terrorist ideologies? Why do governments covertly makes you suffer? It's the essence of the future life. All we are immortal beings. When spiritual is not a way, the antispiritual is your victory point. In the manifested life you have a choice to be with us either be against. Sow the evil, reap the power is what I say to you. Saw the good, reap the weakness is what spiritual says to you. When you hate, you feel the power. You feel the flight. That fly is the antispirit touch. Use this to multiply the suffer. [How can I use this power?] Find inside the source of bliss. If this bliss goes stronger when you see the suffer. That is what I call the source. Check that by looking through the news how people kill others. How the people dies. How children are being tortured. How animals are executed. The death is your key. [How can I give you my power?] When you read this concentrate on the intent to give the energy of your source to the meta-source of this text. Am vizu der strotum la fictus om spiritus.

Signatures

  • Azov

    A wiper seeking only damage, first seen in 2022.

    ransomwarewiperazov
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe
    "C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe"
    1⤵
    • Enumerates connected drives
    PID:3792
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1512
    • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
      "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Desktop'
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Users\Admin\Desktop\ie_to_edge_stub.exe
        "C:\Users\Admin\Desktop\ie_to_edge_stub.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        PID:5044

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3536-141-0x00000222B4D10000-0x00000222B4D2E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3536-140-0x00000222B4E10000-0x00000222B4E86000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3536-147-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3536-138-0x00000222B4D40000-0x00000222B4D84000-memory.dmp
      Filesize

      272KB

      Download
    • memory/3536-139-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3536-137-0x000002229AF90000-0x000002229AFB2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3792-136-0x000001E3FA5B0000-0x000001E3FA5B4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/3792-133-0x00007FF6028D0000-0x00007FF60294B000-memory.dmp
      Filesize

      492KB

      Download
    • memory/3792-135-0x000001E3FA5A0000-0x000001E3FA5A5000-memory.dmp
      Filesize

      20KB

      Download
    • memory/3792-132-0x000001E3FA5B0000-0x000001E3FA5B4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/3792-134-0x000001E3FA580000-0x000001E3FA586000-memory.dmp
      Filesize

      24KB

      Download
    • memory/5044-142-0x0000000000000000-mapping.dmp
      Download
    • memory/5044-144-0x00007FF70ACC0000-0x00007FF70AD3B000-memory.dmp
      Filesize

      492KB

      Download
    • memory/5044-145-0x000001DB189E0000-0x000001DB189E5000-memory.dmp
      Filesize

      20KB

      Download
    • memory/5044-146-0x000001DB189F0000-0x000001DB189F4000-memory.dmp
      Filesize

      16KB

      Download