Analysis Overview
SHA256
9435b7a2b884676ec7e109ed28a9164cea5f5f6d4a18e1b2cebaff1de4c186db
Threat Level: Known bad
The file ie_to_edge_stub.exe was found to be: Known bad.
Malicious Activity Summary
Azov
Enumerates connected drives
Drops file in System32 directory
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-24 15:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-24 15:21
Reported
2022-11-24 15:34
Platform
win10v2004-20221111-en
Max time kernel
658s
Max time network
631s
Command Line
Signatures
Azov
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\7-zip.chm | C:\Users\Admin\Desktop\ie_to_edge_stub.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\Desktop\ie_to_edge_stub.exe | N/A |
| File created | C:\Program Files\7-Zip\RESTORE_FILES.txt | C:\Users\Admin\Desktop\ie_to_edge_stub.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.sfx | C:\Users\Admin\Desktop\ie_to_edge_stub.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Users\Admin\Desktop\ie_to_edge_stub.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3536 wrote to memory of 5044 | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe | C:\Users\Admin\Desktop\ie_to_edge_stub.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe
"C:\Users\Admin\AppData\Local\Temp\ie_to_edge_stub.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Desktop'
C:\Users\Admin\Desktop\ie_to_edge_stub.exe
"C:\Users\Admin\Desktop\ie_to_edge_stub.exe"
Network
Files