Analysis Overview
SHA256
268f9c1a9cc445a6f2afe21100702e14e69c7d1ed127bfe930628ecc8496badb
Threat Level: Known bad
The file 268f9c1a9cc445a6f2afe21100702e14e69c7d1ed127bfe930628ecc8496badb.exe was found to be: Known bad.
Malicious Activity Summary
Azov
Adds Run key to start application
Enumerates connected drives
Drops file in Program Files directory
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-28 12:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-28 12:33
Reported
2023-01-28 12:36
Platform
win10v2004-20220812-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Azov
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\268f9c1a9cc445a6f2afe21100702e14e69c7d1ed127bfe930628ecc8496badb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\268f9c1a9cc445a6f2afe21100702e14e69c7d1ed127bfe930628ecc8496badb.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\7-zip.chm | C:\Users\Admin\AppData\Local\Temp\268f9c1a9cc445a6f2afe21100702e14e69c7d1ed127bfe930628ecc8496badb.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\268f9c1a9cc445a6f2afe21100702e14e69c7d1ed127bfe930628ecc8496badb.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\268f9c1a9cc445a6f2afe21100702e14e69c7d1ed127bfe930628ecc8496badb.exe
"C:\Users\Admin\AppData\Local\Temp\268f9c1a9cc445a6f2afe21100702e14e69c7d1ed127bfe930628ecc8496badb.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\WaitSend.doc" /o ""
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\ResizeTest.pdf"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=060F0DD52643B43B8C240F368DA0DA18 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=065A841F5FAF449ED07A5BAD5DB36391 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=065A841F5FAF449ED07A5BAD5DB36391 --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8DB4B6420EB5090AFDCCC99BFC658E34 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6B2D64F2F54FE6791EE5EF29F27B1BD9 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9146DFEFD47BA5ABF0B9AF6A63CCEA1E --mojo-platform-channel-handle=1840 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\CompressEnter.odp" /ou ""
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 104.46.162.224:443 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 13.107.21.200:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | fp-afd-nocache-ccp.azureedge.net | udp |
| N/A | 13.107.253.67:443 | fp-afd-nocache-ccp.azureedge.net | tcp |
| N/A | 8.8.8.8:53 | fp-afd.azurefd.net | udp |
| N/A | 13.107.237.67:443 | fp-afd.azurefd.net | tcp |
| N/A | 8.8.8.8:53 | fp-afd-nocache.azureedge.net | udp |
| N/A | 13.107.237.67:443 | fp-afd-nocache.azureedge.net | tcp |
Files
C:\Users\Admin\Desktop\New Text Document.txt
| MD5 | 28b662d883b6d76fd96e4ddc5e9ba780 |
| SHA1 | d1c056a983786a38ca76a05cda240c7b86d77136 |
| SHA256 | ce0f6c28b5869ff166714da5fe08554c70c731a335ff9702e38b00f81ad348c6 |
| SHA512 | b551ea951724d66921f7e4991ee3b86e883921abf6a14552c73a4032cc87fa4900b2faa27d1cca5139d71a12937797cd29b589561fcc7fbb60dca460141afa65 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\884A4858-FD8A-4C82-8078-CA2C59F2EDB9
| MD5 | 389d938ac869daa05c890fb81e687477 |
| SHA1 | e1259c7a4c56cb9eebc1353241594ddccd547b61 |
| SHA256 | 0798257ba2e326f316f8fa5ef855094d08a271cf27e0130901b309da116e4e50 |
| SHA512 | fb7202139702ea2e2cda5e9ba958b638c9c8fbc275d2cb611a91ea5ba58a33b3b96fe433a9752b07260667b486462fc14834407d6d5642288f5f8a678e632a59 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
| MD5 | cc1f78ad993aaf6d4ca7a878b78f31d3 |
| SHA1 | 844cdc88c12f01c0dd5a45f27f6d55caf03bc27b |
| SHA256 | b4541c70d8db19d07da1d9fdc98fe4f831f3c0bc6040066a0fb682ae33e5e612 |
| SHA512 | 89c1f90f901eabad09286f5776fd30f2316ea5a7db75ca8884e2487420bb650eb1a58ebbc40ba17e4fb83faf9861d6f6cf3182319eaa8ab4969f12eac246d25d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
| MD5 | c591334f185a513c08a15fcea80d67de |
| SHA1 | 21e8b464f793cfb4b04d6845fed07a31bfda862a |
| SHA256 | bd0adf5086be247ea5e136b48189f7045dec5ef1694e5f454dafc87caa2489a2 |
| SHA512 | fe4510331259442ae72e1788c64587b7503b7b2313feafd03d5d53a0350e8022cbe855b2b972efcbe447ee049e1e004f8dbf4b5c55f62c3c4ef4fc2ec5fce068 |