Analysis Overview
SHA256
c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6
Threat Level: Known bad
The file c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6 was found to be: Known bad.
Malicious Activity Summary
Azov
Renames multiple (142) files with added filename extension
Renames multiple (190) files with added filename extension
Reads user/profile data of web browsers
Enumerates connected drives
Adds Run key to start application
Drops file in Program Files directory
Unsigned PE
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-04 12:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-04 12:18
Reported
2023-07-04 12:20
Platform
win7-20230703-en
Max time kernel
28s
Max time network
32s
Command Line
Signatures
Azov
Renames multiple (190) files with added filename extension
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe
"C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe"
Network
Files
C:\Program Files\RESTORE_FILES.txt
| Hash | Value |
|---|---|
| MD5 | 78ede93114e65f9160fd03d3357c56e6 |
| SHA1 | 88d531b101e57655f1d0d26c6b3257aa2468d460 |
| SHA256 | c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5 |
| SHA512 | 074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-04 12:18
Reported
2023-07-04 12:20
Platform
win10v2004-20230703-en
Max time kernel
90s
Max time network
117s
Command Line
Signatures
Azov
Renames multiple (142) files with added filename extension
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe
"C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 76.214.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.234.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp |
Files
C:\Program Files\7-Zip\RESTORE_FILES.txt
| Hash | Value |
|---|---|
| MD5 | 78ede93114e65f9160fd03d3357c56e6 |
| SHA1 | 88d531b101e57655f1d0d26c6b3257aa2468d460 |
| SHA256 | c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5 |
| SHA512 | 074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d |