Analysis Overview
SHA256
c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6
Threat Level: Known bad
The file c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe was found to be: Known bad.
Malicious Activity Summary
Azov
Renames multiple (138) files with added filename extension (behavioral2, Windows 10 detonation)
Renames multiple (174) files with added filename extension (behavioral1, Windows 7 detonation)
Reads user/profile data of web browsers
Adds Run key to start application
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-04 12:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-04 12:20
Reported
2023-07-04 12:22
Platform
win7-20230703-en
Max time kernel
28s
Max time network
32s
Command Line
Signatures
Azov
Renames multiple (174) files with added filename extension
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe
"C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe"
Network
Files
memory/2376-54-0x0000000000110000-0x0000000000114000-memory.dmp
memory/2376-59-0x0000000000110000-0x0000000000114000-memory.dmp
memory/2376-60-0x0000000000100000-0x0000000000105000-memory.dmp
memory/2376-56-0x00000000FF060000-0x00000000FF084000-memory.dmp
memory/2376-62-0x0000000000100000-0x0000000000105000-memory.dmp
memory/2376-68-0x0000000000100000-0x0000000000105000-memory.dmp
C:\Program Files\RESTORE_FILES.txt
| MD5 | 78ede93114e65f9160fd03d3357c56e6 |
| SHA1 | 88d531b101e57655f1d0d26c6b3257aa2468d460 |
| SHA256 | c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5 |
| SHA512 | 074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d |
memory/2376-443-0x00000000000E0000-0x00000000000E7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-04 12:20
Reported
2023-07-04 12:22
Platform
win10v2004-20230703-en
Max time kernel
7s
Command Line
Signatures
Azov
Renames multiple (138) files with added filename extension
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe
"C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe"
Network
Files
memory/4468-133-0x0000000002A80000-0x0000000002A84000-memory.dmp
memory/4468-135-0x00007FF667E40000-0x00007FF667E64000-memory.dmp
memory/4468-136-0x0000000001450000-0x0000000001455000-memory.dmp
memory/4468-137-0x0000000001450000-0x0000000001455000-memory.dmp
memory/4468-138-0x0000000001450000-0x0000000001455000-memory.dmp
memory/4468-142-0x0000000002A80000-0x0000000002A84000-memory.dmp
C:\Program Files\7-Zip\RESTORE_FILES.txt
| MD5 | 78ede93114e65f9160fd03d3357c56e6 |
| SHA1 | 88d531b101e57655f1d0d26c6b3257aa2468d460 |
| SHA256 | c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5 |
| SHA512 | 074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d |
memory/4468-186-0x0000000001430000-0x0000000001437000-memory.dmp
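The Run-key rows and the hash table for RESTORE_FILES.txt are the only host indicators this report records, and they are identical across both detonations. The block below is an added example, not part of the sandbox report, that parses rows copied from this page into a normalized IOC list (key in HKLM form, value name, unescaped target path, per-file hashes) and flags the autorun entry because its target lives under C:\ProgramData. The `USER_WRITABLE_PREFIXES` heuristic and every function name are my own choices, not anything the sandbox exposes.

```python
import re
from typing import Dict, List, Optional

# Constructed input: rows copied verbatim from the behavioral1 section of this report.
REPORT_EXCERPT = r"""
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\c7073357c5cfe55454b74ee5a2c8fd05e22e0ee9f6264db7df4490af543274a6.exe | N/A |
memory/2376-54-0x0000000000110000-0x0000000000114000-memory.dmp
C:\Program Files\RESTORE_FILES.txt
| MD5 | 78ede93114e65f9160fd03d3357c56e6 |
| SHA1 | 88d531b101e57655f1d0d26c6b3257aa2468d460 |
| SHA256 | c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5 |
"""

# "| Set value (type) | <key>\<name> = "<data>" | <process> | <target> |"
SET_VALUE_RE = re.compile(r'^\| Set value \((\w+)\) \| (.+?) = "(.*)" \| (.+?) \| (.+?) \|$')
# "| SHA256 | <hex> |" rows that follow a dropped-file path
HASH_RE = re.compile(r'^\| (MD5|SHA1|SHA256|SHA512) \| ([0-9a-f]+) \|$')

# Heuristic (my own, not from the sandbox): an autorun whose target sits in a
# user-writable directory is worth a closer look.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

_MACHINE = "\\REGISTRY\\MACHINE"
_USER = "\\REGISTRY\\USER"


def native_to_hive(path: str) -> str:
    """Rewrite the kernel-native \\REGISTRY\\... prefix the sandbox logs into the
    HKLM / HKU form that reg.exe and most hunting queries expect."""
    upper = path.upper()
    if upper.startswith(_MACHINE + "\\"):
        return "HKLM" + path[len(_MACHINE):]
    if upper.startswith(_USER + "\\"):
        return "HKU" + path[len(_USER):]
    return path


def parse_report(text: str) -> Dict[str, object]:
    """Extract autorun registry writes and dropped-file hashes from report rows."""
    autoruns: List[Dict[str, str]] = []
    files: Dict[str, Dict[str, str]] = {}
    current_file: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_VALUE_RE.match(line)
        if m:
            vtype, full, data, process, _target = m.groups()
            key, _, name = full.rpartition("\\")
            autoruns.append({
                "key": native_to_hive(key),
                "name": name,
                "type": vtype,
                # the sandbox escapes backslashes inside string data
                "data": data.replace("\\\\", "\\"),
                "process": process,
            })
            continue
        m = HASH_RE.match(line)
        if m and current_file is not None:
            files[current_file][m.group(1).lower()] = m.group(2)
            continue
        # a bare Windows path (not a memory-dump artifact) starts a dropped-file entry
        if line and not line.startswith("|") and not line.startswith("memory/") and ":\\" in line:
            current_file = line
            files.setdefault(current_file, {})
    return {"autoruns": autoruns, "files": files}


def suspicious_autoruns(parsed: Dict[str, object]) -> List[Dict[str, str]]:
    """Return Run-key values whose target path is in a user-writable location."""
    flagged = []
    for entry in parsed["autoruns"]:
        target = entry["data"].strip('"').lower()
        if "\\currentversion\\run" in entry["key"].lower() and target.startswith(USER_WRITABLE_PREFIXES):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    result = parse_report(REPORT_EXCERPT)
    for entry in suspicious_autoruns(result):
        print(f'{entry["key"]}\\{entry["name"]} -> {entry["data"]}')
    for path, hashes in result["files"].items():
        print(path, hashes.get("sha256"))
```

Two details worth keeping in mind when turning this into hunting content: the note path differs between the two detonations (C:\Program Files\RESTORE_FILES.txt on Windows 7, C:\Program Files\7-Zip\RESTORE_FILES.txt on Windows 10) while its hashes are identical, so match on the hash or the filename rather than the full path; and the sandbox logs the native `\REGISTRY\MACHINE` prefix, which `native_to_hive` rewrites so the key can be pasted straight into a `reg query` or a registry-event search.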