Analysis Overview
SHA256
05815418cfc42049037a3aee0cab64353d01bb2003b88faf7a89258b40d6b3b9
Threat Level: Known bad
The file d610608364afbb4dcfd94365f718c65d was found to be: Known bad.
Malicious Activity Summary
Azov
Adds Run key to start application
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-10-18 12:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-18 12:07
Reported
2023-10-18 12:10
Platform
win7-20230831-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Azov
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\d610608364afbb4dcfd94365f718c65d.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\d610608364afbb4dcfd94365f718c65d.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\d610608364afbb4dcfd94365f718c65d.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\d610608364afbb4dcfd94365f718c65d.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\7-Zip\7-zip.chm | C:\Users\Admin\AppData\Local\Temp\d610608364afbb4dcfd94365f718c65d.exe | N/A |
| File created | C:\Program Files\7-Zip\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\d610608364afbb4dcfd94365f718c65d.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.sfx | C:\Users\Admin\AppData\Local\Temp\d610608364afbb4dcfd94365f718c65d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d610608364afbb4dcfd94365f718c65d.exe
"C:\Users\Admin\AppData\Local\Temp\d610608364afbb4dcfd94365f718c65d.exe"
Network
Files
memory/2372-1-0x00000000001B0000-0x00000000001B4000-memory.dmp
memory/2372-0-0x00000000000E0000-0x00000000000E7000-memory.dmp
memory/2372-3-0x0000000000100000-0x0000000000105000-memory.dmp
memory/2372-5-0x000000013F5D0000-0x000000013F672000-memory.dmp
memory/2372-4-0x00000000001B0000-0x00000000001B4000-memory.dmp
memory/2372-11-0x0000000000100000-0x0000000000105000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-18 12:07
Reported
2023-10-18 12:10
Platform
win10v2004-20230915-en
Max time kernel
138s
Max time network
160s
Command Line
Signatures
Azov
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\d610608364afbb4dcfd94365f718c65d.exe | N/A |
Enumerates connected drives
Processes
C:\Users\Admin\AppData\Local\Temp\d610608364afbb4dcfd94365f718c65d.exe
"C:\Users\Admin\AppData\Local\Temp\d610608364afbb4dcfd94365f718c65d.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 254.211.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.50.123.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.192.11.51.in-addr.arpa | udp |
Files
memory/2144-1-0x000001995ECB0000-0x000001995ECB4000-memory.dmp
memory/2144-2-0x000001995D4E0000-0x000001995D4E5000-memory.dmp
memory/2144-4-0x00007FF779590000-0x00007FF779632000-memory.dmp
memory/2144-0-0x000001995D4C0000-0x000001995D4C7000-memory.dmp
memory/2144-7-0x000001995ECB0000-0x000001995ECB4000-memory.dmp
memory/2144-10-0x000001995D4E0000-0x000001995D4E5000-memory.dmp
memory/2144-14-0x000001995D4E0000-0x000001995D4E5000-memory.dmp