Analysis Overview
SHA256
0d654bd41f1aa5790624656e942f317e5984d139a3f17cb6f167544d713609a8
Threat Level: Known bad
The file 0d654bd41f1aa5790624656e942f317e5984d139a3f17cb6f167544d713609a8.exe was found to be: Known bad.
Malicious Activity Summary
Azov
Adds Run key to start application
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-10-18 12:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-18 12:08
Reported
2023-10-18 12:12
Platform
win7-20230831-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Azov
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\0d654bd41f1aa5790624656e942f317e5984d139a3f17cb6f167544d713609a8.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\0d654bd41f1aa5790624656e942f317e5984d139a3f17cb6f167544d713609a8.exe
"C:\Users\Admin\AppData\Local\Temp\0d654bd41f1aa5790624656e942f317e5984d139a3f17cb6f167544d713609a8.exe"
Network
Files
memory/2988-1-0x0000000000160000-0x0000000000166000-memory.dmp
memory/2988-3-0x0000000000180000-0x0000000000185000-memory.dmp
memory/2988-0-0x0000000000190000-0x0000000000194000-memory.dmp
memory/2988-5-0x00000000FFA20000-0x00000000FFA44000-memory.dmp
memory/2988-4-0x0000000000190000-0x0000000000194000-memory.dmp
memory/2988-11-0x0000000000180000-0x0000000000185000-memory.dmp
memory/2988-15-0x0000000000180000-0x0000000000185000-memory.dmp
C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt
| MD5 | 4f3332a48d767cc5bdfdab755d84a450 |
| SHA1 | d7d583c08e82f39637d8209447c2c9cad1478f01 |
| SHA256 | a04e8cc0ea5f7e143eba012c2bc470161f1faf9c904eb233f777ced8e6e706ad |
| SHA512 | 0f60de7622aa69ae0b209a1ed54ec7ba0f6b81b597565e64d41845bec8c471a768ca8622964260c448530f637492aac31a4fc5ec95de147ef2c0d89149c2a66f |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-18 12:08
Reported
2023-10-18 12:13
Platform
win10v2004-20230915-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Azov
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\0d654bd41f1aa5790624656e942f317e5984d139a3f17cb6f167544d713609a8.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\0d654bd41f1aa5790624656e942f317e5984d139a3f17cb6f167544d713609a8.exe
"C:\Users\Admin\AppData\Local\Temp\0d654bd41f1aa5790624656e942f317e5984d139a3f17cb6f167544d713609a8.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.50.123.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.20.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/3224-0-0x0000000002A60000-0x0000000002A64000-memory.dmp
memory/3224-4-0x00000000012A0000-0x00000000012A5000-memory.dmp
memory/3224-3-0x00007FF656600000-0x00007FF656624000-memory.dmp
memory/3224-1-0x0000000001280000-0x0000000001286000-memory.dmp
memory/3224-7-0x0000000002A60000-0x0000000002A64000-memory.dmp
memory/3224-11-0x00000000012A0000-0x00000000012A5000-memory.dmp
C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt
| MD5 | 4f3332a48d767cc5bdfdab755d84a450 |
| SHA1 | d7d583c08e82f39637d8209447c2c9cad1478f01 |
| SHA256 | a04e8cc0ea5f7e143eba012c2bc470161f1faf9c904eb233f777ced8e6e706ad |
| SHA512 | 0f60de7622aa69ae0b209a1ed54ec7ba0f6b81b597565e64d41845bec8c471a768ca8622964260c448530f637492aac31a4fc5ec95de147ef2c0d89149c2a66f |
memory/3224-19-0x00000000012A0000-0x00000000012A5000-memory.dmp