Analysis
- max time kernel: 159s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-10-2023 12:14
Static task
static1
Behavioral task
behavioral1
Sample
7129291FC3D97377200F8A24AD06930A.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
7129291FC3D97377200F8A24AD06930A.exe
Resource
win10v2004-20230915-en
General
-
Target
7129291FC3D97377200F8A24AD06930A.exe
-
Size
32KB
-
MD5
7129291fc3d97377200f8a24ad06930a
-
SHA1
3f858d2837529e6c973ffa7c26c643e9748e7282
-
SHA256
650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e
-
SHA512
6bd4537a79f839c2964a814eed2fd5c217a969632e267afbe028b04a91a410abd594fb45bf1cba954f8be71e6041a923e932994754fcd46cc71a0bbaf4a932a1
-
SSDEEP
384:s+ImkKRjvD/XlXPRPNTEUZytgSisYuaDhcWNDkSIvrfPxLCk9Hf/z:WKRjvTXlXPRNTRZ6hisYugcXjfNCkl
Malware Config
Signatures
-
Azov
A wiper seeking only damage, first seen in 2022.
-
Renames multiple (2503) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
7129291FC3D97377200F8A24AD06930A.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | 7129291FC3D97377200F8A24AD06930A.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
7129291FC3D97377200F8A24AD06930A.exe
description | ioc | process
File opened (read-only) | \??\B: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\H: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\K: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\L: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\N: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\V: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\X: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\A: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\M: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\Q: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\Z: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\E: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\G: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\I: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\J: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\Y: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\O: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\P: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\R: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\S: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\T: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\U: | 7129291FC3D97377200F8A24AD06930A.exe
File opened (read-only) | \??\W: | 7129291FC3D97377200F8A24AD06930A.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
7129291FC3D97377200F8A24AD06930A.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_TW.properties | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\.lastModified | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ul-oob.xrm-ms | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine_2.3.0.v20140506-1720.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms | 7129291FC3D97377200F8A24AD06930A.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\es-MX\RESTORE_FILES.txt | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | 7129291FC3D97377200F8A24AD06930A.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\RESTORE_FILES.txt | 7129291FC3D97377200F8A24AD06930A.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\RESTORE_FILES.txt | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms | 7129291FC3D97377200F8A24AD06930A.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\nb-NO\RESTORE_FILES.txt | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\cmm\LINEAR_RGB.pf | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | 7129291FC3D97377200F8A24AD06930A.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\pt-BR\RESTORE_FILES.txt | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\jvm.hprof.txt | 7129291FC3D97377200F8A24AD06930A.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html | 7129291FC3D97377200F8A24AD06930A.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\RESTORE_FILES.txt | 7129291FC3D97377200F8A24AD06930A.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files\7-Zip\RESTORE_FILES.txt
  Filesize: 2KB
  MD5: 78ede93114e65f9160fd03d3357c56e6
  SHA1: 88d531b101e57655f1d0d26c6b3257aa2468d460
  SHA256: c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5
  SHA512: 074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d
- memory/4544-0-0x0000000000020000-0x0000000000027000-memory.dmp
  Filesize: 28KB
- memory/4544-2-0x00000000001A0000-0x00000000001A5000-memory.dmp
  Filesize: 20KB
- memory/4544-4-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/4544-3-0x00000000001A0000-0x00000000001A5000-memory.dmp
  Filesize: 20KB