azov | d8de7883364b25260efef81e4ade09637aa4d8d8e03f8d288694759a29ab7c38

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a6b98ec385b6481e1cbba5d7ad70980N.exe
Size

3.6MB
MD5

6a6b98ec385b6481e1cbba5d7ad70980
SHA1

41877f3af028a0ff668500878ac5636e2cd45177
SHA256

d8de7883364b25260efef81e4ade09637aa4d8d8e03f8d288694759a29ab7c38
SHA512

4681cb5f73057fc06a9b56368588e9bdd57d51666877ef1af58c4096a857fc81bc6741a0b3644ce51be307aceb970e21a829d57c2fdb34e82623fca942614426
SSDEEP

49152:qz+Zn2TAyHzztmLFEuVebedv9uNBb8AfLK9qrO1LS9RhSq15vTNuHv/QXd9CQxM9:kWFk/fSqrOiOc53I

Score

10^/10

azov persistence ransomware wiper

Malware Config

Signatures

Azov
A wiper seeking only damage, first seen in 2022.
ransomware wiper azov

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe"	6a6b98ec385b6481e1cbba5d7ad70980N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\B:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\E:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\K:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\N:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\O:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\G:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\H:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\S:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\V:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\W:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\U:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\A:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\I:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\M:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\Q:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\T:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\Z:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\J:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\L:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\P:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\R:	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened (read-only)	\??\Y:	6a6b98ec385b6481e1cbba5d7ad70980N.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	6a6b98ec385b6481e1cbba5d7ad70980N.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	6a6b98ec385b6481e1cbba5d7ad70980N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2468	2304	6a6b98ec385b6481e1cbba5d7ad70980N.exe	29
PID 2304 wrote to memory of 2468	2304	6a6b98ec385b6481e1cbba5d7ad70980N.exe	29
PID 2304 wrote to memory of 2468	2304	6a6b98ec385b6481e1cbba5d7ad70980N.exe	29

C:\Users\Admin\AppData\Local\Temp\6a6b98ec385b6481e1cbba5d7ad70980N.exe
"C:\Users\Admin\AppData\Local\Temp\6a6b98ec385b6481e1cbba5d7ad70980N.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2304 -s 136
  2⤵
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2304-0-0x0000000000110000-0x0000000000114000-memory.dmp

Filesize
16KB

Download
memory/2304-6-0x0000000000110000-0x0000000000114000-memory.dmp

Filesize
16KB

Download
memory/2304-5-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/2304-9-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/2304-7-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/2304-3-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/2304-2-0x000000013F360000-0x000000013F6DA000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads