azov | 6f114c603c6f536c9a1e6ebf77666932a1f73543311cd0f003022904a1f096ee | Triage

Sharing

General

Target

rdpclient.exe
Size

182KB
Sample

240917-rnd9tsxfnp
MD5

e8634825d250c1965273585e1168f4b8
SHA1

753820cfb36bd201524ec923e02107a163fca46c
SHA256

6f114c603c6f536c9a1e6ebf77666932a1f73543311cd0f003022904a1f096ee
SHA512

7a006af2b8c0425404a0aefb0910d5b17584d54d8603a5a569c7593caf3fb746a6d5c1d9bd35f4824f78bc9d8dce9f3212599c33d952e455384ff988c2bf84a1
SSDEEP

3072:fRTO4r5ZiVvvXtmGLiXscj1U39Hq+ZDPUEMTlf+rr4UmMCr7Gr:fnZuvvdmGLSDs9lZDPFMTsrr5mT78

Score

10^/10

azov credential_access discovery persistence ransomware spyware stealer wiper

Malware Config

Targets

- Target
  
  rdpclient.exe
- Size
  
  182KB
- MD5
  
  e8634825d250c1965273585e1168f4b8
- SHA1
  
  753820cfb36bd201524ec923e02107a163fca46c
- SHA256
  
  6f114c603c6f536c9a1e6ebf77666932a1f73543311cd0f003022904a1f096ee
- SHA512
  
  7a006af2b8c0425404a0aefb0910d5b17584d54d8603a5a569c7593caf3fb746a6d5c1d9bd35f4824f78bc9d8dce9f3212599c33d952e455384ff988c2bf84a1
- SSDEEP
  
  3072:fRTO4r5ZiVvvXtmGLiXscj1U39Hq+ZDPUEMTlf+rr4UmMCr7Gr:fnZuvvdmGLSDs9lZDPFMTsrr5mT78
Score

10^/10

azov credential_access discovery persistence ransomware spyware stealer wiper
- Azov
  A wiper seeking only damage, first seen in 2022.
  ransomware wiper azov
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Renames multiple (8206) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

azovcredential_accessdiscoverypersistenceransomwarespywarestealerwiper

behavioral2

azovcredential_accessdiscoverypersistenceransomwarespywarestealerwiper