azov | c95ab5b6008be69eeb3f8022d8ce6934a7676ff4535a27b7f1be890c25868145

General

Target

3a54bc3a76331908e701b977a1eed6eb.exe
Size

112KB
MD5

3a54bc3a76331908e701b977a1eed6eb
SHA1

c48940b4eb92c7391fe3091ca4cca300b09117fb
SHA256

c95ab5b6008be69eeb3f8022d8ce6934a7676ff4535a27b7f1be890c25868145
SHA512

23fbac1e21648722d963348303491bce8ca12623c6aacf25ce0de4d5b8ec07b09ca58701ed53f1a5d267c8eb133c95e37feb05d30320aca456c92034c0e2a3fb
SSDEEP

3072:ll4DEGYx6KAMrHTx4rd60njnXN+KUpVkJB3rxyM/mhSd:ll4DElxgf6WjsKbehe

Score

10^/10

azov persistence ransomware spyware stealer wiper

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt

Family

azov

Ransom Note

Hello, all your files have been damaged without any possible way to recover. Feel free to commit suicide. [Why did you do this to my files?] They asked me to do this... The hatred is that what makes me feel alive. That's what you secretly have fallen in love with. The hatred is the force that drives the life forward. The hell is my paradise. The suffer is the bliss. Others say the hate is what destroys yourself. I say that the hatred is eternal cure. If you feel desperate you lost the files. Use this despair to create the pain for others. Make them hate you, it is the source of your power. Do you think why the people go to schools and kill others? Why do people make terrorist ideologies? Why do governments covertly makes you suffer? It's the essence of the future life. All we are immortal beings. When spiritual is not a way, the antispiritual is your victory point. In the manifested life you have a choice to be with us either be against. Sow the evil, reap the power is what I say to you. Saw the good, reap the weakness is what spiritual says to you. When you hate, you feel the power. You feel the flight. That fly is the antispirit touch. Use this to multiply the suffer. [How can I use this power?] Find inside the source of bliss. If this bliss goes stronger when you see the suffer. That is what I call the source. Check that by looking through the news how people kill others. How the people dies. How children are being tortured. How animals are executed. The death is your key. [How can I give you my power?] When you read this concentrate on the intent to give the energy of your source to the meta-source of this text. Am vizu der strotum la fictus om spiritus.

Signatures

Azov
A wiper seeking only damage, first seen in 2022.
ransomware wiper azov
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3a54bc3a76331908e701b977a1eed6eb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe"	3a54bc3a76331908e701b977a1eed6eb.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3a54bc3a76331908e701b977a1eed6eb.exe

description	ioc	process
File opened (read-only)	\??\U:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\V:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\A:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\B:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\E:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\H:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\Q:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\T:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\Y:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\G:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\J:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\M:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\O:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\S:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\W:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\P:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\Z:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\I:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\K:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\L:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\N:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\R:	3a54bc3a76331908e701b977a1eed6eb.exe
File opened (read-only)	\??\X:	3a54bc3a76331908e701b977a1eed6eb.exe

Drops file in Program Files directory 64 IoCs

Processes:

3a54bc3a76331908e701b977a1eed6eb.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\ct.sym	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\Common Files\System\fr-FR\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\currency.data	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\af.pak	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ja.properties	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\Java\jdk-1.8\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\classlist	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\Logo.png	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\Internet Explorer\ja-JP\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\tzmappings	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\psfontj2d.properties	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateSetup.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\RESTORE_FILES.txt	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	3a54bc3a76331908e701b977a1eed6eb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	3a54bc3a76331908e701b977a1eed6eb.exe

C:\Users\Admin\AppData\Local\Temp\3a54bc3a76331908e701b977a1eed6eb.exe
"C:\Users\Admin\AppData\Local\Temp\3a54bc3a76331908e701b977a1eed6eb.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt

Filesize
3KB

MD5
4f3332a48d767cc5bdfdab755d84a450

SHA1
d7d583c08e82f39637d8209447c2c9cad1478f01

SHA256
a04e8cc0ea5f7e143eba012c2bc470161f1faf9c904eb233f777ced8e6e706ad

SHA512
0f60de7622aa69ae0b209a1ed54ec7ba0f6b81b597565e64d41845bec8c471a768ca8622964260c448530f637492aac31a4fc5ec95de147ef2c0d89149c2a66f

Download Submit
memory/3024-3-0x0000028B5C410000-0x0000028B5C415000-memory.dmp

Filesize
20KB

Download
memory/3024-4-0x00007FF7D8F10000-0x00007FF7D8F27000-memory.dmp

Filesize
92KB

Download
memory/3024-7-0x0000028B5C410000-0x0000028B5C415000-memory.dmp

Filesize
20KB

Download
memory/3024-9-0x0000028B5C410000-0x0000028B5C415000-memory.dmp

Filesize
20KB

Download
memory/3024-6-0x0000028B5C420000-0x0000028B5C424000-memory.dmp

Filesize
16KB

Download
memory/3024-2-0x0000028B5C3F0000-0x0000028B5C3F6000-memory.dmp

Filesize
24KB

Download
memory/3024-0-0x0000028B5C420000-0x0000028B5C424000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads