azov | 9f7fcc877645899abcf028022a04454d81b5f757c825500c2278fa84ba7799fd | Triage

Sharing

General

Target

2025-03-06_8cb20120cbffa976277c992d2fc1c633_ryuk
Size

664KB
Sample

250306-gp787azzdz
MD5

8cb20120cbffa976277c992d2fc1c633
SHA1

57971dc11c99c2261242e24058fb9528a6219f96
SHA256

9f7fcc877645899abcf028022a04454d81b5f757c825500c2278fa84ba7799fd
SHA512

e1a1aa76978e64fa9413974d271e602b76f8a6410c87c119f5a8a03eb52c85a8b3aac20928f2d0b3bf4c41485e2a2e9f0b4aafcf45ffd7b59c2f6e42276f6b91
SSDEEP

12288:rs9hR66kSoCU5qJSr1eCyUZbOj39fyf4MgqAUHUzTshp1dIWcI:+ROSoCU5qJSr1eCyJZfyf4Mgq9eTsIJI

Score

10^/10

azov persistence ransomware spyware stealer wiper

Malware Config

Targets

- Target
  
  2025-03-06_8cb20120cbffa976277c992d2fc1c633_ryuk
- Size
  
  664KB
- MD5
  
  8cb20120cbffa976277c992d2fc1c633
- SHA1
  
  57971dc11c99c2261242e24058fb9528a6219f96
- SHA256
  
  9f7fcc877645899abcf028022a04454d81b5f757c825500c2278fa84ba7799fd
- SHA512
  
  e1a1aa76978e64fa9413974d271e602b76f8a6410c87c119f5a8a03eb52c85a8b3aac20928f2d0b3bf4c41485e2a2e9f0b4aafcf45ffd7b59c2f6e42276f6b91
- SSDEEP
  
  12288:rs9hR66kSoCU5qJSr1eCyUZbOj39fyf4MgqAUHUzTshp1dIWcI:+ROSoCU5qJSr1eCyJZfyf4Mgq9eTsIJI
Score

10^/10

azov persistence ransomware spyware stealer wiper
- Azov
  A wiper seeking only damage, first seen in 2022.
  ransomware wiper azov
- Azov family
  azov
- Renames multiple (1262) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

azovpersistenceransomwarespywarestealerwiper

behavioral2

azovpersistenceransomwarespywarestealerwiper