Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2022 12:48
Static task
static1
Behavioral task
behavioral1
Sample
rdpclient.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
rdpclient.exe
Resource
win10v2004-20221111-en
General
-
Target
rdpclient.exe
-
Size
113KB
-
MD5
cb36414aa635a55c46da102f64e68667
-
SHA1
6a16c156b4e937e16961606c9e2c0bf982d7994b
-
SHA256
f26a427105cba33da30a7e345f398c0808ad350875ff6bc1790b17132a1c0405
-
SHA512
ce3d5124c7ded7b2a5a0d4d10c7fbbadd290af056cda0761a3e9c9864a91b561cae2d55ac5e369db15454e8236395e1fdf59a8a0b6614132bd9d41694117359f
-
SSDEEP
1536:lxhjZDHJex1vXuhi3ugzXjQzZ28Tx4rUbu60z0aleVrk3kCNUGG4XsEjUyOyI7:lF4qU39YHTx4rd60zrley3IGGOsEjUV7
Malware Config
Signatures
-
Azov
A wiper seeking only damage, first seen in 2022.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
rdpclient.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run rdpclient.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" rdpclient.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rdpclient.exedescription ioc process File opened (read-only) \??\B: rdpclient.exe File opened (read-only) \??\F: rdpclient.exe File opened (read-only) \??\H: rdpclient.exe File opened (read-only) \??\I: rdpclient.exe File opened (read-only) \??\N: rdpclient.exe File opened (read-only) \??\S: rdpclient.exe File opened (read-only) \??\Z: rdpclient.exe File opened (read-only) \??\E: rdpclient.exe File opened (read-only) \??\M: rdpclient.exe File opened (read-only) \??\R: rdpclient.exe File opened (read-only) \??\V: rdpclient.exe File opened (read-only) \??\X: rdpclient.exe File opened (read-only) \??\A: rdpclient.exe File opened (read-only) \??\G: rdpclient.exe File opened (read-only) \??\K: rdpclient.exe File opened (read-only) \??\L: rdpclient.exe File opened (read-only) \??\P: rdpclient.exe File opened (read-only) \??\U: rdpclient.exe File opened (read-only) \??\J: rdpclient.exe File opened (read-only) \??\O: rdpclient.exe File opened (read-only) \??\Q: rdpclient.exe File opened (read-only) \??\T: rdpclient.exe File opened (read-only) \??\W: rdpclient.exe File opened (read-only) \??\Y: rdpclient.exe -
Drops file in Program Files directory 64 IoCs
Processes:
rdpclient.exedescription ioc process File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml rdpclient.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms rdpclient.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-lightunplated.png rdpclient.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms rdpclient.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_altform-unplated_contrast-white.png rdpclient.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-150.png rdpclient.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\RESTORE_FILES.txt rdpclient.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\RESTORE_FILES.txt rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml rdpclient.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\RESTORE_FILES.txt rdpclient.exe File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\RESTORE_FILES.txt rdpclient.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-100.png rdpclient.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\pages-app-tool-view.js rdpclient.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\RESTORE_FILES.txt rdpclient.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png rdpclient.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCacheMini.scale-200.png rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png rdpclient.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\ui-strings.js rdpclient.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\RESTORE_FILES.txt rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png rdpclient.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-400.png rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-24_contrast-white.png rdpclient.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak rdpclient.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar rdpclient.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-125_contrast-white.png rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-100_contrast-white.png rdpclient.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_18.svg rdpclient.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg rdpclient.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js rdpclient.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\cs_get.svg rdpclient.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms rdpclient.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms rdpclient.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms rdpclient.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\RESTORE_FILES.txt rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-400.png rdpclient.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Snooze.scale-64.png rdpclient.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\PesterThrow.ps1 rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_contrast-black.png rdpclient.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-ae\RESTORE_FILES.txt rdpclient.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms rdpclient.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-4246620582-653642754-1174164128-1000-MergedResources-0.pri rdpclient.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-48.png rdpclient.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\RESTORE_FILES.txt rdpclient.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt rdpclient.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\RESTORE_FILES.txt rdpclient.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\example_icons.png rdpclient.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\ui-strings.js rdpclient.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\RESTORE_FILES.txt rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-36_altform-unplated_contrast-white.png rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_contrast-white.png rdpclient.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_hover_18.svg rdpclient.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt rdpclient.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms rdpclient.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-72_altform-unplated.png rdpclient.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\RESTORE_FILES.txt rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\MedTile.scale-200.png rdpclient.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\SuccessControl.xaml rdpclient.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3648-132-0x0000021E947F0000-0x0000021E947F4000-memory.dmpFilesize
16KB
-
memory/3648-133-0x00007FF7BBE50000-0x00007FF7BBE67000-memory.dmpFilesize
92KB
-
memory/3648-134-0x0000021E947C0000-0x0000021E947C7000-memory.dmpFilesize
28KB
-
memory/3648-135-0x0000021E947E0000-0x0000021E947E5000-memory.dmpFilesize
20KB
-
memory/3648-136-0x0000021E947F0000-0x0000021E947F4000-memory.dmpFilesize
16KB