Analysis
- max time kernel: 151s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 21-11-2022 12:48
Static task: static1
Behavioral task: behavioral1
- Sample: rdpclient.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: rdpclient.exe
- Resource: win10v2004-20221111-en
General
- Target: rdpclient.exe
- Size: 113KB
- MD5: 0de8c69f60e0469a56b9d9b4a3cac9c7
- SHA1: d7d44c64e7ce5973815327cc2218340dd38363b5
- SHA256: e2ca30b2a5d896a6386d7e93addef74499fdcec1be625f8c21bfb7f6fbf83794
- SHA512: e7e4a7b96b6126a370d707d811fff03929bd2113f01c254a909deeb8df7e1a2697f33a9dcdcf449e01344a757e6b8eeb960c9f4088d0d2a8d6f1497ff30a24d1
- SSDEEP: 1536:lxhjrDHJeUDvXuhi3ugHXjQzZ28Tx4rUbu60CNznelEWn4w6T8fW37yimIgHL65G:ln4FU39EHTx4rd60CFnwn8lU65s3
Malware Config
Signatures
-
Azov
A wiper seeking only damage, first seen in 2022.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: rdpclient.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (rdpclient.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" (rdpclient.exe)
-
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: rdpclient.exe
File opened (read-only): \??\O: (rdpclient.exe)
File opened (read-only): \??\N: (rdpclient.exe)
File opened (read-only): \??\M: (rdpclient.exe)
File opened (read-only): \??\S: (rdpclient.exe)
File opened (read-only): \??\V: (rdpclient.exe)
File opened (read-only): \??\X: (rdpclient.exe)
File opened (read-only): \??\A: (rdpclient.exe)
File opened (read-only): \??\G: (rdpclient.exe)
File opened (read-only): \??\K: (rdpclient.exe)
File opened (read-only): \??\L: (rdpclient.exe)
File opened (read-only): \??\Q: (rdpclient.exe)
File opened (read-only): \??\T: (rdpclient.exe)
File opened (read-only): \??\U: (rdpclient.exe)
File opened (read-only): \??\Y: (rdpclient.exe)
File opened (read-only): \??\F: (rdpclient.exe)
File opened (read-only): \??\Z: (rdpclient.exe)
File opened (read-only): \??\E: (rdpclient.exe)
File opened (read-only): \??\H: (rdpclient.exe)
File opened (read-only): \??\I: (rdpclient.exe)
File opened (read-only): \??\J: (rdpclient.exe)
File opened (read-only): \??\P: (rdpclient.exe)
File opened (read-only): \??\R: (rdpclient.exe)
File opened (read-only): \??\W: (rdpclient.exe)
File opened (read-only): \??\B: (rdpclient.exe)
-
Drops file in Program Files directory (64 IoCs)
Process: rdpclient.exe
Processes
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1184-54-0x0000000000290000-0x0000000000294000-memory.dmp (Filesize: 16KB)
- memory/1184-55-0x000000013FE70000-0x000000013FE87000-memory.dmp (Filesize: 92KB)
- memory/1184-58-0x0000000000290000-0x0000000000294000-memory.dmp (Filesize: 16KB)
- memory/1184-57-0x0000000000280000-0x0000000000285000-memory.dmp (Filesize: 20KB)
- memory/1184-56-0x0000000000260000-0x0000000000267000-memory.dmp (Filesize: 28KB)