Analysis
- max time kernel: 147s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-11-2022 12:50
Static task: static1
Behavioral task: behavioral1
- Sample: rdpclient.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: rdpclient.exe
- Resource: win10v2004-20220812-en
General
- Target: rdpclient.exe
- Size: 113KB
- MD5: 8737c6601c30b2ed49b51d6b53e2ea3e
- SHA1: d9521390d87bd895c78d16f573bfa6863ce46e2c
- SHA256: 9a952abaa9e8bc4676e2c8e53774d15198e4b9163bebf37a0bc2e238e49f2f98
- SHA512: ab451844a8d6d57e34b2825db9bc8c669a1dd83db6bb7d98b37919da26a45b815d9c1544eed00eea8190255dc9edc7f42cdb5dde8f92b9df14309a3cbcad1ec2
- SSDEEP: 1536:lxhjgDHJewOvXuhi3ugCXjQzZ28Tx4rUbu60l+uMh8c9n5P3vrOTaTlonDQgWPI:la4aU39FHTx4rd60fS8cd5P3viCYDQ0
Malware Config
Signatures
- Azov
  A wiper seeking only damage, first seen in 2022.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | rdpclient.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | rdpclient.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only), one row per drive root, all by rdpclient.exe. The 24 roots probed are every drive letter except C: and D:, sorted here for readability:
  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- Drops file in Program Files directory (64 IoCs)
  Of the 64 rows, 13 are File created (every one a RESTORE_FILES.txt note dropped into an existing application directory) and 51 are File opened for modification of existing application files; all are attributed to rdpclient.exe.
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-200.png | rdpclient.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\RESTORE_FILES.txt | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-72_contrast-black.png | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteMedTile.scale-100.png | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\resources.pri | rdpclient.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\RESTORE_FILES.txt | rdpclient.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ru.jar | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\ui-strings.js | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_Flight_Light.png | rdpclient.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\RESTORE_FILES.txt | rdpclient.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\logger\RESTORE_FILES.txt | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16.png | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-125.png | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png | rdpclient.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\RESTORE_FILES.txt | rdpclient.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Confirmation.m4a | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ChakraBridge.winmd | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil_2x.png | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_selected_18.svg | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-100.png | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-400.png | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxWideTile.scale-400.png | rdpclient.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\RESTORE_FILES.txt | rdpclient.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\RESTORE_FILES.txt | rdpclient.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\RESTORE_FILES.txt | rdpclient.exe
  File opened for modification | C:\Program Files\FormatOpen.pps | rdpclient.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-400_contrast-white.png | rdpclient.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\favicon.ico | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\ui-strings.js | rdpclient.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\fr-CA\RESTORE_FILES.txt | rdpclient.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar | rdpclient.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\RESTORE_FILES.txt | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\resources.pak | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\104.0.1293.47\Locales\ca.pak | rdpclient.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-80.png | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-150.png | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\TriPeaks.Wide.png | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png | rdpclient.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\RESTORE_FILES.txt | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign-2x.png | rdpclient.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\OriginLetter.Dotx | rdpclient.exe
  File created | C:\Program Files\Windows Media Player\es-ES\RESTORE_FILES.txt | rdpclient.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms | rdpclient.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\skins\skin.catalog | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WideTile.scale-125_contrast-black.png | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48_altform-unplated.png | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxManifest.xml | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxSelected.svg | rdpclient.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml | rdpclient.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\EdgeWebView.dat | rdpclient.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\RESTORE_FILES.txt | rdpclient.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Regular.otf | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1850_20x20x32.png | rdpclient.exe
  File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLike.Tests.ps1 | rdpclient.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms | rdpclient.exe
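The three behavioural signatures above (the Run key, the drive-root probes and the RESTORE_FILES.txt drops) arrive as flattened "description ioc process" rows. As an added triage example, not code from the sandbox or from any tool named on this page, the Python below parses rows in exactly that layout and reduces them to the facts an analyst would carry into a ticket: the persistence value and the command it launches, how many drive letters were probed, where the notes landed, and how many existing files were opened for write. The input is a constructed subset of the report's own rows; the description vocabulary matched by ROW_RE is the set of descriptions that appear in this report, and a row using any other wording is skipped rather than guessed at.

```python
"""Reduce flattened sandbox IoC rows to analyst-facing findings.

Added example; not part of the sandbox report. Rows are parsed in the
report's own '<description> <ioc> <process>' layout.
"""
import ntpath
import re

# Constructed sample: a subset of the report's IoC rows, copied verbatim.
IOC_LINES = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run rdpclient.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" rdpclient.exe
File opened (read-only) \??\N: rdpclient.exe
File opened (read-only) \??\Q: rdpclient.exe
File opened (read-only) \??\A: rdpclient.exe
File created C:\Program Files\VideoLAN\VLC\plugins\logger\RESTORE_FILES.txt rdpclient.exe
File created C:\Program Files\Windows Media Player\es-ES\RESTORE_FILES.txt rdpclient.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ru.jar rdpclient.exe
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLike.Tests.ps1 rdpclient.exe
"""

# The description column has a fixed vocabulary in this report; matching it up
# front keeps spaces inside the IoC ("Program Files") from being mis-split.
# The process name is the last whitespace-free token on the row.
ROW_RE = re.compile(
    r"^(Key created|Set value \(str\)|File opened \(read-only\)|"
    r"File created|File opened for modification) (.+) (\S+)$"
)
# HKLM/HKCU ...\CurrentVersion\Run\<value> = "<command>"
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\ ]+) = \"(.*)\"$")
# Drive-root probe via the NT object path form \??\X:
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")
NOTE_NAME = "RESTORE_FILES.txt"  # note filename seen in the report's rows


def parse_rows(text):
    """Yield (description, ioc, process) for every row that fits the layout."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.groups()


def triage(text):
    """Collect the persistence, enumeration and note-drop facts from the rows."""
    summary = {
        "run_values": {},    # Run value name -> command it launches
        "drives": set(),     # drive letters probed through \??\X:
        "note_dirs": set(),  # directories that received a RESTORE_FILES.txt
        "modified": [],      # existing files opened for modification
        "processes": set(),  # processes attributed in the rows
    }
    for desc, ioc, proc in parse_rows(text):
        summary["processes"].add(proc)
        if desc == "Set value (str)":
            m = RUN_VALUE_RE.search(ioc)
            if m:
                summary["run_values"][m.group(1)] = m.group(2)
        elif desc == "File opened (read-only)":
            m = DRIVE_RE.match(ioc)
            if m:
                summary["drives"].add(m.group(1))
        elif desc == "File created" and ntpath.basename(ioc) == NOTE_NAME:
            summary["note_dirs"].add(ntpath.dirname(ioc))
        elif desc == "File opened for modification":
            summary["modified"].append(ioc)
    return summary


def findings(summary):
    """Render the summary as one line per finding, in a fixed order."""
    out = []
    for name, cmd in sorted(summary["run_values"].items()):
        out.append(f"persistence: HKLM Run value '{name}' launches {cmd}")
    if summary["drives"]:
        letters = "".join(sorted(summary["drives"]))
        out.append(f"drive enumeration: {len(letters)} letters probed ({letters})")
    if summary["note_dirs"]:
        out.append(f"note drop: {NOTE_NAME} written to {len(summary['note_dirs'])} directories")
    if summary["modified"]:
        out.append(f"file modification: {len(summary['modified'])} existing files opened for write")
    return out


if __name__ == "__main__":
    for line in findings(triage(IOC_LINES)):
        print(line)
```

Feeding the full 64-row table and the 24 drive rows from this report through `triage` gives the counts stated in the section headings above; on a live host the same three facts translate directly into what to check first: the Run value named in `run_values`, the launch path it points at, and any RESTORE_FILES.txt under Program Files.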
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3996-132-0x0000021002D60000-0x0000021002D64000-memory.dmp (16KB)
- memory/3996-133-0x00007FF67FA70000-0x00007FF67FA87000-memory.dmp (92KB)
- memory/3996-134-0x0000021002D30000-0x0000021002D37000-memory.dmp (28KB)
- memory/3996-135-0x0000021002D50000-0x0000021002D55000-memory.dmp (20KB)
- memory/3996-136-0x0000021002D60000-0x0000021002D64000-memory.dmp (16KB)