1a9fe09d5ecca17e3afe32f44d7be2230e527cfdc3a4aa7806488589ea9cb945

General

Target

SecuriteInfo.com.Trojan.Siggen22.48393.30867.31825.exe
Size

8.4MB
MD5

521efa48cc727900d66115774f2e076e
SHA1

abee3f10102e581b8f94d7092168e57c5c1e2493
SHA256

1a9fe09d5ecca17e3afe32f44d7be2230e527cfdc3a4aa7806488589ea9cb945
SHA512

e1f805f8d70fa0b2946daea1b98d99f69ec2119cf2c399d5996dc50945e2c16432b2d338d569d3487b759ed3f55d2cc788e67874698ad684cb7e82f63d312249
SSDEEP

196608:YdaS+uvUh0Fx0suEUkCpMnl8+Uy9n9/aelRMV2Q3TlEu:+axmqOx0Zcnq+fZ9/MVxTSu

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rustdesk.exe

Executes dropped EXE 3 IoCs

pid	Process
2132	rustdesk.exe
1356	rustdesk.exe
3188	rustdesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	rustdesk.exe
2132	rustdesk.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3812	icacls.exe
2516	icacls.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\rustdesk_rCURRENT.log	rustdesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
448	taskkill.exe
4936	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2132	rustdesk.exe
1356	rustdesk.exe
1356	rustdesk.exe
3188	rustdesk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	1356	rustdesk.exe
Token: SeDebugPrivilege	4936	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 448	1648	SecuriteInfo.com.Trojan.Siggen22.48393.30867.31825.exe	91
PID 1648 wrote to memory of 448	1648	SecuriteInfo.com.Trojan.Siggen22.48393.30867.31825.exe	91
PID 1648 wrote to memory of 448	1648	SecuriteInfo.com.Trojan.Siggen22.48393.30867.31825.exe	91
PID 1648 wrote to memory of 2132	1648	SecuriteInfo.com.Trojan.Siggen22.48393.30867.31825.exe	94
PID 1648 wrote to memory of 2132	1648	SecuriteInfo.com.Trojan.Siggen22.48393.30867.31825.exe	94
PID 1648 wrote to memory of 2132	1648	SecuriteInfo.com.Trojan.Siggen22.48393.30867.31825.exe	94
PID 2132 wrote to memory of 2516	2132	rustdesk.exe	98
PID 2132 wrote to memory of 2516	2132	rustdesk.exe	98
PID 2132 wrote to memory of 2516	2132	rustdesk.exe	98
PID 2132 wrote to memory of 3812	2132	rustdesk.exe	97
PID 2132 wrote to memory of 3812	2132	rustdesk.exe	97
PID 2132 wrote to memory of 3812	2132	rustdesk.exe	97
PID 2132 wrote to memory of 1356	2132	rustdesk.exe	99
PID 2132 wrote to memory of 1356	2132	rustdesk.exe	99
PID 2132 wrote to memory of 1356	2132	rustdesk.exe	99
PID 2132 wrote to memory of 932	2132	rustdesk.exe	102
PID 2132 wrote to memory of 932	2132	rustdesk.exe	102
PID 2132 wrote to memory of 932	2132	rustdesk.exe	102
PID 932 wrote to memory of 4936	932	cmd.exe	104
PID 932 wrote to memory of 4936	932	cmd.exe	104
PID 932 wrote to memory of 4936	932	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen22.48393.30867.31825.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen22.48393.30867.31825.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RuntimeBroker_rustdesk.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
  "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\ProgramData\RustDesk\shared_memory_portable_service /grant *S-1-1-0:(OI)(CI)F /T
    3⤵
    - Modifies file permissions
    PID:3812
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\ProgramData\RustDesk /grant *S-1-1-0:(OI)(CI)F /T
    3⤵
    - Modifies file permissions
    PID:2516
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --portable-service
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
  - - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
      "C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --run-as-system
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM RuntimeBroker_rustdesk.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RustDesk\shared_memory_portable_service

Filesize
23B

MD5
fd6844912ef09a0bfee5f804d8995d91

SHA1
554fd7048160903b5a965fc55c90e2c0adc4714d

SHA256
dbfbfee001a0c4628b32d6886aee93c6417782bfe06ad706f5068bcf5a39d215

SHA512
791da977edba2460e4c955037d6137666c6a9535ff61c20ef344ebe7ba59dec85d98d6801dd7c49481b0b43f74b487a0a1880b1ca407bc118e01e1d95cf3f8ad

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe

Filesize
580KB

MD5
f267777f063ffa870cc74643f2de8ade

SHA1
370b854132c13ce9ed2e86e010cd38382a0ce52d

SHA256
a069dd8d73868b309337051ba08473dddbb0868482972156fb2f63357cd1e0c4

SHA512
32cb934a76908c8e25a7590b111a86df9354e28ab975f40521fc38ad356f4ab7fbc105e27210b3f74b79b21e6906585603bbee0c0c67561384efe37f47cbc6eb

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe

Filesize
1.4MB

MD5
4853a4edbc7c3ffb2061ce3aa15ad2d5

SHA1
dbad1589cb9e9f893c4839c808079d9fff59f21e

SHA256
a204d4dcf564827fa3de76ae626f56a093d20f446fd8d7c4f99591984a7e0489

SHA512
060173a2f9cd6fd80aff308357211af71e07602e6073d54f510c67281671b94d9bc358aca2a68d3e2f040d3f2adccd2171b92a8b2896f50dbed782109200b7b1

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe

Filesize
1.4MB

MD5
8e0c53e8d2d78f18050b63fb99a33901

SHA1
b6629c55e1b660f0797f9b1a0b27cfe290d7cf22

SHA256
dc3e590a08863c60e1e54dfcdc429ba00eba071d541fa8ef6d6ba6a7ebd0bf5e

SHA512
b7e03565b4b329e9a2e260a3c263b7e304652708d755ddc3224ac426c2d9c039d1a02f7b4516aa5ebb764e04e28560651ea3b9eb51a7f389c7ab6c07085e693d

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe

Filesize
566KB

MD5
1e4118577fa5bf7b9a6771816e42792b

SHA1
04492dab6894d6e4419c56a02765f237800a4cf8

SHA256
81cb5bf262316313a030a3c2997287aa61e684029f4408b9b5c9be7c8b9a7c54

SHA512
6ef03f7923a56b4e86aabcc379a2524da6a17c7b339b41eba43b711987d9da059396991d11ddfe2e05e097ca63fb69edfcd22c7a202346cd79fd00ea4ad10f10

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\sciter.dll

Filesize
627KB

MD5
ff509035ce42c13269b75a9f3b2c6cb5

SHA1
cd479b35089a30b53ec217456abe956febe24c92

SHA256
0655f57a43bc6823205fd7c3a0b243d4bbabc5da0371d8b810d7e5394ee0a562

SHA512
141c697d8f2d2d21b926592f32deaae9876902995c015e461678ace90baf0e2f259d041f802ea8dc3e6ae29d685f1a7f4ccebe167a5214b2c75edfe58697fafc

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\sciter.dll

Filesize
649KB

MD5
d3214a01c5b0cd16da95344da0cc5a7c

SHA1
fce0d9eb33393c6086bc6205d48095526bd87cea

SHA256
8528b6ee3567db370f7db1605736cd5f56fa529646e2de1e43ef0ae96824610f

SHA512
411bd966a87081ab1ce8127fadd00e1ac42fb0cd972ef9a5953af0ad33bccb7ba54faa7903b8c0b7e255a87fc67c7123c453eda1e5d2989f22b267fc92bce8f7

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\sciter.dll

Filesize
881KB

MD5
b6ce84eb7e0f5a1a8b6e0de3e77beb65

SHA1
51c9e40e331722a7592c995a0a5113e4d1c41df4

SHA256
02012808b13f1aee5f337394ea7f6eb38fb7b57ffd65951017140631ef87f99f

SHA512
843da5f8da4ecd9b19007e114630310f8e8906f12802990653a2c0a9f1313bb4c8431e2effe3cb50d939c996fdfc7c70088b70da873e62782139d7007776d8c4

Download Submit

Analysis

Sharing