23b661d7bc171cd500d5096456905283ffe06479582b62d3bd5066633935d43e

Analysis

max time kernel
160s
max time network
203s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
06/02/2024, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rustdesk-1.2.3-x86_64.exe
Size

19.8MB
MD5

7caa1ef1cdeabb6c7487d66bd172fcf8
SHA1

a95d7098080fc3994ab434c2a5c4ec8f85817b11
SHA256

23b661d7bc171cd500d5096456905283ffe06479582b62d3bd5066633935d43e
SHA512

d4d13f539ce2e6177be3c06bab29fb69964424176a5f7573f27bfcdf87fe73b9b522182460331523f1421c0490e4c95b3a864eb9152df8bca7957916b85c5ae1
SSDEEP

393216:Mdvr3DHhPWjmUASYlYLGE3+6Pdj/uVDVU3LLHf36WAaS:SzTHhOjCl3b6F85UbL/36WAz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2464	rustdesk.exe
1872	rustdesk.exe
2008	rustdesk.exe
3768	rustdesk.exe
5676	rustdesk.exe

Loads dropped DLL 59 IoCs

pid	Process
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
2464	rustdesk.exe
1872	rustdesk.exe
1872	rustdesk.exe
1872	rustdesk.exe
1872	rustdesk.exe
1872	rustdesk.exe
1872	rustdesk.exe
1872	rustdesk.exe
1872	rustdesk.exe
1872	rustdesk.exe
1872	rustdesk.exe
1872	rustdesk.exe
2008	rustdesk.exe
2008	rustdesk.exe
2008	rustdesk.exe
2008	rustdesk.exe
2008	rustdesk.exe
2008	rustdesk.exe
2008	rustdesk.exe
2008	rustdesk.exe
2008	rustdesk.exe
2008	rustdesk.exe
2008	rustdesk.exe
3768	rustdesk.exe
3768	rustdesk.exe
3768	rustdesk.exe
3768	rustdesk.exe
3768	rustdesk.exe
3768	rustdesk.exe
3768	rustdesk.exe
3768	rustdesk.exe
3768	rustdesk.exe
3768	rustdesk.exe
3768	rustdesk.exe
5676	rustdesk.exe
5676	rustdesk.exe
5676	rustdesk.exe
5676	rustdesk.exe
5676	rustdesk.exe
5676	rustdesk.exe
5676	rustdesk.exe
5676	rustdesk.exe
5676	rustdesk.exe
5676	rustdesk.exe
5676	rustdesk.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2268	icacls.exe
2516	icacls.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\rustdesk_rCURRENT.log	rustdesk.exe
File opened for modification	C:\Windows\SystemTemp\shared_memory-rs\shmem_BE0E08ED10801DC1	rustdesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
5068	taskkill.exe
3740	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2464	rustdesk.exe
1872	rustdesk.exe
1872	rustdesk.exe
3768	rustdesk.exe
5676	rustdesk.exe
5676	rustdesk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	1872	rustdesk.exe
Token: SeDebugPrivilege	3740	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2464	rustdesk.exe
5676	rustdesk.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2464	rustdesk.exe
2464	rustdesk.exe
5676	rustdesk.exe
5676	rustdesk.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 5068	4404	rustdesk-1.2.3-x86_64.exe	77
PID 4404 wrote to memory of 5068	4404	rustdesk-1.2.3-x86_64.exe	77
PID 4404 wrote to memory of 2464	4404	rustdesk-1.2.3-x86_64.exe	80
PID 4404 wrote to memory of 2464	4404	rustdesk-1.2.3-x86_64.exe	80
PID 2464 wrote to memory of 2516	2464	rustdesk.exe	84
PID 2464 wrote to memory of 2516	2464	rustdesk.exe	84
PID 2464 wrote to memory of 2268	2464	rustdesk.exe	83
PID 2464 wrote to memory of 2268	2464	rustdesk.exe	83
PID 2464 wrote to memory of 1872	2464	rustdesk.exe	91
PID 2464 wrote to memory of 1872	2464	rustdesk.exe	91
PID 2464 wrote to memory of 2008	2464	rustdesk.exe	85
PID 2464 wrote to memory of 2008	2464	rustdesk.exe	85
PID 2464 wrote to memory of 3420	2464	rustdesk.exe	90
PID 2464 wrote to memory of 3420	2464	rustdesk.exe	90
PID 3420 wrote to memory of 3740	3420	cmd.exe	88
PID 3420 wrote to memory of 3740	3420	cmd.exe	88
PID 2464 wrote to memory of 5676	2464	rustdesk.exe	92
PID 2464 wrote to memory of 5676	2464	rustdesk.exe	92

C:\Users\Admin\AppData\Local\Temp\rustdesk-1.2.3-x86_64.exe
"C:\Users\Admin\AppData\Local\Temp\rustdesk-1.2.3-x86_64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RuntimeBroker_rustdesk.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
  "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\system32\icacls.exe
    "icacls" C:\ProgramData\RustDesk\shared_memory_portable_service /grant *S-1-1-0:(OI)(CI)F /T
    3⤵
    - Modifies file permissions
    PID:2268
- - C:\Windows\system32\icacls.exe
    "icacls" C:\ProgramData\RustDesk /grant *S-1-1-0:(OI)(CI)F /T
    3⤵
    - Modifies file permissions
    PID:2516
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --check-hwcodec-config
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2008
- - C:\Windows\system32\cmd.exe
    "cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3420
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --portable-service
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:5676

C:\Windows\system32\taskkill.exe
taskkill /F /IM RuntimeBroker_rustdesk.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
"C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --run-as-system
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RustDesk\shared_memory_portable_service

Filesize
23B

MD5
68d7ab5c8a6d828bd61822f93f97d6d3

SHA1
bd723584a02c3789d0936d2447372f25171b5bea

SHA256
b668283b58459b011a455c39d2267bdf3128519e8bd8cbfbbe6cc65b6eee5b83

SHA512
dbc18a7d44ddba1612d82054474fa6c9e36b3f03d3f41698e29bf1929a6a1a6cc8bc95e252752c0ea9e4ebdc8a7db8863e0d234488c43a257646fd0d4825fc00

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\app.so

Filesize
12.6MB

MD5
d5a981e73de575e062ddc104a7fc4b97

SHA1
00ac691f5f3e9caade1949a06b3a77c6e370d8e8

SHA256
961b5683da717aa5e92ed4f51706403ae36f2cbb576fc5813fdf0a2b3f79921c

SHA512
b4255fc6b97331ef4d95cc4e4f93c8b3d2ba27f187ce49bdfa474f0ae6ae75869a1f0293c7e659d6e1919c99007ffbd43606ed792961ca9673e1df71fed45a1d

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\desktop_drop_plugin.dll

Filesize
332KB

MD5
a08b6b4b8fca511c4ae5f0c3ea2b3b52

SHA1
f4062878489cb76259546f535fa5b0cda4500e06

SHA256
0de513f799226c86365295950821725eefac3d7b094f3b1c3dc7b8cd92127564

SHA512
a08af29dea6c0c16caebd2683ca1413aa801358c644029f728d2e4066998c0931c95a1c65781fe58927094d1df3e48b342d0f65efd370c8d094a64cc9af1126b

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\desktop_multi_window_plugin.dll

Filesize
405KB

MD5
19964243f81efea4cb3c756fce35fc87

SHA1
5cad8ee708732f6076daceabf6939edf8d53e116

SHA256
f417bde8a0853a612c0c9e81e28f52795b052180788e001210ed3fe09491103a

SHA512
df5d97112018a160675d5a0fc8b262f90e4c745f58af9e09089bf66b8e18f6cfc619856cac1e4adc2ab827324b899dc1fc48e318554378417c0f3b5b11704825

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\flutter_custom_cursor_plugin.dll

Filesize
322KB

MD5
3c710c1e1025ef0fc8cdfc9f746372ac

SHA1
f46ada3ba09bce3457cd5ef0f2ae22ce7dad5fe5

SHA256
39884f09ce034d7b3cabbe3300ecea3d4731835acede66b7b213c46277b5695b

SHA512
00617fc61eec40590e5e702ed8a055e553d80908ef12469ce9a9373125e60f1157cd9accc717cc5273bdbb6deb55ba6d5f551ffc66a37e2609633e5a2e504af3

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\flutter_windows.dll

Filesize
6.8MB

MD5
87f5b497ebbcaff3739197e23a9c0185

SHA1
f2903a5f40307d1f0514f867e7a4638ae8d8ed36

SHA256
c0ed299c9e7d28e9f799589d256e24d4582293b281161c7e9bc54573e35314dc

SHA512
ade34d9ea0ce8e39e894fdef3bc3603106f794db1342d01d326fd156f391fc513a741d1a23a221047a106a3c054a80841153831770a4d28b76d906be28a4f5a7

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\flutter_windows.dll

Filesize
17.0MB

MD5
e2b36e1e9d37c457693a846bde518c75

SHA1
3dae7866ea914ebaa8ad486822fa592d69183601

SHA256
e04e062474335d1e78f90f3c426b2d0a37a0bbec4def5033e7cc0caa255fda25

SHA512
f2c62d60ca0ca3e29aa6113764c56447d017c9c4932b29759aa60116dac1254036ec9f6cf9400f278d86360f743e76945a56064073e0417d4fd497488f198dba

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\librustdesk.dll

Filesize
12.3MB

MD5
b9306f712986738e737fc933a74d1fa5

SHA1
208922519ed566102a20bead4feea3bcec39f8b9

SHA256
004e7cb1bc34ba007233fbb9261335acdd5de9a5f7fefccf3cfd2c8ad2fa8710

SHA512
50161f6036f62beb5ef82764c12030c708886d60b05ec7da4af4b27432843d0e6e489b397feaa0afd6ef0edbfe57dc60f5e41d73d3fa76e7942451db4e018b3b

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\librustdesk.dll

Filesize
8.0MB

MD5
e7386ffd4ccd69f8658b0268572f3cad

SHA1
ad569effbfe77832c52493107031208d65535134

SHA256
faac777d9a9b6339f1efd0d42deb58503d35c28a25b15722216613dadc3155e2

SHA512
ef561a6d8411739fef0cf4c09dc877aa697ed525fd9f9466f97437586a6223731168f1db3c8fcce4e7a3e7d093e0461ce7efe0e5e2137efa47da7e01e63c971e

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\librustdesk.dll

Filesize
23.6MB

MD5
5aaca1aaf9d5883b3c474f8e013f91a9

SHA1
00036beb0521c4cdda6f123356a2ffef5e5f0895

SHA256
01e8bd30ee27d94bc3e4d092c3431c5940d13953042c26fb89be7364a7dfcd94

SHA512
910e6d1aa302b638e32a49d79c45ac8b1595e6a5f36f99689e36f96b7520d4223e391364313c571faea230cb8795cc13be89a9f4556a29be30b7cbf48a58bab2

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe

Filesize
266KB

MD5
272595dc239c416f97d938edf06b2fff

SHA1
6fbbf0629226d0337f62d09847a569ccfeaab7a5

SHA256
e8f370f8029b433f481333ffb7887f3dd8b91ebcd9e8cf8c81787c9de07da86f

SHA512
e430c87181aa41f6cd8aa32d92d729059f37b474ef03ea74bbbe18eb9b172a2bb423345139c5af833edea86864e6b8896f02ebc85741ecef29a4e62a3868ab15

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\screen_retriever_plugin.dll

Filesize
557KB

MD5
09c5f77b487c525230d287f72b155699

SHA1
16149a40680bd9d8e43a51a06282c2cb3b61a7bf

SHA256
ca71b91945b859c0e9af9c97e64733ab30589b16ada39095a03a00fa4fec64b1

SHA512
2333795975999031d5d1ec2235f9f0b6f57a24aa1b95223161c05a429935e6c80187e08cdc3a54459fa6274086110e22b490d922bed5546f27c42323076b0920

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\texture_rgba_renderer_plugin.dll

Filesize
335KB

MD5
79ec6a8d69d00ec85e0d4bca4ca9f4c3

SHA1
c012a435e705e0102e981ebf5e252a429959613b

SHA256
497eef7df50108321a25940b858db0f5e448a0d2384ec3d2038c6e360f593ae4

SHA512
77de26eda07803070288b5376cafca8475a153986fdcbfc1c742f4224b09b9c8746bf87db7175b367125255593c07c7bf16554f0f4b06d444c5d2b0902452cb4

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\uni_links_desktop_plugin.dll

Filesize
554KB

MD5
ad303be2fd780fec8dd371cf371c0539

SHA1
0b177653f8457642717aa6a4e1c62432e6e92b39

SHA256
d7c3da9ae5e8c6f33e4972784a0e73034b31576bf47248e5512f34d4beb0f8c2

SHA512
1ec4bd2bbed3b4d783611a2943c93854425a4b6eae070d37d61135f4ce826672a960fd0bdf1d4e7687b47a3b01ce6958e3f8c60b6df4ac274c627cf0966bb498

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\url_launcher_windows_plugin.dll

Filesize
332KB

MD5
f007f46a79fe228e5aadbceaca242703

SHA1
c0f347acce2ea2025d9e1eb35e4eb829344a30fd

SHA256
027e70b91a2ba89f40b768f3b3eb6c12792f422c931a310f097bdb992131aa6c

SHA512
524e11f557395d025d3658c035d87a909eeed7c2c3e89209869e0a1f000e998ff71c4ba3fb69836d44b5116b4ff56c2f1f0eaeb7df3496421f3d1db42354f4a4

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\window_manager_plugin.dll

Filesize
597KB

MD5
f14f9be66e48c18118c45cf9fcd3309b

SHA1
1d290be804d926f60bed30f8f850bdb085515a92

SHA256
4a80b9dba44153735810e7531395a15476733f8a90a69f8fc5939a2c323873a1

SHA512
03b74aadc9a85c65024f4cc43ac6dda1558a157708b26b2c655249034fe0617eb8c03e5d6158ae2ac197ce51b8947262a6450e1a4f41ce0cbdec9a9f5ce4a0b1

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\window_size_plugin.dll

Filesize
551KB

MD5
8147bd2f71221360338cd14e3e7ea323

SHA1
e59ac3f40454e7a4e8abd63945994b836f283c80

SHA256
e0976cceaced3fcb2c93821d760381acd8bcb59b02d2e4df8468cd021c65d96a

SHA512
f7faac494aa4347545b7a17ef56f3e05751d43425a17b80b9c9923924251cc5dff306e5ceed18f856c84236a5ae174519c5fcb91726352b7b31ed73f399400b2

Download Submit
memory/2464-138-0x000001761C760000-0x000001761C761000-memory.dmp

Filesize
4KB

Download
memory/2464-151-0x000001761C880000-0x000001761D511000-memory.dmp

Filesize
12.6MB

Download
memory/2464-160-0x000001761C880000-0x000001761D511000-memory.dmp

Filesize
12.6MB

Download
memory/2464-167-0x000001761C880000-0x000001761D511000-memory.dmp

Filesize
12.6MB

Download
memory/2464-172-0x000001761DAA0000-0x000001761DAA1000-memory.dmp

Filesize
4KB

Download