e56a7ac7a566ac2065d7de524f9934f485fa6f55a1fb6cd388dc0fd1a1daac8d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e56a7ac7a566ac2065d7de524f9934f485fa6f55a1fb6cd388dc0fd1a1daac8d.exe
Size

19.8MB
MD5

0ea4387193cc9313064edce65640f722
SHA1

98925289efe4a071027e25ace5e8a9d659934f1b
SHA256

e56a7ac7a566ac2065d7de524f9934f485fa6f55a1fb6cd388dc0fd1a1daac8d
SHA512

ec4e43dae839c1bde61d6feef212e2eea9eea0b1c69bc77459d23f1613c73378dab13518c249f65988153bc21a5ad2d13fbb82013321555ccd16dac2880ce69a
SSDEEP

393216:Mdvr3DHhPWjmUASYlYLGE3+6Pdj/uVDVU3LLHf36WAa:SzTHhOjCl3b6F85UbL/36WA

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

3672 icacls.exe
4952 icacls.exe

pid	process
3672	icacls.exe
4952	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rustdesk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	rustdesk.exe

Drops file in Windows directory 1 IoCs

Processes:

rustdesk.exe

description ioc process

File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\rustdesk_rCURRENT.log rustdesk.exe
Executes dropped EXE 4 IoCs

Processes:

rustdesk.exerustdesk.exerustdesk.exerustdesk.exe

pid process

2744 rustdesk.exe
496 rustdesk.exe
2812 rustdesk.exe
4224 rustdesk.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\rustdesk_rCURRENT.log	rustdesk.exe

Loads dropped DLL 46 IoCs

Processes:

rustdesk.exerustdesk.exerustdesk.exerustdesk.exe

pid	process
2744	rustdesk.exe
2744	rustdesk.exe
2744	rustdesk.exe
2744	rustdesk.exe
2744	rustdesk.exe
2744	rustdesk.exe
2744	rustdesk.exe
2744	rustdesk.exe
2744	rustdesk.exe
2744	rustdesk.exe
2744	rustdesk.exe
2744	rustdesk.exe
2744	rustdesk.exe
496	rustdesk.exe
496	rustdesk.exe
496	rustdesk.exe
496	rustdesk.exe
496	rustdesk.exe
496	rustdesk.exe
496	rustdesk.exe
496	rustdesk.exe
496	rustdesk.exe
496	rustdesk.exe
496	rustdesk.exe
2812	rustdesk.exe
2812	rustdesk.exe
2812	rustdesk.exe
2812	rustdesk.exe
2812	rustdesk.exe
2812	rustdesk.exe
2812	rustdesk.exe
2812	rustdesk.exe
2812	rustdesk.exe
2812	rustdesk.exe
2812	rustdesk.exe
4224	rustdesk.exe
4224	rustdesk.exe
4224	rustdesk.exe
4224	rustdesk.exe
4224	rustdesk.exe
4224	rustdesk.exe
4224	rustdesk.exe
4224	rustdesk.exe
4224	rustdesk.exe
4224	rustdesk.exe
4224	rustdesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2056 taskkill.exe
2300 taskkill.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rustdesk.exerustdesk.exerustdesk.exe

pid process

2744 rustdesk.exe
496 rustdesk.exe
496 rustdesk.exe
4224 rustdesk.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exerustdesk.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2056 taskkill.exe
Token: SeDebugPrivilege 496 rustdesk.exe
Token: SeDebugPrivilege 2300 taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rustdesk.exe

pid process

2744 rustdesk.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

rustdesk.exe

pid process

2744 rustdesk.exe
2744 rustdesk.exe

pid	process
2056	taskkill.exe
2300	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	496	rustdesk.exe
Token: SeDebugPrivilege	2300	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

e56a7ac7a566ac2065d7de524f9934f485fa6f55a1fb6cd388dc0fd1a1daac8d.exerustdesk.execmd.exe

description	pid	process	target process
PID 5056 wrote to memory of 2056	5056	e56a7ac7a566ac2065d7de524f9934f485fa6f55a1fb6cd388dc0fd1a1daac8d.exe	taskkill.exe
PID 5056 wrote to memory of 2056	5056	e56a7ac7a566ac2065d7de524f9934f485fa6f55a1fb6cd388dc0fd1a1daac8d.exe	taskkill.exe
PID 5056 wrote to memory of 2744	5056	e56a7ac7a566ac2065d7de524f9934f485fa6f55a1fb6cd388dc0fd1a1daac8d.exe	rustdesk.exe
PID 5056 wrote to memory of 2744	5056	e56a7ac7a566ac2065d7de524f9934f485fa6f55a1fb6cd388dc0fd1a1daac8d.exe	rustdesk.exe
PID 2744 wrote to memory of 4952	2744	rustdesk.exe	icacls.exe
PID 2744 wrote to memory of 4952	2744	rustdesk.exe	icacls.exe
PID 2744 wrote to memory of 3672	2744	rustdesk.exe	icacls.exe
PID 2744 wrote to memory of 3672	2744	rustdesk.exe	icacls.exe
PID 2744 wrote to memory of 496	2744	rustdesk.exe	rustdesk.exe
PID 2744 wrote to memory of 496	2744	rustdesk.exe	rustdesk.exe
PID 2744 wrote to memory of 2812	2744	rustdesk.exe	rustdesk.exe
PID 2744 wrote to memory of 2812	2744	rustdesk.exe	rustdesk.exe
PID 2744 wrote to memory of 4384	2744	rustdesk.exe	cmd.exe
PID 2744 wrote to memory of 4384	2744	rustdesk.exe	cmd.exe
PID 4384 wrote to memory of 2300	4384	cmd.exe	taskkill.exe
PID 4384 wrote to memory of 2300	4384	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\e56a7ac7a566ac2065d7de524f9934f485fa6f55a1fb6cd388dc0fd1a1daac8d.exe
"C:\Users\Admin\AppData\Local\Temp\e56a7ac7a566ac2065d7de524f9934f485fa6f55a1fb6cd388dc0fd1a1daac8d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\system32\taskkill.exe
"taskkill" /F /IM RuntimeBroker_rustdesk.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
"C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\icacls.exe
"icacls" C:\ProgramData\RustDesk /grant *S-1-1-0:(OI)(CI)F /T
3⤵
- Modifies file permissions
PID:4952

C:\Windows\system32\icacls.exe
"icacls" C:\ProgramData\RustDesk\shared_memory_portable_service /grant *S-1-1-0:(OI)(CI)F /T
3⤵
- Modifies file permissions
PID:3672

C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
"C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --portable-service
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
"C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --run-as-system
4⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4224

C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
"C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --check-hwcodec-config
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812

C:\Windows\system32\cmd.exe
"cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\system32\taskkill.exe
taskkill /F /IM RuntimeBroker_rustdesk.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RustDesk\shared_memory_portable_service

Filesize
23B

MD5
749ff049216aae790b9c30278bb08cc1

SHA1
88b1374e8c491a2e666e6b00a8b1fdcfd745a52d

SHA256
7f401b7d18938b566139fcea1cded6b27be73517161eaecc68e7b1667ab6486a

SHA512
34414ddedd03c0be7cd064f6c4b9d896e366d078573d2eea41ea337f0ef06a8e28fd176762940975913ee38ce5abb2ea9c0fba0e0fe188d2a36f242957c2cabf

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\app.so

Filesize
12.6MB

MD5
d5a981e73de575e062ddc104a7fc4b97

SHA1
00ac691f5f3e9caade1949a06b3a77c6e370d8e8

SHA256
961b5683da717aa5e92ed4f51706403ae36f2cbb576fc5813fdf0a2b3f79921c

SHA512
b4255fc6b97331ef4d95cc4e4f93c8b3d2ba27f187ce49bdfa474f0ae6ae75869a1f0293c7e659d6e1919c99007ffbd43606ed792961ca9673e1df71fed45a1d

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\desktop_drop_plugin.dll

Filesize
332KB

MD5
a08b6b4b8fca511c4ae5f0c3ea2b3b52

SHA1
f4062878489cb76259546f535fa5b0cda4500e06

SHA256
0de513f799226c86365295950821725eefac3d7b094f3b1c3dc7b8cd92127564

SHA512
a08af29dea6c0c16caebd2683ca1413aa801358c644029f728d2e4066998c0931c95a1c65781fe58927094d1df3e48b342d0f65efd370c8d094a64cc9af1126b

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\desktop_multi_window_plugin.dll

Filesize
405KB

MD5
19964243f81efea4cb3c756fce35fc87

SHA1
5cad8ee708732f6076daceabf6939edf8d53e116

SHA256
f417bde8a0853a612c0c9e81e28f52795b052180788e001210ed3fe09491103a

SHA512
df5d97112018a160675d5a0fc8b262f90e4c745f58af9e09089bf66b8e18f6cfc619856cac1e4adc2ab827324b899dc1fc48e318554378417c0f3b5b11704825

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\flutter_custom_cursor_plugin.dll

Filesize
322KB

MD5
3c710c1e1025ef0fc8cdfc9f746372ac

SHA1
f46ada3ba09bce3457cd5ef0f2ae22ce7dad5fe5

SHA256
39884f09ce034d7b3cabbe3300ecea3d4731835acede66b7b213c46277b5695b

SHA512
00617fc61eec40590e5e702ed8a055e553d80908ef12469ce9a9373125e60f1157cd9accc717cc5273bdbb6deb55ba6d5f551ffc66a37e2609633e5a2e504af3

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\flutter_windows.dll

Filesize
17.0MB

MD5
e2b36e1e9d37c457693a846bde518c75

SHA1
3dae7866ea914ebaa8ad486822fa592d69183601

SHA256
e04e062474335d1e78f90f3c426b2d0a37a0bbec4def5033e7cc0caa255fda25

SHA512
f2c62d60ca0ca3e29aa6113764c56447d017c9c4932b29759aa60116dac1254036ec9f6cf9400f278d86360f743e76945a56064073e0417d4fd497488f198dba

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\librustdesk.dll

Filesize
23.6MB

MD5
5aaca1aaf9d5883b3c474f8e013f91a9

SHA1
00036beb0521c4cdda6f123356a2ffef5e5f0895

SHA256
01e8bd30ee27d94bc3e4d092c3431c5940d13953042c26fb89be7364a7dfcd94

SHA512
910e6d1aa302b638e32a49d79c45ac8b1595e6a5f36f99689e36f96b7520d4223e391364313c571faea230cb8795cc13be89a9f4556a29be30b7cbf48a58bab2

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe

Filesize
266KB

MD5
272595dc239c416f97d938edf06b2fff

SHA1
6fbbf0629226d0337f62d09847a569ccfeaab7a5

SHA256
e8f370f8029b433f481333ffb7887f3dd8b91ebcd9e8cf8c81787c9de07da86f

SHA512
e430c87181aa41f6cd8aa32d92d729059f37b474ef03ea74bbbe18eb9b172a2bb423345139c5af833edea86864e6b8896f02ebc85741ecef29a4e62a3868ab15

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\screen_retriever_plugin.dll

Filesize
557KB

MD5
09c5f77b487c525230d287f72b155699

SHA1
16149a40680bd9d8e43a51a06282c2cb3b61a7bf

SHA256
ca71b91945b859c0e9af9c97e64733ab30589b16ada39095a03a00fa4fec64b1

SHA512
2333795975999031d5d1ec2235f9f0b6f57a24aa1b95223161c05a429935e6c80187e08cdc3a54459fa6274086110e22b490d922bed5546f27c42323076b0920

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\texture_rgba_renderer_plugin.dll

Filesize
335KB

MD5
79ec6a8d69d00ec85e0d4bca4ca9f4c3

SHA1
c012a435e705e0102e981ebf5e252a429959613b

SHA256
497eef7df50108321a25940b858db0f5e448a0d2384ec3d2038c6e360f593ae4

SHA512
77de26eda07803070288b5376cafca8475a153986fdcbfc1c742f4224b09b9c8746bf87db7175b367125255593c07c7bf16554f0f4b06d444c5d2b0902452cb4

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\uni_links_desktop_plugin.dll

Filesize
554KB

MD5
ad303be2fd780fec8dd371cf371c0539

SHA1
0b177653f8457642717aa6a4e1c62432e6e92b39

SHA256
d7c3da9ae5e8c6f33e4972784a0e73034b31576bf47248e5512f34d4beb0f8c2

SHA512
1ec4bd2bbed3b4d783611a2943c93854425a4b6eae070d37d61135f4ce826672a960fd0bdf1d4e7687b47a3b01ce6958e3f8c60b6df4ac274c627cf0966bb498

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\url_launcher_windows_plugin.dll

Filesize
332KB

MD5
f007f46a79fe228e5aadbceaca242703

SHA1
c0f347acce2ea2025d9e1eb35e4eb829344a30fd

SHA256
027e70b91a2ba89f40b768f3b3eb6c12792f422c931a310f097bdb992131aa6c

SHA512
524e11f557395d025d3658c035d87a909eeed7c2c3e89209869e0a1f000e998ff71c4ba3fb69836d44b5116b4ff56c2f1f0eaeb7df3496421f3d1db42354f4a4

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\window_manager_plugin.dll

Filesize
597KB

MD5
f14f9be66e48c18118c45cf9fcd3309b

SHA1
1d290be804d926f60bed30f8f850bdb085515a92

SHA256
4a80b9dba44153735810e7531395a15476733f8a90a69f8fc5939a2c323873a1

SHA512
03b74aadc9a85c65024f4cc43ac6dda1558a157708b26b2c655249034fe0617eb8c03e5d6158ae2ac197ce51b8947262a6450e1a4f41ce0cbdec9a9f5ce4a0b1

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\window_size_plugin.dll

Filesize
551KB

MD5
8147bd2f71221360338cd14e3e7ea323

SHA1
e59ac3f40454e7a4e8abd63945994b836f283c80

SHA256
e0976cceaced3fcb2c93821d760381acd8bcb59b02d2e4df8468cd021c65d96a

SHA512
f7faac494aa4347545b7a17ef56f3e05751d43425a17b80b9c9923924251cc5dff306e5ceed18f856c84236a5ae174519c5fcb91726352b7b31ed73f399400b2

Download Submit
memory/2744-134-0x000002E2C79A0000-0x000002E2C79A1000-memory.dmp

Filesize
4KB

Download
memory/2744-135-0x000002E2C7B00000-0x000002E2C8791000-memory.dmp

Filesize
12.6MB

Download
memory/2744-136-0x000002E2C7B00000-0x000002E2C8791000-memory.dmp

Filesize
12.6MB

Download
memory/2744-137-0x000002E2C7B00000-0x000002E2C8791000-memory.dmp

Filesize
12.6MB

Download
memory/2744-160-0x000002E2C8D50000-0x000002E2C8D51000-memory.dmp

Filesize
4KB

Download