ba4f0f99a57739a9bc7612c95496305fda3afbfea012c9478a66299f69c650df

Analysis

max time kernel
140s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10/08/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rdp.exe
Size

261KB
MD5

c56cd6a873e360c58dc80796e1ff6cde
SHA1

49be32431f0e18d8266f0cc2e561a23aca092a0c
SHA256

ba4f0f99a57739a9bc7612c95496305fda3afbfea012c9478a66299f69c650df
SHA512

aaed7750d1207d04cd5726d79692bf09323352a6f3b9d4b5fd6c839531f2ea99f05dd85e443e4473398b52ebc753715b30e0731202861102d4cae4ac7f9c5fbe
SSDEEP

6144:xbDHWT8YkZRXn4X8PiAEiT4pLTpHn6H9Ll20kKqiySU:xbBXoxnaZQ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	rdp.exe
File opened (read-only)	\??\F:	rdp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2856	rdp.exe
2856	rdp.exe
2856	rdp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	rdp.exe

C:\Users\Admin\AppData\Local\Temp\rdp.exe
"C:\Users\Admin\AppData\Local\Temp\rdp.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2856-0-0x00007FFE671E3000-0x00007FFE671E5000-memory.dmp

Filesize
8KB

Download
memory/2856-1-0x0000000000EF0000-0x0000000000F36000-memory.dmp

Filesize
280KB

Download
memory/2856-2-0x00007FFE671E0000-0x00007FFE67CA2000-memory.dmp

Filesize
10.8MB

Download
memory/2856-4-0x00007FFE671E0000-0x00007FFE67CA2000-memory.dmp

Filesize
10.8MB

Download
memory/2856-3-0x000000001CE20000-0x000000001CE34000-memory.dmp

Filesize
80KB

Download
memory/2856-5-0x00007FFE671E0000-0x00007FFE67CA2000-memory.dmp

Filesize
10.8MB

Download
memory/2856-6-0x00007FFE671E0000-0x00007FFE67CA2000-memory.dmp

Filesize
10.8MB

Download
memory/2856-7-0x00007FFE671E0000-0x00007FFE67CA2000-memory.dmp

Filesize
10.8MB

Download
memory/2856-9-0x00007FFE671E0000-0x00007FFE67CA2000-memory.dmp

Filesize
10.8MB

Download