fc20fd159eea217fa8ba30309aef177ec00913007f42b325e6b7dd1f21a2f245

Analysis

max time kernel
600s
max time network
593s
platform
windows10-1703_x64
resource
win10-20240404-de
resource tags

arch:x64arch:x86image:win10-20240404-delocale:de-deos:windows10-1703-x64systemwindows
submitted
23-10-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rustdesk-1.3.1-x86_64.exe
Size

20.8MB
MD5

141be4755517fc72c9bb3bc4efaadbfb
SHA1

e460a4fe639730302d8718ff6d5f2b679b6502e6
SHA256

fc20fd159eea217fa8ba30309aef177ec00913007f42b325e6b7dd1f21a2f245
SHA512

4f223cda176d974882bb0647b2e32a90d3cd6fb5595423dda1fb442966977aa3e42c47a9c711bd36c8f1ba345ff596755c2ffcdcbdcd55f1940330239d2e322a
SSDEEP

393216:xWgm1PDyiqYWl07NAJkdzs297RK5OYyDCy8EVJNuVMTkD4A:xjm1Lytsae5I/ANuS8r

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3320	rustdesk.exe
4120	rustdesk.exe
4728	rustdesk.exe
4248	rustdesk.exe

Loads dropped DLL 56 IoCs

pid	Process
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
3320	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4728	rustdesk.exe
4728	rustdesk.exe
4728	rustdesk.exe
4728	rustdesk.exe
4728	rustdesk.exe
4728	rustdesk.exe
4728	rustdesk.exe
4728	rustdesk.exe
4728	rustdesk.exe
4728	rustdesk.exe
4728	rustdesk.exe
4728	rustdesk.exe
4728	rustdesk.exe
4248	rustdesk.exe
4248	rustdesk.exe
4248	rustdesk.exe
4248	rustdesk.exe
4248	rustdesk.exe
4248	rustdesk.exe
4248	rustdesk.exe
4248	rustdesk.exe
4248	rustdesk.exe
4248	rustdesk.exe
4248	rustdesk.exe
4248	rustdesk.exe
4248	rustdesk.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5016	icacls.exe
3468	icacls.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\rustdesk_rCURRENT.log	rustdesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
4100	taskkill.exe
3160	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3320	rustdesk.exe
4120	rustdesk.exe
4120	rustdesk.exe
4248	rustdesk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeDebugPrivilege	4120	rustdesk.exe
Token: SeDebugPrivilege	3160	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3320	rustdesk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3320	rustdesk.exe
3320	rustdesk.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 4100	2204	rustdesk-1.3.1-x86_64.exe	74
PID 2204 wrote to memory of 4100	2204	rustdesk-1.3.1-x86_64.exe	74
PID 2204 wrote to memory of 3320	2204	rustdesk-1.3.1-x86_64.exe	77
PID 2204 wrote to memory of 3320	2204	rustdesk-1.3.1-x86_64.exe	77
PID 3320 wrote to memory of 3468	3320	rustdesk.exe	78
PID 3320 wrote to memory of 3468	3320	rustdesk.exe	78
PID 3320 wrote to memory of 5016	3320	rustdesk.exe	79
PID 3320 wrote to memory of 5016	3320	rustdesk.exe	79
PID 3320 wrote to memory of 4120	3320	rustdesk.exe	82
PID 3320 wrote to memory of 4120	3320	rustdesk.exe	82
PID 3320 wrote to memory of 5000	3320	rustdesk.exe	83
PID 3320 wrote to memory of 5000	3320	rustdesk.exe	83
PID 3320 wrote to memory of 4728	3320	rustdesk.exe	84
PID 3320 wrote to memory of 4728	3320	rustdesk.exe	84
PID 5000 wrote to memory of 3160	5000	cmd.exe	87
PID 5000 wrote to memory of 3160	5000	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\rustdesk-1.3.1-x86_64.exe
"C:\Users\Admin\AppData\Local\Temp\rustdesk-1.3.1-x86_64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RuntimeBroker_rustdesk.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4100
- C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
  "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\system32\icacls.exe
    "icacls" C:\ProgramData\RustDesk /grant *S-1-1-0:(OI)(CI)F /T
    3⤵
    - Modifies file permissions
    PID:3468
- - C:\Windows\system32\icacls.exe
    "icacls" C:\ProgramData\RustDesk\shared_memory_portable_service /grant *S-1-1-0:(OI)(CI)F /T
    3⤵
    - Modifies file permissions
    PID:5016
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --portable-service
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
  - - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
      "C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --run-as-system
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:4248
- - C:\Windows\system32\cmd.exe
    "cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM RuntimeBroker_rustdesk.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3160
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --check-hwcodec-config
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RustDesk\shared_memory_portable_service

Filesize
23B

MD5
9176b875243c0cde3eb97e22a4ad7277

SHA1
a8e9a1beef803c4862e9b255a3780be766ac5f1f

SHA256
2090043cdcaf4869df59126cb353ab886e34efbbfd31f1e16956b16d237e1bc8

SHA512
38ee74022bf455493e7fcb87423a6673abd8c6b2b85edb0bd23e1fca5c6df732c397be8a1c258d7ddea48d31c81130bf5d25a595f86605ed168be23410823e0c

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\app.so

Filesize
11.9MB

MD5
0137d26bdb7328ef0665582699b31461

SHA1
9d8d39516c7b5085e159ff06ff9af63838f27f24

SHA256
690a5c2802c952c1c1fc846a3c96cd029de648e97606d3451807c05d1ffe2bfd

SHA512
4f802c2766785fe03c33a0da9ac81e6795c0946caf27589aace752ae43cb518f681677edb9b0c93899be102ca41aa858a212ff925b4920bbaea552c6fcda53be

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\icudtl.dat

Filesize
798KB

MD5
da48e432fe61f451154f0715b2a7b174

SHA1
51b6add0bbc4e0b5200b01deca5d009f1daf9f39

SHA256
65ea729083128dfce1c00726ba932b91aaaf5e48736b5644dd37478e5f2875ac

SHA512
5af9c1e43b52536272a575ca400a9eee830a8fcecb83bb1a490515851bef48957d8de669b9f77b8614eb586838af23385e1afce622edb82a90ec7549f882d381

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\desktop_drop_plugin.dll

Filesize
316KB

MD5
ea772698fa6169aa5e68d74ba947a6ba

SHA1
3f9b0a8da21945dd9f27436b3af60c64f7340d36

SHA256
77485880ea8b85bef96439de30eb409831adb74e7c39fe07332657ca2829c789

SHA512
069e9dfedc477a407acf9270a886884aeeb50327aa2bc340cab517b2314d6dbca2c712b3b7a9a669a471886d3188d9cea3229e6771b9949f8f7c50186727eb63

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\file_selector_windows_plugin.dll

Filesize
340KB

MD5
94d93801a592b1771f6a9f2aecaeb295

SHA1
db95a4622a8223beaa1a519b00131a108fe776b6

SHA256
92046e216841a3cb533d62e74463ef31b0201e8c6bfe86e698a9708f9a101853

SHA512
0034e63fb445f1cd5a0aa51766105fb702469d784332ffa1b93b1d4d815b049e0550d5556e547c336bd5ea9e4d962ea18f9faeb9ef3abd18dd9452e2c8ad419d

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\flutter_gpu_texture_renderer_plugin.dll

Filesize
339KB

MD5
9042c38a7c9e19f62424be56d2df4034

SHA1
198483afa1bf494d354a4c0ac730672bd6b347f1

SHA256
a34f4f7c51b97c2f23459e1fe4eba9c64aee2d891a7a87c5d516fcd05187651e

SHA512
ac6fffd419b5b280eeb5c2e475ef07d42a8a2bbcd8ae1554e5e18ec56ab091bdeb1119ea2309b6ec178d2a43b0ddfa09552967f8ad3e451367c9e36213d45cdc

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\librustdesk.dll

Filesize
28.9MB

MD5
03b2dde092f5ed1aef5b393448457421

SHA1
c85b91d08ae9325c8d16c74900ce185b620378e3

SHA256
ace05fcf9eb002be7d2dbdb5fad135610428344b15c722f38b136e84f5a36ac1

SHA512
4773951a702e90af7e42bde251f3504f1d0123d71ddc184c50c0a40e5a3c631cd792c6bfcab337be9631756d34ef4212d9a863cb6e551558b764ce368ea018bc

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe

Filesize
260KB

MD5
b720a786b6b1d86cde5d20075cfaa80d

SHA1
8b59f7f0929f596b5d110757b996bee45e914e64

SHA256
402bd9766da3101a56a0be1f730760f1429d006b2b664322f9b5f010b0e0c887

SHA512
27a152818ee6ce970e8dff791d1d1c8e4785f87232a077ff029a55aa44b9c27b210d7f1c0bf8da5c89a12f9dcbbba90c5225bd7e7e4de5a3deaf10f017d224fd

Download Submit
\Users\Admin\AppData\Local\rustdesk\desktop_multi_window_plugin.dll

Filesize
391KB

MD5
2c3eab74536dfb70d8d990b09343685b

SHA1
40187d865137f49e27ed832c4b8b624dfae44851

SHA256
fc81d07d452aff704fae1b0ee2246fb8692bdf8ad0cb20e528d73cc576be0e4c

SHA512
cc3400275680b09f59cfdc3cd276f6afc27f4191b9c93515ae24908e825ebefe0ac13e027845e25cd3779685c49a41516ed2190108d836aa909ed05dae570e5d

Download Submit
\Users\Admin\AppData\Local\rustdesk\flutter_custom_cursor_plugin.dll

Filesize
308KB

MD5
05e0c5d98e60a6c9cf046b6d685784fc

SHA1
3596279d829ea057af11c5092fe26abd9074b08a

SHA256
988918da0b4aaf2b7e6fadd422dea34b6c9753109289195c63425b263e8c3bb8

SHA512
a4d53490b47bf6e34d0b129672c37d3aff1527e9fda2c7bb1b707229ac947a0528304a68d82c7bb668310294ca33010a950a051cc61de417731c6124e35bcff1

Download Submit
\Users\Admin\AppData\Local\rustdesk\flutter_windows.dll

Filesize
17.2MB

MD5
751485cb3e17775d24beff211ead4b95

SHA1
a9819e44e05d375b9c1aa5b155681eb3f243b1af

SHA256
b72c3bfd095ab305114599b4b5bc611499c085247ba9f5dab7a366d791d21a25

SHA512
b026565660a19c5ad3b098eb74307d756b6d09e90ce26eb8b3bb5a579a996f0bf4c991bf575c8c5363d0cb0e68fa57b2294c044d35b4f88b542edd8ee4d02278

Download Submit
\Users\Admin\AppData\Local\rustdesk\screen_retriever_plugin.dll

Filesize
535KB

MD5
b8b4285c90991d268c0e2e64a84239d9

SHA1
7001ef4df83b0fa5e195159e2415c6f2dde1465e

SHA256
3f128268915493aaafbccfcd4f1c342c4f74548260857099fc469d7237a0a61f

SHA512
a5166d55641f8a49a9c1b9557549e4953e4b42f632a9e0aa82b82fb64a7d7a97b425ce2d7a0ff3d8ec70d094d917e92e133c3f140d3051019d2ee84843912dfa

Download Submit
\Users\Admin\AppData\Local\rustdesk\texture_rgba_renderer_plugin.dll

Filesize
318KB

MD5
a3c631f16f5a757e90a77439b71cd66a

SHA1
5f54fb7db791f2a12188b8d6eb8409a7f92735aa

SHA256
e254e9eec315ee75a49a7c8c64f6f84824ef1987d700acee3f82fc6c533e0df4

SHA512
821c8af5d7686cdaecc7afbc692b7ef22e36944554c58b919cad636a05c12c875b27a1bc227d766692cbbb7aa19145b669335360d8b792619e09265dbd55e35a

Download Submit
\Users\Admin\AppData\Local\rustdesk\uni_links_desktop_plugin.dll

Filesize
533KB

MD5
376649d042211c8cb0ac44b5e6903cf4

SHA1
e3103b66352a8b138fa9a7d4c2c906a9f65c0719

SHA256
ba4ae2b2d47bf50ed4fe246c4ca2a2421b4bba813bf5f86b4edf4f24feb00f4b

SHA512
55e28fb26df7beff3bc06792a33246804cee28c61cb7d6ec263bf4e13856e3ab05e7c88f84bd11df948d85eb63344a8b5b02d45c0f1db0fdb2600ec0dd1b4117

Download Submit
\Users\Admin\AppData\Local\rustdesk\url_launcher_windows_plugin.dll

Filesize
318KB

MD5
4cae4f585209718154c46af73af1fe70

SHA1
56278b0e5779bbbfc77e0d86060ef42406d3bf24

SHA256
d2cda4598f2733f4341b91a78612f9598762d1d69ef36d5b0df4adea8649af3e

SHA512
c818794ae58290b699258de812370f2b199dab5a6bcb346793b4266f5a023fe15e32760966c12e18b8d3fab3a3b8bba2bef6b751c0e54c63448203128faa2b82

Download Submit
\Users\Admin\AppData\Local\rustdesk\window_manager_plugin.dll

Filesize
578KB

MD5
4255c58bc699f6ac7c8b096805d23666

SHA1
94bdfb6fcd1b4004c10d79f2b054a22678df10fd

SHA256
944bd554957680277b649f9eb87af9335737aba31b0b4457f027c8933bd10ffa

SHA512
ffa4643154938663aa70cc020733704c69e6f31de5d2389bf495fdb2d9daa778fe59f6a429169422d615cca0fbab7a6023ec0b29d297f076cc20e57b2f9403d4

Download Submit
\Users\Admin\AppData\Local\rustdesk\window_size_plugin.dll

Filesize
529KB

MD5
fe623217cab7bad77736461a9634af9c

SHA1
4e51b7460016137c0ceeb9158dd730cce2dcee09

SHA256
4113a493ff58578dbc1e867b23363289c3de3f4592009a2976e350b76f4648de

SHA512
b57a07c1e14d9a307d94c0ac6b92594dc7c25fd5069f9bcc62844f5fa1c11a290bfbd6850b5374875c03936a86f87385db65ebea508c3c7a6ec3609b7bb33d13

Download Submit
memory/3320-152-0x0000027ACFAD0000-0x0000027ACFAD1000-memory.dmp

Filesize
4KB

Download
memory/3320-169-0x0000027ACFB10000-0x0000027ACFB11000-memory.dmp

Filesize
4KB

Download
memory/3320-153-0x0000027AD1E10000-0x0000027AD29FD000-memory.dmp

Filesize
11.9MB

Download
memory/3320-154-0x0000027AD1E10000-0x0000027AD29FD000-memory.dmp

Filesize
11.9MB

Download
memory/3320-156-0x0000027AD1E10000-0x0000027AD29FD000-memory.dmp

Filesize
11.9MB

Download