Resubmissions
08-11-2024 14:28  241108-rsz24atfqk  6
24-10-2024 06:44  241024-hhl8taxepf  1
23-10-2024 13:25  241023-qpfnlsthpm  6

Analysis
max time kernel: 842s
max time network: 843s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-11-2024 14:28
Static task: static1
Behavioral task: behavioral1
  Sample: AWS Secure Data Exchange - Compliance Check.rdp
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: AWS Secure Data Exchange - Compliance Check.rdp
  Resource: win10v2004-20241007-en
General
Target: AWS Secure Data Exchange - Compliance Check.rdp
Size: 14KB
MD5: e1d7de6979c84a2ccaa2aba993634c48
SHA1: f6fd182b93e54a3015b7d62a1a68554f9e2450e8
SHA256: 648afcc709ac18c4fe235d24bf51a8230e9700b97c3dcc0a739816966f2b58b6
SHA512: 7aeda74ef4ec0edaa94438fdb3f14114ba9b59c9f42d1abc208038684683cdc6616cb1125e869a34ec5d92db839e7ef6f9f814d781fb8dda8612b82487f2ba27
SSDEEP: 192:5LMVj0bf1gnx81liTNwxYorSEZo8/eVLYOauXozHgOjSzM2owMxnt93w97S3:uVjnnx81lmaxYmo8eVLYL7A6+Pyg9O3
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by mstsc.exe: \??\X:, \??\Y:, \??\G:, \??\N:, \??\S:, \??\T:, \??\M:, \??\U:, \??\Z:, \??\B:, \??\H:, \??\J:, \??\L:, \??\R:, \??\V:, \??\A:, \??\K:, \??\O:, \??\P:, \??\E:, \??\I:, \??\Q:, \??\W:
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
  Key created by rundll32.exe: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  PID 2688 mstsc.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 2340 rundll32.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2688 mstsc.exe
  PID 1568 NOTEPAD.EXE
Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 2688 mstsc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2856 wrote to memory of 2660 | 2856 | cmd.exe | 31
  PID 2856 wrote to memory of 2660 | 2856 | cmd.exe | 31
  PID 2856 wrote to memory of 2660 | 2856 | cmd.exe | 31
  PID 2340 wrote to memory of 1568 | 2340 | rundll32.exe | 38
  PID 2340 wrote to memory of 1568 | 2340 | rundll32.exe | 38
  PID 2340 wrote to memory of 1568 | 2340 | rundll32.exe | 38
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\AWS Secure Data Exchange - Compliance Check.rdp"
  PID: 2856
  Signatures: Suspicious use of WriteProcessMemory
  Child: C:\Windows\system32\mstsc.exe
    Command line: "mstsc.exe" "C:\Users\Admin\AppData\Local\Temp\AWS Secure Data Exchange - Compliance Check.rdp"
    PID: 2660

C:\Windows\system32\mstsc.exe
  Command line: C:\Windows\system32\mstsc.exe -Embedding
  PID: 2688
  Signatures: Enumerates connected drives; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2532

C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AWS Secure Data Exchange - Compliance Check.rdp
  PID: 2340
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of WriteProcessMemory
  Child: C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\AWS Secure Data Exchange - Compliance Check.rdp
    PID: 1568
    Signatures: Suspicious use of FindShellTrayWindow