Managed XDR

rdv.exe (Apocalypse, Hive) — malware analysis report

File info

Filename: rdv.exe
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size: 2.2 MB
First seen:
Last seen:

Environment

w10/x86 en

Hashes

SHA1: eaa840246c6aa24e34e293e560e145c5514b4239
SHA256: bfee405cd72f782953c3937198d3beb0ea237ad8dee3ef105f7b3aab83bdb656
MD5: b2d88e4f06cdd0d25fd415c72178387a

Malware

  • Apocalypse
  • Hive

Signatures

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070.004 deletes_self: Moves to different location or removes the original executable file
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1027.001 static_overlay_padding: Overlay contents padding
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1057 process_interest: Enumerates processes

Impact

T1486 ransomware_files: BasilisqueLocker ransomware indicators detected (creates keys and the instructions on how to unlock the files)
T1486 ransomware_files_2: Apocalypse ransomware indicators detected (creates keys and the instructions on how to unlock the files)
T1489 service_control_stop: Stops services via ControlService

Other

hive: Detected Hive ransomware
yara_rules: Static rules
no_graphical_activity: No graphical activity
create_rpc_bindings: Creates RPC connection
writes_data: Writes a large amount of data to disk
pe_overlay: PE file contains overlay
