It is unlikely that he put much effort into it. He was far more likely just running a bunch of scripts/tools created by someone else. And he was likely attacking RDP endpoints en-masse at the same time as attacking yours.

Also, he/she could well be living somewhere that where $300 a couple of times a month is a good living.