77b56700bf5d1cc5530d72d4800825b46d719fff11b36f2a02305e89cb2e48e7

Analysis

max time kernel
148s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04/09/2024, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobeGenP.exe
Size

1.2MB
MD5

2775c961fa031d03825179c4e7749f3d
SHA1

7ba13448cabdae6c9573ed95fba841a10b687cc9
SHA256

77b56700bf5d1cc5530d72d4800825b46d719fff11b36f2a02305e89cb2e48e7
SHA512

2aa0d8274fe1317d432666c11af87b6ec0826fabee3ea94f9cf9475c4cc255a2dd138db607da9db475a5eacc495c525dec86eac7af2f25fab1c708dfb7bf993c
SSDEEP

24576:7rORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaCHeqtGfw7O:72EYTb8atv1orq+pEiSDTj1VyvBaCHeq

Score

7^/10

defense_evasion privilege_escalation

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4516	RunAsTI.exe
4328	RunAsTI.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4516	RunAsTI.exe
4328	RunAsTI.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4516	RunAsTI.exe
4516	RunAsTI.exe
4328	RunAsTI.exe
4328	RunAsTI.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4516	RunAsTI.exe
Token: SeAssignPrimaryTokenPrivilege	4516	RunAsTI.exe
Token: SeIncreaseQuotaPrivilege	4516	RunAsTI.exe
Token: SeDebugPrivilege	4328	RunAsTI.exe
Token: SeAssignPrimaryTokenPrivilege	4328	RunAsTI.exe
Token: SeIncreaseQuotaPrivilege	4328	RunAsTI.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 4516	3080	AdobeGenP.exe	73
PID 3080 wrote to memory of 4516	3080	AdobeGenP.exe	73

C:\Users\Admin\AppData\Local\Temp\AdobeGenP.exe
"C:\Users\Admin\AppData\Local\Temp\AdobeGenP.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\Temp\RunAsTI.exe
  C:\Windows\Temp\RunAsTI.exe "C:\Users\Admin\AppData\Local\Temp\AdobeGenP.exe"
  2⤵
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- - C:\Windows\Temp\RunAsTI.exe
    /t /t C:\Users\Admin\AppData\Local\Temp\AdobeGenP.exe
    3⤵
    - Executes dropped EXE
    - Access Token Manipulation: Create Process with Token
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
6KB

MD5
eced1675be4e760362325cea0df7b4a3

SHA1
3416f40c117b8d63489a1fd69d7c1854daf213b4

SHA256
cd95b22ff63207cd4182d9f9a50a700739dfcaedb0589e02c677c00bb8077a0a

SHA512
2821e612d45273d1c8e59380a382c2a03a90aa2c310b7ad07fa1fd434286913b85fcb1a01bb58019f5093c74f4a773f7cbd8e5a37bd875bbe4e9081139f006a1

Download Submit
C:\Windows\Temp\RunAsTI.exe

Filesize
26KB

MD5
80454e70784f1ddb0c91d41469e2498d

SHA1
2f3f04ef670895de12cdfbae17c9d427e7caa97a

SHA256
a3e0ba70ba908de8a75825c3a1ff36147e02c686280993c2caa8a9a6968764b0

SHA512
709ed0fc9e2520a5beb57379e90be12cac680060b4c72ff50e9d9897f3a4d7a57f84b9be04b78974e6f6b73cda7202bfc617835cee3011eed7f0ee6f5e82edf7

Download Submit