cf1f27779dbe5a64dcdfd0b5d36dcea9858c0e2cd2b78e6e8aa759632c281ae5

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Source/RunAsTI.exe
Size

26KB
MD5

80454e70784f1ddb0c91d41469e2498d
SHA1

2f3f04ef670895de12cdfbae17c9d427e7caa97a
SHA256

a3e0ba70ba908de8a75825c3a1ff36147e02c686280993c2caa8a9a6968764b0
SHA512

709ed0fc9e2520a5beb57379e90be12cac680060b4c72ff50e9d9897f3a4d7a57f84b9be04b78974e6f6b73cda7202bfc617835cee3011eed7f0ee6f5e82edf7
SSDEEP

384:8ZKqqO+5wZY//IfBbSh2u3JZEV065fC7iwUUukfR3lacMWkNgWwCy2nYPLN:+tqN5YYUBmcu5C6HrNJUbgWwCZC

Score

3^/10

defense_evasion privilege_escalation

Malware Config

Signatures

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2448	RunAsTI.exe
2756	RunAsTI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2448	RunAsTI.exe
2756	RunAsTI.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	RunAsTI.exe
Token: SeAssignPrimaryTokenPrivilege	2448	RunAsTI.exe
Token: SeIncreaseQuotaPrivilege	2448	RunAsTI.exe
Token: SeDebugPrivilege	2756	RunAsTI.exe
Token: SeAssignPrimaryTokenPrivilege	2756	RunAsTI.exe
Token: SeIncreaseQuotaPrivilege	2756	RunAsTI.exe

C:\Users\Admin\AppData\Local\Temp\Source\RunAsTI.exe
"C:\Users\Admin\AppData\Local\Temp\Source\RunAsTI.exe"
1⤵
- Access Token Manipulation: Create Process with Token
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448
- C:\Users\Admin\AppData\Local\Temp\Source\RunAsTI.exe
  /t /t cmd.exe
  2⤵
  - Access Token Manipulation: Create Process with Token
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads