Analysis

- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12/09/2024, 02:55
Static task: static1

Behavioral tasks:
- behavioral1: Sample Release/AdobeGenP-3.4.0.exe, Resource win7-20240903-en
- behavioral2: Sample Release/AdobeGenP-3.4.0.exe, Resource win10v2004-20240802-en
- behavioral3: Sample Source/AdobeGenP-3.4.0.ps1, Resource win7-20240708-en
- behavioral4: Sample Source/AdobeGenP-3.4.0.ps1, Resource win10v2004-20240802-en
- behavioral5: Sample Source/RunAsTI.exe, Resource win7-20240903-en
- behavioral6: Sample Source/RunAsTI.exe, Resource win10v2004-20240802-en
- behavioral7: Sample 缘本初见︱分享实用好软件!ʷʷʷ.⁵²ʸᵇᶜʲ.ᶜᵒᵐ.url, Resource win7-20240903-en
- behavioral8: Sample 缘本初见︱分享实用好软件!ʷʷʷ.⁵²ʸᵇᶜʲ.ᶜᵒᵐ.url, Resource win10v2004-20240802-en
General

- Target: Source/RunAsTI.exe
- Size: 26KB
- MD5: 80454e70784f1ddb0c91d41469e2498d
- SHA1: 2f3f04ef670895de12cdfbae17c9d427e7caa97a
- SHA256: a3e0ba70ba908de8a75825c3a1ff36147e02c686280993c2caa8a9a6968764b0
- SHA512: 709ed0fc9e2520a5beb57379e90be12cac680060b4c72ff50e9d9897f3a4d7a57f84b9be04b78974e6f6b73cda7202bfc617835cee3011eed7f0ee6f5e82edf7
- SSDEEP: 384:8ZKqqO+5wZY//IfBbSh2u3JZEV065fC7iwUUukfR3lacMWkNgWwCy2nYPLN:+tqN5YYUBmcu5C6HrNJUbgWwCZC
Malware Config

Signatures

- Access Token Manipulation: Create Process with Token (1 TTPs, 2 IoCs)
  pid 2448 RunAsTI.exe
  pid 2756 RunAsTI.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2448 RunAsTI.exe
  pid 2756 RunAsTI.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, pid 2448 RunAsTI.exe
  Token: SeAssignPrimaryTokenPrivilege, pid 2448 RunAsTI.exe
  Token: SeIncreaseQuotaPrivilege, pid 2448 RunAsTI.exe
  Token: SeDebugPrivilege, pid 2756 RunAsTI.exe
  Token: SeAssignPrimaryTokenPrivilege, pid 2756 RunAsTI.exe
  Token: SeIncreaseQuotaPrivilege, pid 2756 RunAsTI.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Source\RunAsTI.exe (PID 2448)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Source\RunAsTI.exe"
  - Access Token Manipulation: Create Process with Token
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\Source\RunAsTI.exe (PID 2756, child of PID 2448)
    Command line: /t /t cmd.exe
    - Access Token Manipulation: Create Process with Token
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken