cf1f27779dbe5a64dcdfd0b5d36dcea9858c0e2cd2b78e6e8aa759632c281ae5

Analysis

max time kernel
93s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Source/RunAsTI.exe
Size

26KB
MD5

80454e70784f1ddb0c91d41469e2498d
SHA1

2f3f04ef670895de12cdfbae17c9d427e7caa97a
SHA256

a3e0ba70ba908de8a75825c3a1ff36147e02c686280993c2caa8a9a6968764b0
SHA512

709ed0fc9e2520a5beb57379e90be12cac680060b4c72ff50e9d9897f3a4d7a57f84b9be04b78974e6f6b73cda7202bfc617835cee3011eed7f0ee6f5e82edf7
SSDEEP

384:8ZKqqO+5wZY//IfBbSh2u3JZEV065fC7iwUUukfR3lacMWkNgWwCy2nYPLN:+tqN5YYUBmcu5C6HrNJUbgWwCZC

Score

3^/10

defense_evasion privilege_escalation

Malware Config

Signatures

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2816	RunAsTI.exe
4836	RunAsTI.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2816	RunAsTI.exe
2816	RunAsTI.exe
4836	RunAsTI.exe
4836	RunAsTI.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	RunAsTI.exe
Token: SeAssignPrimaryTokenPrivilege	2816	RunAsTI.exe
Token: SeIncreaseQuotaPrivilege	2816	RunAsTI.exe
Token: SeDebugPrivilege	4836	RunAsTI.exe
Token: SeAssignPrimaryTokenPrivilege	4836	RunAsTI.exe
Token: SeIncreaseQuotaPrivilege	4836	RunAsTI.exe

C:\Users\Admin\AppData\Local\Temp\Source\RunAsTI.exe
"C:\Users\Admin\AppData\Local\Temp\Source\RunAsTI.exe"
1⤵
- Access Token Manipulation: Create Process with Token
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816
- C:\Users\Admin\AppData\Local\Temp\Source\RunAsTI.exe
  /t /t cmd.exe
  2⤵
  - Access Token Manipulation: Create Process with Token
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads