| File name: | RunAsTool.exe |
| Full analysis: | https://app.any.run/tasks/74010790-279e-494b-89da-18e8d413dfa9 |
| Verdict: | Malicious activity |
| Analysis date: | November 23, 2023, 18:53:35 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 899198029F9ADC45094652DC9A629A99 |
| SHA1: | 60D5169C227500A56DD5555ABAF951D996D4203C |
| SHA256: | 13DE2EC4FB18CA9311443A8EB5495226311EE8FC58487973950A13C7E0CCCF40 |
| SSDEEP: | 12288:XaWzgMg7v3qnCiNErQohh0F4jCJ8lnyGQutkCoSMf3hUP9GAr:qaHMv6C1rjfnyGQAkwm32FG6 |
MALICIOUS
Starts NET.EXE to view/add/change user profiles
- net.exe (PID: 3468)
- cmd.exe (PID: 3496)
- net.exe (PID: 3576)
- net.exe (PID: 3624)
- net.exe (PID: 3668)
SUSPICIOUS
No suspicious indicators.INFO
Reads mouse settings
- RunAsTool.exe (PID: 3196)
Reads the computer name
- RunAsTool.exe (PID: 3196)
Checks supported languages
- RunAsTool.exe (PID: 3196)
Manual execution by a user
- cmd.exe (PID: 3496)
Create files in a temporary directory
- RunAsTool.exe (PID: 3196)
Reads the time zone
- net1.exe (PID: 3480)
- net1.exe (PID: 3596)
- net1.exe (PID: 3664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2010:04:16 09:47:33+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 9 |
| CodeSize: | 524800 |
| InitializedDataSize: | 177664 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x16310 |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.5.0.0 |
| ProductVersionNumber: | 1.5.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Unknown |
| FileSubtype: | - |
| LanguageCode: | English (British) |
| CharacterSet: | Unicode |
| FileVersion: | 1.5.0.0 |
| Comments: | RunAs Tool |
| FileDescription: | RunAs Tool |
| LegalCopyright: | Copyright © 2015-2022 www.sordum.org All Rights Reserved. |
| Coder: | By BlueLife |
| CompanyName: | www.sordum.org |
| ProductVersion: | 1.5.0.0 |
| OriginalFileName: | RunAsTool.exe |
Total processes
44
Monitored processes
10
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3196 | "C:\Users\admin\Downloads\RunAsTool.exe" | C:\Users\admin\Downloads\RunAsTool.exe | — | explorer.exe | |||||||||||
User: admin Company: www.sordum.org Integrity Level: MEDIUM Description: RunAs Tool Exit code: 0 Version: 1.5.0.0 Modules
| |||||||||||||||
| 3424 | C:\Windows\system32\net1 user | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3468 | net user Administrator | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3480 | C:\Windows\system32\net1 user Administrator | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3496 | "C:\Windows\system32\cmd.exe" | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3576 | net user | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3596 | C:\Windows\system32\net1 user admin | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3624 | net user admin | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3664 | C:\Windows\system32\net1 user admin } | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3668 | net user admin } | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
168
Read events
168
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
3
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3196 | RunAsTool.exe | C:\Users\admin\AppData\Local\Temp\3b1c9z6r.tmp | text | |
MD5:603B9431AAC02883882DEC7A5A9F518D | SHA256:60734D71C7E8A3F4597CA9BCD2307668C65F71EE07C321A1A43A563BE48C47D5 | |||
| 3196 | RunAsTool.exe | C:\Users\admin\AppData\Local\Temp\aut6EAE.tmp | binary | |
MD5:CC59A138FF3954A2D0888D71CB12B3A1 | SHA256:A4A0D9FA41467D3C5BCA1A33AAA1F75EE9FA62064B05B5023401F32523C1EE6D | |||
| 3196 | RunAsTool.exe | C:\Users\admin\AppData\Local\Temp\aut6EAD.tmp | binary | |
MD5:64E3579ED74175DE5C10EE8F27DBF2FA | SHA256:97DCFBCC84F34BF03D3EAE1F70CC1C91476836F4AEE8CB9C38FF4E19734240AB | |||
| 3196 | RunAsTool.exe | C:\Users\admin\AppData\Local\Temp\aut6EAF.tmp | binary | |
MD5:FE971CFB8535AF5955F574609FD96D48 | SHA256:7D05ED3680FDE460C80A9E0DC0CD0DD814802C862B4CEB4AC20DABF9242EEABB | |||
| 3196 | RunAsTool.exe | C:\Users\admin\Downloads\RunAsTool.ini | text | |
MD5:9F4514CC8BFBFB5259EA027A0C2B5A7B | SHA256:69B2F9E7BDD363577C30AFEF09B0492E658C8E2A603BCF5FF8C330280BB379B8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |