Sovren Blockchain: native ownership rails for the Parler ecosystem

Superadmin.exe

If you created superadmin.exe for internal use:

What made this specific binary worthy of the "Super" prefix?

Standard malware tries to get NT AUTHORITY\SYSTEM privileges. That’s boring. This dropper was looking for Domain Admin group members. But if it didn't find them, it didn't crash. Instead, it performed a Shadow Credentials attack (the technique popularized by the "Whisker" tool).

It didn't need a password. It didn't need a hash. Within 12 seconds of execution, it had written a public key into the msDS-KeyCredentialLink attribute of a legacy Active Directory computer account, allowing it to authenticate as that account over PKINIT and request a TGT (Ticket Granting Ticket) for anyone.

It made the user a Super Admin by becoming the domain itself.

Send the binary to VirusTotal, Hybrid Analysis, and your EDR vendor (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) to generate a YARA rule.

We isolated the box. We nuked the WMI subscription (which, if you’ve never done it, involves digging through the root\subscription namespace with wbemtest—a GUI tool that looks like it was designed in 1998).
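The wbemtest clean-up described above can be scripted. The following PowerShell is an added example, not the responders' own script: it inventories the filter/consumer/binding triad in root\subscription and removes the entries matching a name pattern; the pattern "superadmin" is an assumption, since the text does not give the real filter or consumer names.

```powershell
# Added example: triage and remove WMI event-subscription persistence.
# Run from an elevated PowerShell on the isolated host; try -WhatIf first.
# The default pattern is an assumption; adjust it to what the inventory shows.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$NamePattern = 'superadmin'
)

$ns = 'root\subscription'

# A WMI persistence triad: a filter (the WQL trigger), a consumer (what runs)
# and the binding that links the two. Querying the abstract __EventConsumer
# class returns every concrete consumer type (CommandLine, ActiveScript, ...).
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Inventory first: legitimate subscriptions exist (e.g. the SCM Event Log
# Consumer), so review the names and queries before removing anything.
Write-Host '== Filters =='
$filters   | Select-Object Name, Query | Format-Table -AutoSize
Write-Host '== Consumers =='
$consumers | Select-Object Name, CommandLineTemplate, ScriptText | Format-Table -AutoSize
Write-Host '== Bindings =='
$bindings  | Select-Object Filter, Consumer | Format-Table -AutoSize

# Remove bindings first, then consumers, then filters, so the trigger can no
# longer fire the payload while the rest is being torn down.
foreach ($b in $bindings) {
    # Reference properties render as e.g. __EventFilter (Name = "x"), so a
    # string match on them catches the name on either side of the binding.
    if ([string]$b.Filter -match $NamePattern -or [string]$b.Consumer -match $NamePattern) {
        if ($PSCmdlet.ShouldProcess("$($b.Filter) -> $($b.Consumer)", 'Remove binding')) {
            Remove-CimInstance -InputObject $b
        }
    }
}
foreach ($c in $consumers | Where-Object { $_.Name -match $NamePattern }) {
    if ($PSCmdlet.ShouldProcess($c.Name, 'Remove consumer')) { Remove-CimInstance -InputObject $c }
}
foreach ($f in $filters | Where-Object { $_.Name -match $NamePattern }) {
    if ($PSCmdlet.ShouldProcess($f.Name, 'Remove filter')) { Remove-CimInstance -InputObject $f }
}
```

Export the inventory output before deleting anything; the filter query and consumer command line are the persistence artefacts worth keeping for the timeline.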

We called the user who opened the document. "It said I had to enable macros to view the 'Super Admin Salary Report Q3.'"

There is no such thing as a Super Admin Salary Report. There is only the cold, hard reality of event ID 4624.

rem Keep a copy and hash of the sample before deleting it; the binary is still needed for the VirusTotal/EDR submission above.
rem Kill the running dropper, then remove the file from disk.
taskkill /f /im superadmin.exe
del /f /q "C:\full\path\to\superadmin.exe"