Analysis
-
max time kernel
7s -
max time network
126s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
21-09-2020 10:06
Static task
static1
Behavioral task
behavioral1
Sample
RegAsm-Cleaned.bin.exe
Resource
win7v200722
0 signatures
0 seconds
General
-
Target
RegAsm-Cleaned.bin.exe
-
Size
593KB
-
MD5
916740096f7fb73f2e2b8ee87deaf675
-
SHA1
90bf01fafbd4353f295ba7987436a1950a138152
-
SHA256
557f4c234d26b35a5b4a65357b1b05b84e3ece6c59fcb265083b1545343bc854
-
SHA512
133d638202f19737700ab8d7aecb50d54ff3b0fe92def121c5125b43d2c01a2bf6c70172b0bb68341d97b1fa904378c5dff5115325a6aae6f46f552ff2cf16c5
Score
6/10
Malware Config
Signatures
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2016 1456 WerFault.exe RegAsm-Cleaned.bin.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 2016 WerFault.exe 2016 WerFault.exe 2016 WerFault.exe 2016 WerFault.exe 2016 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
RegAsm-Cleaned.bin.exeWerFault.exedescription pid process Token: SeDebugPrivilege 1456 RegAsm-Cleaned.bin.exe Token: SeDebugPrivilege 2016 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
RegAsm-Cleaned.bin.exedescription pid process target process PID 1456 wrote to memory of 2016 1456 RegAsm-Cleaned.bin.exe WerFault.exe PID 1456 wrote to memory of 2016 1456 RegAsm-Cleaned.bin.exe WerFault.exe PID 1456 wrote to memory of 2016 1456 RegAsm-Cleaned.bin.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RegAsm-Cleaned.bin.exe"C:\Users\Admin\AppData\Local\Temp\RegAsm-Cleaned.bin.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1456 -s 17562⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1456-0-0x000007FEF6800000-0x000007FEF71EC000-memory.dmpFilesize
9.9MB
-
memory/1456-1-0x0000000000D70000-0x0000000000D71000-memory.dmpFilesize
4KB
-
memory/1456-3-0x0000000002210000-0x0000000002280000-memory.dmpFilesize
448KB
-
memory/2016-4-0x0000000000000000-mapping.dmp
-
memory/2016-5-0x0000000001F40000-0x0000000001F51000-memory.dmpFilesize
68KB
-
memory/2016-6-0x0000000002AF0000-0x0000000002B01000-memory.dmpFilesize
68KB