Analysis
- max time kernel: 27s
- max time network: 152s
- platform: windows10_x64
- resource: win10
- submitted: 21-09-2020 10:06
Static task: static1
Behavioral task: behavioral1
Sample: RegAsm-Cleaned.bin.exe
Resource: win7v200722
General
- Target: RegAsm-Cleaned.bin.exe
- Size: 593KB
- MD5: 916740096f7fb73f2e2b8ee87deaf675
- SHA1: 90bf01fafbd4353f295ba7987436a1950a138152
- SHA256: 557f4c234d26b35a5b4a65357b1b05b84e3ece6c59fcb265083b1545343bc854
- SHA512: 133d638202f19737700ab8d7aecb50d54ff3b0fe92def121c5125b43d2c01a2bf6c70172b0bb68341d97b1fa904378c5dff5115325a6aae6f46f552ff2cf16c5
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    7     api.ipify.org
    8     api.ipify.org
    11    ip-api.com
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid   process
    2668  timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    720   RegAsm-Cleaned.bin.exe
    720   RegAsm-Cleaned.bin.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  720   RegAsm-Cleaned.bin.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process                 target process
    PID 720 wrote to memory of 2068   720   RegAsm-Cleaned.bin.exe  cmd.exe
    PID 720 wrote to memory of 2068   720   RegAsm-Cleaned.bin.exe  cmd.exe
    PID 2068 wrote to memory of 2668  2068  cmd.exe                 timeout.exe
    PID 2068 wrote to memory of 2668  2068  cmd.exe                 timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\RegAsm-Cleaned.bin.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RegAsm-Cleaned.bin.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp45C9.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (depth 3)
      Command line: timeout 4
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp45C9.tmp.bat
  MD5: c6ba3c4189afcf38bb047b43eaccda24
  SHA1: c2574100e19f96c78f2100e08adff3028f1bea1a
  SHA256: 8cf6bb078e819c00b0a620e47e4a0ce76351c1fc13ad472393aa7813d5d21b65
  SHA512: 17b6a8dbc0d874ed2989e1ea93587ee0b150db00fcbf29a1393c5590d5c3e361a02bbf904c36714d6758996cf57de040c64ac640552e66cd3b76faa10cf4c2da
- memory/720-0-0x00007FFFBC9F0000-0x00007FFFBD3DC000-memory.dmp
  Filesize: 9.9MB
- memory/720-1-0x00000126D0C40000-0x00000126D0C41000-memory.dmp
  Filesize: 4KB
- memory/720-3-0x00000126D2990000-0x00000126D2A00000-memory.dmp
  Filesize: 448KB
- memory/2068-4-0x0000000000000000-mapping.dmp
- memory/2668-6-0x0000000000000000-mapping.dmp