bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea

General

Target

bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe
Size

47KB
MD5

268c50b286c5e44c889b6c5489e9d337
SHA1

addbcadf2d4b2d59ff434deed3ce5605ec7dd35e
SHA256

bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea
SHA512

71c240d4598131e1f78ae09042b7e4883713d5b94001cf3634543941e1cffa3efa8890d3c75d8b10f9ec368e3c4fb27fdd929228120ad1eaaff32159fa8a25f6

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe

description	pid	process	target process
PID 1908 set thread context of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exeRegAsm.exe

pid	process
1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe
1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe
Token: SeDebugPrivilege	1636	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1636 RegAsm.exe
1636 RegAsm.exe

pid	process
1636	RegAsm.exe
1636	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exeRegAsm.exe

description	pid	process	target process
PID 1908 wrote to memory of 1616	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1616	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1616	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1616	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1616	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1616	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1616	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1908 wrote to memory of 1636	1908	bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe	RegAsm.exe
PID 1636 wrote to memory of 616	1636	RegAsm.exe	cmstp.exe
PID 1636 wrote to memory of 616	1636	RegAsm.exe	cmstp.exe
PID 1636 wrote to memory of 616	1636	RegAsm.exe	cmstp.exe
PID 1636 wrote to memory of 616	1636	RegAsm.exe	cmstp.exe
PID 1636 wrote to memory of 616	1636	RegAsm.exe	cmstp.exe
PID 1636 wrote to memory of 616	1636	RegAsm.exe	cmstp.exe
PID 1636 wrote to memory of 616	1636	RegAsm.exe	cmstp.exe

C:\Users\Admin\AppData\Local\Temp\bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe
"C:\Users\Admin\AppData\Local\Temp\bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\ysm4ghc5.inf
3⤵
PID:616

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp\ysm4ghc5.inf
MD5
a7875c854c7284ef6ee9061e7528e133

SHA1
8d733ba8674dc2a7d4a12a024d828966141e1ef8

SHA256
c6a67fc3593d7f00dd2204a9b3fe5aeeca6bda1362f34a834316602b9042d77d

SHA512
06093f68492363892c27ac7b7129b64fa1a35e446c526ec459bef411f81d8b12633d8b3508da0cd957736185e7aec7210e770cc8f71789109b5f97f9926a4174

Download Submit
memory/616-63-0x0000000000000000-mapping.dmp

Download
memory/1636-57-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1636-58-0x0000000000408F5E-mapping.dmp

Download
memory/1636-59-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download
memory/1636-60-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1636-62-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/1636-66-0x0000000004C95000-0x0000000004CA6000-memory.dmp

Filesize
68KB

Download
memory/1908-53-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1908-55-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/1908-56-0x0000000001EC0000-0x0000000001ECB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads