Analysis
-
max time kernel
66s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-04-2022 02:29
Static task
static1
Behavioral task
behavioral1
Sample
8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe
Resource
win10v2004-20220414-en
General
-
Target
8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe
-
Size
921KB
-
MD5
40f39933c67ea2045c887db44e9ba666
-
SHA1
611422b9d996fe8e6070fd107412cb61efbef483
-
SHA256
8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2
-
SHA512
363cd33c4ed51d8d8aa89c506f7392ec921479a2a3a010af1c48917e82be5166c9c09ba817aad417dff7e62e17ceef9d173899ff0c706ff18e3e3e10b74c26bc
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
RegAsm.exepid process 1724 RegAsm.exe -
Processes:
resource yara_rule behavioral1/memory/1724-61-0x0000000000090000-0x0000000000186000-memory.dmp upx behavioral1/memory/1724-63-0x0000000000090000-0x0000000000186000-memory.dmp upx -
Loads dropped DLL 2 IoCs
Processes:
8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exepid process 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exedescription pid process target process PID 2016 set thread context of 1724 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exepid process 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exedescription pid process Token: SeDebugPrivilege 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe Token: SeTakeOwnershipPrivilege 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe Token: SeRestorePrivilege 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exedescription pid process target process PID 2016 wrote to memory of 1724 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe RegAsm.exe PID 2016 wrote to memory of 1724 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe RegAsm.exe PID 2016 wrote to memory of 1724 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe RegAsm.exe PID 2016 wrote to memory of 1724 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe RegAsm.exe PID 2016 wrote to memory of 1724 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe RegAsm.exe PID 2016 wrote to memory of 1724 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe RegAsm.exe PID 2016 wrote to memory of 1724 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe RegAsm.exe PID 2016 wrote to memory of 1724 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe RegAsm.exe PID 2016 wrote to memory of 1724 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe RegAsm.exe PID 2016 wrote to memory of 1724 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe RegAsm.exe PID 2016 wrote to memory of 1724 2016 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe"C:\Users\Admin\AppData\Local\Temp\8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exeFilesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
\Users\Admin\AppData\Local\Temp\RegAsm.exeFilesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
\Users\Admin\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dllFilesize
94KB
MD514ff402962ad21b78ae0b4c43cd1f194
SHA1f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
memory/1724-60-0x0000000000090000-0x0000000000186000-memory.dmpFilesize
984KB
-
memory/1724-61-0x0000000000090000-0x0000000000186000-memory.dmpFilesize
984KB
-
memory/1724-63-0x0000000000090000-0x0000000000186000-memory.dmpFilesize
984KB
-
memory/1724-65-0x00000000004F4AE0-mapping.dmp
-
memory/2016-54-0x0000000001290000-0x000000000137C000-memory.dmpFilesize
944KB
-
memory/2016-55-0x0000000000A50000-0x0000000000A7A000-memory.dmpFilesize
168KB
-
memory/2016-56-0x0000000000B20000-0x0000000000B3C000-memory.dmpFilesize
112KB
-
memory/2016-58-0x0000000075560000-0x00000000755E0000-memory.dmpFilesize
512KB