revengerat | 5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6

General

Target

5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe
Size

1.1MB
MD5

90db2df33725d3ee85ccc9f2c241e3c3
SHA1

7efae20c555d7b92255a90097f876183f9a0ac3b
SHA256

5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6
SHA512

8ff581a8b090ee451b5bcad3bf97535abffd92e56c85a48d93a2a356ede94f210c2516161d02a123c4a541fdf4920e77fb51aa2601efe81d4e6771ac1c918c74

Score

10^/10

revengerat guest persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

127.0.0.1:333

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 29 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2180-134-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/2180-135-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral2/memory/1612-144-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/4180-147-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/552-151-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/1820-154-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/3736-157-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/4536-160-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/1996-167-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/5000-170-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/3092-173-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/4752-176-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/4416-180-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/4832-185-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/2424-188-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/1884-191-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/4692-195-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/2376-198-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/3572-201-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/1584-204-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/772-207-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/4176-210-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/3628-214-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/2008-219-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/1060-222-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/416-225-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/2464-228-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/4660-235-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/4872-238-0x0000000000000000-mapping.dmp	revengerat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nvidia.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\Nvidia.exe"	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

Suspicious use of SetThreadContext 39 IoCs

Processes:

5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

description	pid	process	target process
PID 5064 set thread context of 1132	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 2180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 5024	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4072	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 1916	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 1612	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 552	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 1820	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 3736	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4536	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 1816	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 1460	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 1996	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 5000	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 3092	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4752	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4416	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4864	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4832	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 2424	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 1884	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4692	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 2376	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 3572	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 1584	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 772	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4176	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 3628	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 2488	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 2008	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 1060	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 416	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 2464	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4084	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4348	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4660	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 4872	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 set thread context of 1264	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1284	1132	WerFault.exe	RegAsm.ExE
4892	5024	WerFault.exe	RegAsm.ExE
4980	4072	WerFault.exe	RegAsm.ExE
4440	1916	WerFault.exe	RegAsm.ExE
4660	1816	WerFault.exe	RegAsm.ExE
388	1460	WerFault.exe	RegAsm.ExE
4472	4864	WerFault.exe	RegAsm.ExE
3588	2488	WerFault.exe	RegAsm.ExE
2172	4084	WerFault.exe	RegAsm.ExE
3592	4348	WerFault.exe	RegAsm.ExE
2444	1264	WerFault.exe	RegAsm.ExE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

RegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExEdw20.exeRegAsm.ExERegAsm.ExERegAsm.ExE

description	pid	process
Token: SeDebugPrivilege	2180	RegAsm.ExE
Token: SeDebugPrivilege	1612	RegAsm.ExE
Token: SeDebugPrivilege	552	RegAsm.ExE
Token: SeDebugPrivilege	5000	RegAsm.ExE
Token: SeDebugPrivilege	3092	RegAsm.ExE
Token: SeDebugPrivilege	4752	RegAsm.ExE
Token: SeDebugPrivilege	1884	RegAsm.ExE
Token: SeDebugPrivilege	1584	RegAsm.ExE
Token: SeRestorePrivilege	3424	dw20.exe
Token: SeBackupPrivilege	3424	dw20.exe
Token: SeBackupPrivilege	3424	dw20.exe
Token: SeBackupPrivilege	3424	dw20.exe
Token: SeBackupPrivilege	3424	dw20.exe
Token: SeDebugPrivilege	3628	RegAsm.ExE
Token: SeDebugPrivilege	2464	RegAsm.ExE
Token: SeDebugPrivilege	4872	RegAsm.ExE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

pid process

5064 5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

pid	process
5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

description	pid	process	target process
PID 5064 wrote to memory of 1132	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1132	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1132	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1132	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 2180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 2180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 2180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 2180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 2180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 2180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 2180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 5024	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 5024	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 5024	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 5024	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4072	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4072	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4072	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4072	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1916	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1916	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1916	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1916	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1612	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1612	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1612	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1612	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1612	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1612	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1612	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4180	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 552	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 552	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 552	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 552	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 552	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 552	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 552	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1820	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1820	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1820	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1820	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1820	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1820	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 1820	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 3736	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 3736	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 3736	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 3736	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 3736	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 3736	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 3736	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4536	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4536	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4536	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4536	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4536	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 5064 wrote to memory of 4536	5064	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE

C:\Users\Admin\AppData\Local\Temp\5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe
"C:\Users\Admin\AppData\Local\Temp\5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 80
3⤵
- Program crash
PID:1284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 80
3⤵
- Program crash
PID:4892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 80
3⤵
- Program crash
PID:4980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 80
3⤵
- Program crash
PID:4440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:3736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:4536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 80
3⤵
- Program crash
PID:4660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 80
3⤵
- Program crash
PID:388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:4416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 80
3⤵
- Program crash
PID:4472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:4832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:4692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:2376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:3572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:4176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 704
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 80
3⤵
- Program crash
PID:3588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 80
3⤵
- Program crash
PID:2172

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 80
3⤵
- Program crash
PID:3592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:4660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 80
3⤵
- Program crash
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1132 -ip 1132
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5024 -ip 5024
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4072 -ip 4072
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1916 -ip 1916
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1816 -ip 1816
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1460 -ip 1460
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4864 -ip 4864
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2488 -ip 2488
1⤵
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4084 -ip 4084
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4348 -ip 4348
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1264 -ip 1264
1⤵
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.ExE.log
Filesize
411B

MD5
aa1e14353932d87c160bcc8b1f025429

SHA1
8be59f98296c1c5b9fb5ad84888d2a8dc6a3377d

SHA256
1c644f557743292853209410644526419eee72bfee8bfec839212b06d3b5e739

SHA512
7aec11c636bfe228d2029b87f980e979de9c214264eb2dbaa25186084e39f8732a83d44580300f98a15a1a9c0637e748c1f3eb4f46520ef4c6caaae07347033b

Download Submit
memory/416-225-0x0000000000000000-mapping.dmp

Download
memory/416-227-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/552-153-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/552-151-0x0000000000000000-mapping.dmp

Download
memory/772-209-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/772-207-0x0000000000000000-mapping.dmp

Download
memory/1060-222-0x0000000000000000-mapping.dmp

Download
memory/1060-224-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/1132-132-0x0000000000000000-mapping.dmp

Download
memory/1264-241-0x0000000000000000-mapping.dmp

Download
memory/1460-165-0x0000000000000000-mapping.dmp

Download
memory/1584-206-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/1584-204-0x0000000000000000-mapping.dmp

Download
memory/1612-146-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/1612-144-0x0000000000000000-mapping.dmp

Download
memory/1816-163-0x0000000000000000-mapping.dmp

Download
memory/1820-154-0x0000000000000000-mapping.dmp

Download
memory/1820-156-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/1884-191-0x0000000000000000-mapping.dmp

Download
memory/1884-193-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/1884-194-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/1916-141-0x0000000000000000-mapping.dmp

Download
memory/1996-169-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/1996-167-0x0000000000000000-mapping.dmp

Download
memory/2008-221-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/2008-219-0x0000000000000000-mapping.dmp

Download
memory/2180-135-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-143-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/2180-136-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/2180-134-0x0000000000000000-mapping.dmp

Download
memory/2376-198-0x0000000000000000-mapping.dmp

Download
memory/2376-200-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/2424-190-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/2424-188-0x0000000000000000-mapping.dmp

Download
memory/2464-230-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/2464-228-0x0000000000000000-mapping.dmp

Download
memory/2488-217-0x0000000000000000-mapping.dmp

Download
memory/3092-175-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/3092-173-0x0000000000000000-mapping.dmp

Download
memory/3424-212-0x0000000000000000-mapping.dmp

Download
memory/3572-203-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/3572-201-0x0000000000000000-mapping.dmp

Download
memory/3628-214-0x0000000000000000-mapping.dmp

Download
memory/3628-216-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/3736-159-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/3736-157-0x0000000000000000-mapping.dmp

Download
memory/4072-139-0x0000000000000000-mapping.dmp

Download
memory/4084-231-0x0000000000000000-mapping.dmp

Download
memory/4176-210-0x0000000000000000-mapping.dmp

Download
memory/4176-213-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/4180-147-0x0000000000000000-mapping.dmp

Download
memory/4180-150-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/4348-233-0x0000000000000000-mapping.dmp

Download
memory/4416-180-0x0000000000000000-mapping.dmp

Download
memory/4416-182-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/4536-162-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/4536-160-0x0000000000000000-mapping.dmp

Download
memory/4660-237-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/4660-235-0x0000000000000000-mapping.dmp

Download
memory/4692-195-0x0000000000000000-mapping.dmp

Download
memory/4692-197-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/4752-176-0x0000000000000000-mapping.dmp

Download
memory/4752-178-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/4752-179-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/4832-185-0x0000000000000000-mapping.dmp

Download
memory/4832-187-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/4864-183-0x0000000000000000-mapping.dmp

Download
memory/4872-238-0x0000000000000000-mapping.dmp

Download
memory/4872-240-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/5000-170-0x0000000000000000-mapping.dmp

Download
memory/5000-172-0x0000000073B60000-0x0000000074111000-memory.dmp

Filesize
5.7MB

Download
memory/5024-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads