RegAsm.exe
- File Path: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
- Description: Microsoft .NET Assembly Registration Utility
- Comments: Flavor=Retail
Hashes
Type | Hash |
---|---|
MD5 | 42AB6E035DF99A43DBB879C86B620B91 |
SHA1 | C6E116569D17D8142DBB217B1F8BFA95BC148C38 |
SHA256 | 53195987D396986EBCB20425AC130E78AD308FDBD918F33F3FD92B99ABDA314B |
SHA384 | E995161CE063BF98E2D138EED0BBF4AF911B81A6552D21B17F43603C184D6705C6F6F3D450CFE40E88BF056E39FFEC1F |
SHA512 | 2E79DE2D394AD33023D71611BB728B254AA4680B5A3A1EF5282B1155DDFAA2F3585C840A6700DFE0D1A276DAC801298431F0187086D2E8F96B22F6C808FB97E5 |
SSDEEP | 768:X8XcJiMjm2ieHlPyCsSuJbn8dBhF++iSMH6Iq8ASYDKCGjW3l:rYMaNylPYSAb8dBnFiH+lDKCGK3l |
IMP | F34D5F2D4577ED6D9CEEC516C1F5A744 |
PESHA1 | 65A5EC4003D22E08E96808DD0BB9E81023356875 |
PE256 | C1D9A38E75E3572B594C42B9326B21415B8FAB7D6081CB31F523D55B9C916E75 |
Runtime Data
Usage (stdout):
Microsoft .NET Framework Assembly Registration Utility version 4.8.4161.0
for Microsoft .NET Framework version 4.8.4161.0
Copyright (C) Microsoft Corporation. All rights reserved.
Syntax: RegAsm AssemblyName [Options]
Options:
/unregister Unregister types
/tlb[:FileName] Export the assembly to the specified type library
and register it
/regfile[:FileName] Generate a reg file with the specified name
instead of registering the types. This option
cannot be used with the /u or /tlb options
/codebase Set the code base in the registry
/registered Only refer to already registered type libraries
/asmpath:Directory Look for assembly references here
/nologo Prevents RegAsm from displaying logo
/silent Silent mode. Prevents displaying of success messages
/verbose Displays extra information
/? or /help Display this usage message
Usage (stderr):
RegAsm : error RA0000 : Could not load file or assembly 'file:///C:\WINDOWS\help' or one of its dependencies. Access is denied.
Loaded Modules:
Path |
---|
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
C:\WINDOWS\SYSTEM32\ntdll.dll |
C:\WINDOWS\System32\wow64.dll |
C:\WINDOWS\System32\wow64base.dll |
C:\WINDOWS\System32\wow64con.dll |
C:\WINDOWS\System32\wow64cpu.dll |
C:\WINDOWS\System32\wow64win.dll |
Signature
- Status: Signature verified.
- Serial: 33000002ED2C45E4C145CF48440000000002ED
- Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: RegAsm.exe
- Product Name: Microsoft .NET Framework
- Company Name: Microsoft Corporation
- File Version: 4.8.4161.0 built by: NET48REL1
- Product Version: 4.8.4161.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b/detection
File Similarity (ssdeep match)
File | Score |
---|---|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 77 |
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | 86 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | 75 |
Possible Misuse
The following table contains possible examples of RegAsm.exe being misused. While RegAsm.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool | DRL 1.0 |
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | Image\|endswith: '\regasm.exe' | DRL 1.0 |
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | CommandLine\|endswith: '\regasm.exe' | DRL 1.0 |
sigma | proc_creation_win_possible_applocker_bypass.yml | - '\regasm.exe' | DRL 1.0 |
LOLBAS | Regasm.yml | Name: Regasm.exe | |
LOLBAS | Regasm.yml | - Command: regasm.exe AllTheThingsx64.dll | |
LOLBAS | Regasm.yml | - Command: regasm.exe /U AllTheThingsx64.dll | |
LOLBAS | Regasm.yml | - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe | |
LOLBAS | Regasm.yml | - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe | |
LOLBAS | Regasm.yml | - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | |
LOLBAS | Regasm.yml | - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe | |
LOLBAS | Regasm.yml | - IOC: regasm.exe executing dll file | |
LOLBAS | Regasm.yml | - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ | |
LOLBAS | Regsvcs.yml | Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies | |
LOLBAS | Regsvcs.yml | - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ | |
atomic-red-team | index.md | - T1218.009 Regsvcs/Regasm | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #1: Regasm Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - T1218.009 Regsvcs/Regasm | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Regasm Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | | | | | | Regsvcs/Regasm | | | | | | | | | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | | | | | | Regsvcs/Regasm | | | | | | | | | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | # T1218.009 - Regsvcs/Regasm | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | <blockquote>Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)</blockquote> | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | - Atomic Test #1 - Regasm Uninstall Method Call Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | ## Atomic Test #1 - Regasm Uninstall Method Call Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file} | MIT License. © 2018 Red Canary |
signature-base | apt_oilrig_oct17.yar | $s2 = "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" fullword wide | CC BY-NC 4.0 |
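The Sigma, LOLBAS and Atomic Red Team entries above describe three observable patterns: regasm.exe spawned with no arguments (the sacrificial-process rule), regasm.exe /U pointed at an attacker-controlled DLL, and a regasm.exe binary running from somewhere other than the four .NET Framework directories. The following triage script is an added example written for this page; it is not code from Strontic, Sigma, LOLBAS or Atomic Red Team. It applies those checks to process-creation events shaped like Sysmon Event ID 1 records. The events in SAMPLE_EVENTS are constructed for illustration, TRUSTED_ASSEMBLY_PREFIXES is an assumption about where legitimately registered assemblies live, and KNOWN_SHA256 contains only the 32-bit 4.8.4161.0 build documented on this page, so a hash miss means "verify", not "malicious".

```python
"""Triage of process-creation events for RegAsm.exe abuse (ATT&CK T1218.009).

Added example for this page, not code from Strontic, Sigma, LOLBAS or Atomic Red
Team. SAMPLE_EVENTS are constructed; they are not real telemetry.
"""
import ntpath

# The four on-disk locations of a genuine RegAsm.exe, as listed in LOLBAS Regasm.yml.
KNOWN_REGASM_PATHS = {
    r"c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe",
    r"c:\windows\microsoft.net\framework64\v2.0.50727\regasm.exe",
    r"c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe",
    r"c:\windows\microsoft.net\framework64\v4.0.30319\regasm.exe",
}

# SHA256 of the 32-bit 4.8.4161.0 build documented on this page. Other Framework
# builds are legitimate too, so a miss is a prompt to verify, not a verdict.
KNOWN_SHA256 = {"53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b"}

# Assumption: directories from which a legitimately registered COM assembly is
# normally loaded. Anything else (Temp, Downloads, AppData, ...) is flagged.
TRUSTED_ASSEMBLY_PREFIXES = (r"c:\program files", r"c:\windows")


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Quote-aware split of a Windows command line (backslash is not an escape)."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def assess_event(event: dict) -> list[str]:
    """Return findings for one event; an empty list means nothing notable."""
    image = event.get("Image", "").lower()
    if ntpath.basename(image) != "regasm.exe":
        return []
    findings = []

    # Masquerading: a binary named regasm.exe outside the .NET Framework directories.
    if image not in KNOWN_REGASM_PATHS:
        findings.append("regasm.exe outside the .NET Framework directories (possible masquerading)")

    # Integrity: compare the hash the sensor reported against the documented build.
    sha256 = event.get("SHA256", "").lower()
    if sha256 and sha256 not in KNOWN_SHA256:
        findings.append("SHA256 is not the build documented here; verify against a known-good copy")

    cmdline = event.get("CommandLine", "")
    # Sigma proc_creation_win_bad_opsec_sacrificial_processes: CommandLine ends with
    # \regasm.exe, i.e. the tool was spawned with no assembly to register.
    if cmdline.lower().rstrip('"').endswith(r"\regasm.exe"):
        findings.append("launched with no arguments (sacrificial-process pattern)")
        return findings

    tokens = split_windows_cmdline(cmdline)
    switches = {t.lower() for t in tokens[1:] if t.startswith("/")}
    assemblies = [t for t in tokens[1:] if not t.startswith("/")]

    # LOLBAS: regasm.exe /U <dll>. The [ComUnregisterFunction] code still runs
    # when the process lacks privileges and the unregistration itself fails.
    if switches & {"/u", "/unregister"}:
        findings.append("/U used: [ComUnregisterFunction] code runs even if unregistration fails")

    for assembly in assemblies:
        if not assembly.lower().startswith(TRUSTED_ASSEMBLY_PREFIXES):
            findings.append(f"assembly loaded from an untrusted location: {assembly}")
    return findings


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that produced findings."""
    return {i: f for i, ev in enumerate(events) if (f := assess_event(ev))}


# Constructed sample events (Sysmon Event ID 1 shape, paths and hash invented).
SAMPLE_EVENTS = [
    {  # benign: installer registering an interop assembly from Program Files
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /codebase "C:\Program Files\Contoso\Contoso.Interop.dll"',
    },
    {  # LOLBAS pattern: /U against a DLL dropped in the user's Temp directory
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
        "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U C:\Users\bob\AppData\Local\Temp\AllTheThingsx64.dll",
    },
    {  # sacrificial process: regasm.exe spawned with no arguments at all
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    },
    {  # copied binary running from AppData with a hash that is not the documented build
        "Image": r"C:\Users\bob\AppData\Roaming\regasm.exe",
        "CommandLine": r"C:\Users\bob\AppData\Roaming\regasm.exe C:\Users\bob\AppData\Roaming\payload.dll",
        "SHA256": "0" * 64,
    },
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}:")
        for line in findings:
            print(f"  - {line}")
```

Run as-is, the script reports nothing for the Program Files registration and flags the other three events. In production the same checks would be fed from the SIEM's process-creation stream rather than SAMPLE_EVENTS, and KNOWN_SHA256 would be extended with the hashes of every Framework build deployed in the estate.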
MIT License. Copyright (c) 2020-2021 Strontic.