RegAsm.exe

  • File Path: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  • Description: Microsoft .NET Assembly Registration Utility
  • Comments: Flavor=Retail

Hashes

Type Hash
MD5 42AB6E035DF99A43DBB879C86B620B91
SHA1 C6E116569D17D8142DBB217B1F8BFA95BC148C38
SHA256 53195987D396986EBCB20425AC130E78AD308FDBD918F33F3FD92B99ABDA314B
SHA384 E995161CE063BF98E2D138EED0BBF4AF911B81A6552D21B17F43603C184D6705C6F6F3D450CFE40E88BF056E39FFEC1F
SHA512 2E79DE2D394AD33023D71611BB728B254AA4680B5A3A1EF5282B1155DDFAA2F3585C840A6700DFE0D1A276DAC801298431F0187086D2E8F96B22F6C808FB97E5
SSDEEP 768:X8XcJiMjm2ieHlPyCsSuJbn8dBhF++iSMH6Iq8ASYDKCGjW3l:rYMaNylPYSAb8dBnFiH+lDKCGK3l
IMP F34D5F2D4577ED6D9CEEC516C1F5A744
PESHA1 65A5EC4003D22E08E96808DD0BB9E81023356875
PE256 C1D9A38E75E3572B594C42B9326B21415B8FAB7D6081CB31F523D55B9C916E75

Runtime Data

Usage (stdout):

Microsoft .NET Framework Assembly Registration Utility version 4.8.4161.0
for Microsoft .NET Framework version 4.8.4161.0
Copyright (C) Microsoft Corporation.  All rights reserved.

Syntax: RegAsm AssemblyName [Options]
Options:
    /unregister          Unregister types
    /tlb[:FileName]      Export the assembly to the specified type library
                         and register it
    /regfile[:FileName]  Generate a reg file with the specified name
                         instead of registering the types. This option
                         cannot be used with the /u or /tlb options
    /codebase            Set the code base in the registry
    /registered          Only refer to already registered type libraries
    /asmpath:Directory   Look for assembly references here
    /nologo              Prevents RegAsm from displaying logo
    /silent              Silent mode. Prevents displaying of success messages
    /verbose             Displays extra information
    /? or /help          Display this usage message

Usage (stderr):

RegAsm : error RA0000 : Could not load file or assembly 'file:///C:\WINDOWS\help' or one of its dependencies. Access is denied.

Loaded Modules:

Path
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: RegAsm.exe
  • Product Name: Microsoft .NET Framework
  • Company Name: Microsoft Corporation
  • File Version: 4.8.4161.0 built by: NET48REL1
  • Product Version: 4.8.4161.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b/detection

File Similarity (ssdeep match)

File Score
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 77
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe 86
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe 75

Possible Misuse

The following table contains possible examples of RegAsm.exe being misused. While RegAsm.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_bad_opsec_sacrificial_processes.yml - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool DRL 1.0
sigma win_bad_opsec_sacrificial_processes.yml Image\|endswith: '\regasm.exe' DRL 1.0
sigma win_bad_opsec_sacrificial_processes.yml CommandLine\|endswith: '\regasm.exe' DRL 1.0
sigma win_possible_applocker_bypass.yml - '\regasm.exe' DRL 1.0
LOLBAS Regasm.yml Name: Regasm.exe  
LOLBAS Regasm.yml - Command: regasm.exe AllTheThingsx64.dll  
LOLBAS Regasm.yml - Command: regasm.exe /U AllTheThingsx64.dll  
LOLBAS Regasm.yml - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe  
LOLBAS Regasm.yml - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe  
LOLBAS Regasm.yml - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe  
LOLBAS Regasm.yml - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe  
LOLBAS Regasm.yml - IOC: regasm.exe executing dll file  
LOLBAS Regasm.yml - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/  
LOLBAS Regsvcs.yml Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies  
LOLBAS Regsvcs.yml - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/  
atomic-red-team index.md - T1218.009 Regsvcs/Regasm MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Regasm Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.009 Regsvcs/Regasm MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Regasm Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | | | Regsvcs/Regasm | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | | | Regsvcs/Regasm | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md # T1218.009 - Regsvcs/Regasm MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md <blockquote>Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm) MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md - Atomic Test #1 - Regasm Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md ## Atomic Test #1 - Regasm Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file} MIT License. © 2018 Red Canary
signature-base apt_oilrig_oct17.yar $s2 = “C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe” fullword wide CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.