1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e

Analysis

max time kernel
58s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
Size

416KB
MD5

5ac2af7ef78cacb1e54321a938aec045
SHA1

949d5734c40864f7ec3b291059fa7448badf37ea
SHA256

1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e
SHA512

dae6ccb702480a634fea987b2d2d876e2cd96a73345c2beb173e873eb27b5cf7bba26b74cd043a95a0e7f867aff15393903f4b70ace3280ac93a4d3d7499904c
SSDEEP

12288:gmNOqos4qQXvvcKKHGVuO+RfwWs3ODb3lI:vx+uOuseDbl

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.execertreq.execertreq.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	certreq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	certreq.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

certreq.exe1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\certreq.exe\""	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\certreq.exe\""	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe

Executes dropped EXE 4 IoCs

Processes:

certreq.exetmp14C0.execertreq.exetmp14C0.exe

pid process

596 certreq.exe
944 tmp14C0.exe
2136 certreq.exe
2028 tmp14C0.exe

pid	process
596	certreq.exe
944	tmp14C0.exe
2136	certreq.exe
2028	tmp14C0.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe

Drops startup file 1 IoCs

Processes:

1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\certreq.lnk	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.execertreq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\certreq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\certreq.exe\""	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\certreq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\certreq.exe\""	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\certreq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\certreq.exe\""	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\certreq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\certreq.exe\""	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exetmp14C0.exe

description	pid	process	target process
PID 5044 set thread context of 2676	5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
PID 944 set thread context of 2028	944	tmp14C0.exe	tmp14C0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

Processes:

1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.execertreq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\certreq.exe\""	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\certreq.exe\""	certreq.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3992 PING.EXE

pid	process
3992	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exetmp14C0.exe

pid	process
5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
944	tmp14C0.exe
944	tmp14C0.exe
944	tmp14C0.exe
944	tmp14C0.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

certreq.exe

pid process

596 certreq.exe
596 certreq.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

certreq.exe

pid process

596 certreq.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

certreq.exe

pid process

596 certreq.exe

pid	process
596	certreq.exe
596	certreq.exe

pid	process
596	certreq.exe

pid	process
596	certreq.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.execmd.exetmp14C0.exe

description	pid	process	target process
PID 5044 wrote to memory of 2676	5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
PID 5044 wrote to memory of 2676	5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
PID 5044 wrote to memory of 2676	5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
PID 5044 wrote to memory of 2676	5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
PID 5044 wrote to memory of 2676	5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
PID 5044 wrote to memory of 2676	5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
PID 5044 wrote to memory of 2676	5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
PID 5044 wrote to memory of 2676	5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
PID 5044 wrote to memory of 2676	5044	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
PID 2676 wrote to memory of 596	2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	certreq.exe
PID 2676 wrote to memory of 596	2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	certreq.exe
PID 2676 wrote to memory of 944	2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	tmp14C0.exe
PID 2676 wrote to memory of 944	2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	tmp14C0.exe
PID 2676 wrote to memory of 944	2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	tmp14C0.exe
PID 2676 wrote to memory of 3636	2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	cmd.exe
PID 2676 wrote to memory of 3636	2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	cmd.exe
PID 2676 wrote to memory of 3636	2676	1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe	cmd.exe
PID 3636 wrote to memory of 2136	3636	cmd.exe	certreq.exe
PID 3636 wrote to memory of 2136	3636	cmd.exe	certreq.exe
PID 3636 wrote to memory of 3992	3636	cmd.exe	PING.EXE
PID 3636 wrote to memory of 3992	3636	cmd.exe	PING.EXE
PID 3636 wrote to memory of 3992	3636	cmd.exe	PING.EXE
PID 944 wrote to memory of 2028	944	tmp14C0.exe	tmp14C0.exe
PID 944 wrote to memory of 2028	944	tmp14C0.exe	tmp14C0.exe
PID 944 wrote to memory of 2028	944	tmp14C0.exe	tmp14C0.exe
PID 944 wrote to memory of 2028	944	tmp14C0.exe	tmp14C0.exe
PID 944 wrote to memory of 2028	944	tmp14C0.exe	tmp14C0.exe
PID 944 wrote to memory of 2028	944	tmp14C0.exe	tmp14C0.exe
PID 944 wrote to memory of 2028	944	tmp14C0.exe	tmp14C0.exe
PID 944 wrote to memory of 2028	944	tmp14C0.exe	tmp14C0.exe
PID 944 wrote to memory of 2028	944	tmp14C0.exe	tmp14C0.exe

C:\Users\Admin\AppData\Local\Temp\1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
"C:\Users\Admin\AppData\Local\Temp\1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe
"C:\Users\Admin\AppData\Local\Temp\1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\certreq.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\certreq.exe"
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Modifies Control Panel
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:596

C:\Users\Admin\AppData\Local\Temp\tmp14C0.exe
"C:\Users\Admin\AppData\Local\Temp\tmp14C0.exe" "C:\Users\Admin\AppData\Local\Temp\1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\tmp14C0.exe
"C:\Users\Admin\AppData\Local\Temp\tmp14C0.exe" "C:\Users\Admin\AppData\Local\Temp\1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e.exe"
4⤵
- Executes dropped EXE
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 >> nul
3⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\certreq.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\certreq.exe"
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
PID:2136

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:3992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.bin\S-1-5-21-2295526160-1155304984-640977766-1000\$ast-S-1-5-21-2295526160-1155304984-640977766-1000\8HDkCa0a_rQ1ZPxEHYEIVBzV.dat

Filesize
5KB

MD5
3a3f8bdf6cc1e3dfdcd38815830a8441

SHA1
d2d4bebbb0921aa653a70baa8b9bebb0561fbfb0

SHA256
58b72dcca074e78da948855921a6725e1bd494ce8c927ea0bc00d72907139424

SHA512
893d05aeb5d36250a728cbfec78f59662ee1bc6a1f235ccfa1808262d5994c7c50f05fd00711ec9afbf5e8445f94af396f45beece82fec8f6011a01c46c66648

Download Submit
C:\$Recycle.bin\S-1-5-21-2295526160-1155304984-640977766-1000\$ast-S-1-5-21-2295526160-1155304984-640977766-1000\pFJlpF3LXuXDvKn1hA5hHgzZJ.dat

Filesize
130KB

MD5
c062426b9f1c8d75f2dbcf1673e1bdf1

SHA1
f53aa0c7ba81e3975c5392112480837cb419ae0c

SHA256
b592055975c24fc8e35783a61a57db607a05f3bbc967b4d68d5aacc2db56b793

SHA512
0178d74e92e263e683b2e44a14a6e8705af04be864133afdba10d818d87e98b5522b4d762cd5fb999f8cd7446eae275522e692957463cc3b8e082872d63a6216

Download Submit
C:\$Recycle.bin\S-1-5-21-2295526160-1155304984-640977766-1000\$ast-S-1-5-21-2295526160-1155304984-640977766-1000\qynAi5mkGMjqMe9AN.dat

Filesize
21KB

MD5
cea0778e168a2748de2550b29abc9984

SHA1
169b20226fc5ce25062373b2d9ede62970924f51

SHA256
80f30efe1aa1dfb82f908ad16e8121fec6d5c7e81c7ec40855bb673b47cabc47

SHA512
0efd0457a3b9c6f05d0d1c7d3eabc548a20dbd58447cd1292364ba194ec6dfd0d1ee2dcb819787b836f7e8493fcc58b7de495700c6fbfbfe81ceee14ba77e022

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp14C0.exe

Filesize
416KB

MD5
5ac2af7ef78cacb1e54321a938aec045

SHA1
949d5734c40864f7ec3b291059fa7448badf37ea

SHA256
1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e

SHA512
dae6ccb702480a634fea987b2d2d876e2cd96a73345c2beb173e873eb27b5cf7bba26b74cd043a95a0e7f867aff15393903f4b70ace3280ac93a4d3d7499904c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp14C0.exe

Filesize
416KB

MD5
5ac2af7ef78cacb1e54321a938aec045

SHA1
949d5734c40864f7ec3b291059fa7448badf37ea

SHA256
1ee8eaa2d5a11ba162d890542b8f1e5c54cfc3ff98e27e7f51fcf33f7fd6097e

SHA512
dae6ccb702480a634fea987b2d2d876e2cd96a73345c2beb173e873eb27b5cf7bba26b74cd043a95a0e7f867aff15393903f4b70ace3280ac93a4d3d7499904c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp14C0.exe

Filesize
406KB

MD5
beb0b521683495855a45a9cb637545ae

SHA1
e130ff9c724d1aee07eefdd7bc01ebad0346be80

SHA256
aa6651bf08476fafd4a1719cd2370e368600873b348a71041b8d197be9e296ef

SHA512
303baa05f7dacb1f6abc2adad02d887210f5fd8e94de61690d76750f86e70f33f76cb551818dbe0fa59c59af31c7676f97791990915b48f85d1291e5a571a26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\certreq.exe

Filesize
130KB

MD5
c9ee8262d460488f6b51312e15ff9934

SHA1
d8bcc7546017ef31be02fe20a77fe4a6b144086a

SHA256
3bf69a0352f137e0e41de4f11949c79908319253ea6af9e5d022c4853a872af4

SHA512
42b81243343ac0e5036874157630533756c37398b926d996c5af054a36c499c729383ae000b6167485b07ec10ae53566325ba2aed209d8c3ba55582134c2ef7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\certreq.exe

Filesize
130KB

MD5
c9ee8262d460488f6b51312e15ff9934

SHA1
d8bcc7546017ef31be02fe20a77fe4a6b144086a

SHA256
3bf69a0352f137e0e41de4f11949c79908319253ea6af9e5d022c4853a872af4

SHA512
42b81243343ac0e5036874157630533756c37398b926d996c5af054a36c499c729383ae000b6167485b07ec10ae53566325ba2aed209d8c3ba55582134c2ef7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\certreq.exe

Filesize
130KB

MD5
c9ee8262d460488f6b51312e15ff9934

SHA1
d8bcc7546017ef31be02fe20a77fe4a6b144086a

SHA256
3bf69a0352f137e0e41de4f11949c79908319253ea6af9e5d022c4853a872af4

SHA512
42b81243343ac0e5036874157630533756c37398b926d996c5af054a36c499c729383ae000b6167485b07ec10ae53566325ba2aed209d8c3ba55582134c2ef7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\certreq.lnk

Filesize
1KB

MD5
974cd2cf7d001877034e95745ad87d87

SHA1
ad1c0f2fbb28f3d2c901614155c6ed8549544c9b

SHA256
61b94d9d3a40faf58acfa8d53b8de6c8dad8e68155ef877bdeeff651b8fa2fd8

SHA512
c722fd96f77da79f98535ba1e8dc41f15953bd52e6afee2a3b286f6e51ca393d921c4a40be6e4c21b51a7111f89294025d542f04515644c8bbc24ac234f32c54

Download Submit
memory/596-157-0x0000000000000000-mapping.dmp

Download
memory/596-174-0x0000000003BC0000-0x0000000003BCB000-memory.dmp

Filesize
44KB

Download
memory/596-173-0x0000000003BC0000-0x0000000003BCB000-memory.dmp

Filesize
44KB

Download
memory/944-160-0x0000000000000000-mapping.dmp

Download
memory/2028-195-0x0000000000000000-mapping.dmp

Download
memory/2136-165-0x0000000000000000-mapping.dmp

Download
memory/2676-156-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2676-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2676-164-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2676-152-0x0000000000000000-mapping.dmp

Download
memory/2676-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-172-0x0000000002140000-0x0000000002165000-memory.dmp

Filesize
148KB

Download
memory/3636-162-0x0000000000000000-mapping.dmp

Download
memory/3992-168-0x0000000000000000-mapping.dmp

Download