d3da1e9964568d51645d337f8d15655287067cbd6aac93b12b5f9d76da411c5b

Analysis

max time kernel
133s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CertEnroll.dll
Size

2.5MB
MD5

46368e4e463104e133b8ce61ae5a3f60
SHA1

1b5b61dd2e2248f250ab9df206d288756de0507b
SHA256

d3da1e9964568d51645d337f8d15655287067cbd6aac93b12b5f9d76da411c5b
SHA512

386a04a922054c67b85dcff44544f5c9adf8e77151f7f2109373183c41bdada795f69fb760184f0fb1dd8af6397e057ae7ed72964328449fd58b897efc668392
SSDEEP

49152:dHytmHWAcw4kcw4kzbzMT/UwtfMHIk+WChJEON4szO:dHykvIUwtTk+hJ

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CX500DistinguishedName\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CCertPropertyArchived.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CCertPropertyRequestOriginator\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884E2026-217D-11DA-B2A4-000E7BBB2B09}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CCAStatuses\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2051-217d-11da-b2a4-000e7bbb2b09}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11a25a1d-b9a3-4edd-af83-3b59adbed361}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884E2045-217D-11DA-B2A4-000E7BBB2B09}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e200f-217d-11da-b2a4-000e7bbb2b09}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2046-217d-11da-b2a4-000e7bbb2b09}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2046-217d-11da-b2a4-000e7bbb2b09}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e202e-217d-11da-b2a4-000e7bbb2b09}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e202c-217d-11da-b2a4-000e7bbb2b09}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CCspInformation.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2038-217d-11da-b2a4-000e7bbb2b09}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CX509MachineEnrollmentFactory	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CCryptAttributes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2010-217d-11da-b2a4-000e7bbb2b09}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91F39023-217F-11DA-B2A4-000E7BBB2B09}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CertEnroll.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CCertPropertyRenewal.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CX509PrivateKey.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2030-217d-11da-b2a4-000e7bbb2b09}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e204c-217d-11da-b2a4-000e7bbb2b09}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2017-217d-11da-b2a4-000e7bbb2b09}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CX509Extension\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e200e-217d-11da-b2a4-000e7bbb2b09}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CX509AttributeOSVersion.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91F39006-217F-11DA-B2A4-000E7BBB2B09}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CX509PolicyServerUrl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2008-217d-11da-b2a4-000e7bbb2b09}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CCertPropertyFriendlyName\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CX509AttributeRenewalCertificate\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CX509ExtensionSubjectKeyIdentifier\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CCertificatePolicies\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91F39006-217F-11DA-B2A4-000E7BBB2B09}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91F39007-217F-11DA-B2A4-000E7BBB2B09}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CertEnroll.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2049-217d-11da-b2a4-000e7bbb2b09}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CX509NameValuePair	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884E2042-217D-11DA-B2A4-000E7BBB2B09}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e203f-217d-11da-b2a4-000e7bbb2b09}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884E2013-217D-11DA-B2A4-000E7BBB2B09}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2009-217d-11da-b2a4-000e7bbb2b09}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11a25a1d-b9a3-4edd-af83-3b59adbed361}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2010-217d-11da-b2a4-000e7bbb2b09}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884E200D-217D-11DA-B2A4-000E7BBB2B09}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2043-217d-11da-b2a4-000e7bbb2b09}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CX509ExtensionTemplateName	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884E2015-217D-11DA-B2A4-000E7BBB2B09}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1362ada1-eb60-456a-b6e1-118050db741b}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CX509Attributes.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CCspInformation.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CX509AttributeClientId\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91f3902a-217f-11da-b2a4-000e7bbb2b09}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e201b-217d-11da-b2a4-000e7bbb2b09}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91F39006-217F-11DA-B2A4-000E7BBB2B09}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e200c-217d-11da-b2a4-000e7bbb2b09}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e205f-217d-11da-b2a4-000e7bbb2b09}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884E202E-217D-11DA-B2A4-000E7BBB2B09}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884E2060-217D-11DA-B2A4-000E7BBB2B09}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2037-217d-11da-b2a4-000e7bbb2b09}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CCertificatePolicies	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X509Enrollment.CCryptAttribute.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884E2010-217D-11DA-B2A4-000E7BBB2B09}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e203d-217d-11da-b2a4-000e7bbb2b09}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 5040	1432	regsvr32.exe	91
PID 1432 wrote to memory of 5040	1432	regsvr32.exe	91
PID 1432 wrote to memory of 5040	1432	regsvr32.exe	91

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CertEnroll.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\CertEnroll.dll
  2⤵
  - Modifies registry class
  PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4276,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8
1⤵
PID:4496

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads