Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

ͨCF...64.exe

windows7-x64

8

ͨCF...64.exe

windows10-2004-x64

8

ͨCF...86.exe

windows7-x64

7

ͨCF...86.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    100s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ͨCFCAؼ v3.4.0.4/CryptoKit.AmericanExpress.x64.exe

  • Size

    747KB

  • MD5

    fe48508635c0f38d53acf80713ecf463

  • SHA1

    3697f5d2a0f7a8e8dbc71b21e52f3676de2ac8f8

  • SHA256

    d9fe28b4399aafc7c5c666d066bbbf9d56ac62197884c348bcbab6bb57cb8896

  • SHA512

    5e2804c139d8e80177fb9f9e6f804f7bdd8afffd251abe994d4de6430a413d7805dc57287bbdf7733f411a4a224c067ee838ad2dbadf2f0844c2b9572ee04e32

  • SSDEEP

    12288:3zZ4UjD5HOMZUpS2lmLrt06x6tKPIh8cR6Sr67idYHUZ6d25PlJKkBy5Y+Z:3zZfOMZUpRmLrt06YtKPIh8M3r67lS6P

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 46 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ͨCFCAؼ v3.4.0.4\CryptoKit.AmericanExpress.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\ͨCFCAؼ v3.4.0.4\CryptoKit.AmericanExpress.x64.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" "C:\Windows\system32\CryptoKit.AmericanExpress.x64.dll" /s
      2⤵
      • Registers COM server for autorun
      • Loads dropped DLL
      • Modifies registry class
      PID:2032

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsg2413.tmp\System.dll
    Filesize

    11KB

    MD5

    959ea64598b9a3e494c00e8fa793be7e

    SHA1

    40f284a3b92c2f04b1038def79579d4b3d066ee0

    SHA256

    03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

    SHA512

    5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

    Download Submit

  • C:\Windows\System32\CryptoKit.AmericanExpress.x64.dll
    Filesize

    1.4MB

    MD5

    c8b24d96f964062635de3b322fddf246

    SHA1

    d9f984a22273d4a7c4b2a8d5f14210683b44a9be

    SHA256

    a25b6c064dda554064f6217aca87083fd27d8f54e40dd27dfeaa7b251cc93665

    SHA512

    d5febcdcece0501f7ccdf882a31196c1915c813e5b0175a123b69aa2ceb4d73706abdf4720ad5ac63e906b41582b28aee3f24ec6218b633dc0de840127b59c32

    Download Submit

  • C:\Windows\system32\CryptoKit.AmericanExpress.x64.dll
    Filesize

    1.4MB

    MD5

    c8b24d96f964062635de3b322fddf246

    SHA1

    d9f984a22273d4a7c4b2a8d5f14210683b44a9be

    SHA256

    a25b6c064dda554064f6217aca87083fd27d8f54e40dd27dfeaa7b251cc93665

    SHA512

    d5febcdcece0501f7ccdf882a31196c1915c813e5b0175a123b69aa2ceb4d73706abdf4720ad5ac63e906b41582b28aee3f24ec6218b633dc0de840127b59c32

    Download Submit