8faa72093f10d253f67ffc2b4589bb5b2baade75729e5887a52ccc75aae50619

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ͨCFCAؼ v3.4.0.4/CryptoKit.AmericanExpress.x86.exe
Size

659KB
MD5

31e233774693e408618efa573375f722
SHA1

228438cb02fc0a6c0464db8fc5f6c0fdbeb24b42
SHA256

29a921eea49093f44f3d62bf3b68db66cbd462e6314778e70fd13ac4208e42f5
SHA512

f30b84a1d3e44e1ba7f93e26b9e50171226bee361c2ccc3f7f955f9d76289d7ac2f82f9b98bee78661844d320139ddd7682dab37923d1756259ad0e1be3d3213
SSDEEP

12288:7zZ4UjD57pKI9II18Mw21GxuH7jC2w31jTWL5y4GNnDu8i84:7zZDp5HXwxuH7tw31jKL5DGNi8i84

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3260	CryptoKit.AmericanExpress.x86.exe
1612	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CryptoKit.AmericanExpress.x86.dll	CryptoKit.AmericanExpress.x86.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CFCA\CryptoKit.AmericanExpress.x86\uninst.exe	CryptoKit.AmericanExpress.x86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}\ = "ICryptoAgent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CurVer\ = "CryptoKit.CryptoAgent.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C35C5CCF-37C1-4926-9444-CC2C14695745}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C35C5CCF-37C1-4926-9444-CC2C14695745}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6957B567-40E5-4129-B6EB-F044C084AAAD}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C35C5CCF-37C1-4926-9444-CC2C14695745}\TypeLib\ = "{6957B567-40E5-4129-B6EB-F044C084AAAD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6957B567-40E5-4129-B6EB-F044C084AAAD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6957B567-40E5-4129-B6EB-F044C084AAAD}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6957B567-40E5-4129-B6EB-F044C084AAAD}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\ = "CryptoAgent Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C35C5CCF-37C1-4926-9444-CC2C14695745}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C35C5CCF-37C1-4926-9444-CC2C14695745}\VersionIndependentProgID\ = "CryptoKit.CryptoAgent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6957B567-40E5-4129-B6EB-F044C084AAAD}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\CryptoKit.AmericanExpress.x86.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6957B567-40E5-4129-B6EB-F044C084AAAD}\1.0\HELPDIR\ = "C:\\Windows\\system32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}\TypeLib\ = "{6957B567-40E5-4129-B6EB-F044C084AAAD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID\ = "{C35C5CCF-37C1-4926-9444-CC2C14695745}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6957B567-40E5-4129-B6EB-F044C084AAAD}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C35C5CCF-37C1-4926-9444-CC2C14695745}\ = "CryptoAgent Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C35C5CCF-37C1-4926-9444-CC2C14695745}\ProgID\ = "CryptoKit.CryptoAgent.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C35C5CCF-37C1-4926-9444-CC2C14695745}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6957B567-40E5-4129-B6EB-F044C084AAAD}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}\TypeLib\ = "{6957B567-40E5-4129-B6EB-F044C084AAAD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CLSID\ = "{C35C5CCF-37C1-4926-9444-CC2C14695745}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6957B567-40E5-4129-B6EB-F044C084AAAD}\1.0\ = "CryptoKit.AmericanExpress.x86 3.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}\ = "ICryptoAgent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\ = "CryptoAgent Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C35C5CCF-37C1-4926-9444-CC2C14695745}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C35C5CCF-37C1-4926-9444-CC2C14695745}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C35C5CCF-37C1-4926-9444-CC2C14695745}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C35C5CCF-37C1-4926-9444-CC2C14695745}\InprocServer32\ = "C:\\Windows\\SysWow64\\CryptoKit.AmericanExpress.x86.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6957B567-40E5-4129-B6EB-F044C084AAAD}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{920D8644-AEB7-475B-BE11-3DB99CF29CFC}\TypeLib	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 1612	3260	CryptoKit.AmericanExpress.x86.exe	83
PID 3260 wrote to memory of 1612	3260	CryptoKit.AmericanExpress.x86.exe	83
PID 3260 wrote to memory of 1612	3260	CryptoKit.AmericanExpress.x86.exe	83

C:\Users\Admin\AppData\Local\Temp\ͨCFCAؼ v3.4.0.4\CryptoKit.AmericanExpress.x86.exe
"C:\Users\Admin\AppData\Local\Temp\ͨCFCAؼ v3.4.0.4\CryptoKit.AmericanExpress.x86.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\SysWOW64\regsvr32.exe
  "regsvr32.exe" "C:\Windows\system32\CryptoKit.AmericanExpress.x86.dll" /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nswCB93.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Windows\SysWOW64\CryptoKit.AmericanExpress.x86.dll

Filesize
1.1MB

MD5
24531402473ba2fd136579ac4c9b68f4

SHA1
6e13fb5513d286507a2d4c0473e1dc257fd768c8

SHA256
7b2df3b7a2f4b747a32ca48bcb9b442231740caaf96ed79af46d74c340edc291

SHA512
a0d372b78d6b2bb04810e561b63043e416697329d7cfd79b81856451d2da7b42f0e7aa409af8687108fab4b2cd266e7e2ba2dfd50ad91637b70691ddb1a73169

Download Submit
C:\Windows\SysWOW64\CryptoKit.AmericanExpress.x86.dll

Filesize
1.1MB

MD5
24531402473ba2fd136579ac4c9b68f4

SHA1
6e13fb5513d286507a2d4c0473e1dc257fd768c8

SHA256
7b2df3b7a2f4b747a32ca48bcb9b442231740caaf96ed79af46d74c340edc291

SHA512
a0d372b78d6b2bb04810e561b63043e416697329d7cfd79b81856451d2da7b42f0e7aa409af8687108fab4b2cd266e7e2ba2dfd50ad91637b70691ddb1a73169

Download Submit