Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2022, 12:20

General

  • Target

    ͨCFCAؼ v3.4.0.4/CryptoKit.AmericanExpress.x86.exe

  • Size

    659KB

  • MD5

    31e233774693e408618efa573375f722

  • SHA1

    228438cb02fc0a6c0464db8fc5f6c0fdbeb24b42

  • SHA256

    29a921eea49093f44f3d62bf3b68db66cbd462e6314778e70fd13ac4208e42f5

  • SHA512

    f30b84a1d3e44e1ba7f93e26b9e50171226bee361c2ccc3f7f955f9d76289d7ac2f82f9b98bee78661844d320139ddd7682dab37923d1756259ad0e1be3d3213

  • SSDEEP

    12288:7zZ4UjD57pKI9II18Mw21GxuH7jC2w31jTWL5y4GNnDu8i84:7zZDp5HXwxuH7tw31jKL5DGNi8i84

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but drive enumeration is routine for installers, and nothing else in this report (two dropped files, no recorded network activity, no mass file writes) supports that reading; on its own this signature is weak evidence.

  • Modifies registry class 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
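Two of the signatures above, "Checks installed software on the system" (reads under the Uninstall key) and "Modifies registry class" (writes under HKCR or HKLM\SOFTWARE\Classes, which is what regsvr32 /s triggers through DllRegisterServer), are easiest to understand against a registry-event log. The following classifier is an added example, not code from the report or from the sandbox vendor; the pipe-delimited event format, the PIDs' pairing with operations and the GUIDs are assumptions built for the sample, and it recovers which DLL was registered as an in-process COM server from the InprocServer32 default value.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class RegEvent:
    pid: int
    op: str
    key: str
    value_name: str
    data: str


# Key patterns behind the two signatures (assumed normalised key paths).
UNINSTALL_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(?:\\|$)", re.I)
CLASSES_ROOT = re.compile(
    r"^(?:HKCR|HKEY_CLASSES_ROOT|(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\(?:WOW6432Node\\)?Classes)\\",
    re.I,
)
INPROC_SERVER = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", re.I)
READ_OPS = {"OpenKey", "QueryValue", "EnumKey", "EnumValue"}
WRITE_OPS = {"CreateKey", "SetValue", "DeleteKey", "DeleteValue"}

# Constructed events in the assumed format pid|operation|key|value_name|data.
# PIDs 3260 and 1612 follow the report's process tree; the GUIDs are placeholders,
# the report does not list the real CLSIDs.
SAMPLE_REG = r"""
3260|QueryValue|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}|DisplayName|Example App
3260|EnumKey|HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall||
3260|SetValue|HKCU\Software\Example\Settings|LastRun|1
1612|CreateKey|HKLM\SOFTWARE\WOW6432Node\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}||
1612|SetValue|HKLM\SOFTWARE\WOW6432Node\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32|(Default)|C:\Windows\SysWOW64\CryptoKit.AmericanExpress.x86.dll
1612|SetValue|HKLM\SOFTWARE\WOW6432Node\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32|ThreadingModel|Apartment
1612|SetValue|HKCR\TypeLib\{FFFFFFFF-1111-2222-3333-444444444444}\1.0\0\win32|(Default)|C:\Windows\SysWOW64\CryptoKit.AmericanExpress.x86.dll
""".strip()


def parse_reg_events(text: str) -> list[RegEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, op, key, name, data = line.split("|", 4)
        events.append(RegEvent(int(pid), op, key, name, data))
    return events


def classify(ev: RegEvent) -> set[str]:
    """Map one event onto the report's signature names (as tags)."""
    tags = set()
    if ev.op in READ_OPS and UNINSTALL_KEY.search(ev.key):
        tags.add("installed-software-enum")      # "Checks installed software"
    if ev.op in WRITE_OPS and CLASSES_ROOT.match(ev.key):
        tags.add("registry-class-modify")        # "Modifies registry class"
    return tags


def summarize(events: list[RegEvent]) -> dict[int, dict[str, int]]:
    """Per-PID count of tagged events, like the report's 'N IoCs' figures."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        for tag in classify(ev):
            counts[ev.pid][tag] += 1
    return {pid: dict(c) for pid, c in counts.items()}


def com_servers(events: list[RegEvent]) -> dict[str, str]:
    """CLSID -> DLL path, taken from writes to InprocServer32's default value.
    This is the durable artefact of a regsvr32 registration."""
    servers = {}
    for ev in events:
        m = INPROC_SERVER.search(ev.key)
        if ev.op == "SetValue" and m and ev.value_name in ("", "(Default)"):
            servers[m.group(1).upper()] = ev.data
    return servers


if __name__ == "__main__":
    evs = parse_reg_events(SAMPLE_REG)
    for pid, tags in summarize(evs).items():
        print(pid, tags)
    for clsid, dll in com_servers(evs).items():
        print(f"COM server {clsid} -> {dll}")
```

The CLSID-to-DLL map is what to pivot on during response: it tells you which registered server to unregister (regsvr32 /u) and which file to collect, whereas the raw "46 IoCs" count mostly reflects the many subkeys a single DllRegisterServer call writes.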

Processes

  • C:\Users\Admin\AppData\Local\Temp\ͨCFCAؼ v3.4.0.4\CryptoKit.AmericanExpress.x86.exe
    "C:\Users\Admin\AppData\Local\Temp\ͨCFCAؼ v3.4.0.4\CryptoKit.AmericanExpress.x86.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32.exe" "C:\Windows\system32\CryptoKit.AmericanExpress.x86.dll" /s
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:1612
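The process tree above is the pattern worth a detection: a binary running from %TEMP% drops a DLL into a system directory and registers it silently with regsvr32 /s. Note the WOW64 detail: the regsvr32 that ran is the 32-bit one in SysWOW64, so the "C:\Windows\system32\..." path on its command line is redirected by the file-system redirector to the SysWOW64 file listed under Downloads. The following detector is an added example, not code from the report or from the sandbox vendor; the event format, the benign control rows, the explorer/msiexec/cmd parents and the directory markers are assumptions built for the sample.

```python
import re
from dataclasses import dataclass

# Assumed lower-cased path prefixes and markers used by the rules below.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    dll: str
    reasons: list


# Constructed process-creation events (pid|ppid|image|parent_image|cmdline).
# Rows 1-2 mirror the report's tree (PIDs 3260 and 1612; the garbled directory
# segment of the report's path is omitted); rows 3-4 are benign controls.
SAMPLE_EVENTS = r"""
3260|4512|C:\Users\Admin\AppData\Local\Temp\CryptoKit.AmericanExpress.x86.exe|C:\Windows\explorer.exe|"C:\Users\Admin\AppData\Local\Temp\CryptoKit.AmericanExpress.x86.exe"
1612|3260|C:\Windows\SysWOW64\regsvr32.exe|C:\Users\Admin\AppData\Local\Temp\CryptoKit.AmericanExpress.x86.exe|"regsvr32.exe" "C:\Windows\system32\CryptoKit.AmericanExpress.x86.dll" /s
7016|4512|C:\Windows\System32\regsvr32.exe|C:\Windows\System32\msiexec.exe|regsvr32.exe /s "C:\Program Files\Vendor\vendorctl.dll"
2208|4512|C:\Windows\System32\regsvr32.exe|C:\Windows\System32\cmd.exe|regsvr32.exe "C:\Users\Admin\Desktop\mycom.dll"
""".strip()

# First quoted or unquoted .dll/.ocx argument on the command line.
DLL_ARG = re.compile(r'"([^"]+\.(?:dll|ocx))"|(\S+\.(?:dll|ocx))', re.I)
SILENT = re.compile(r"(?:^|\s)/s(?:\s|$)", re.I)


def parse_events(text: str) -> list[ProcEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, parent, cmd = line.split("|", 4)
        events.append(ProcEvent(int(pid), int(ppid), image, parent, cmd))
    return events


def regsvr32_target(cmdline: str):
    m = DLL_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def resolve_wow64(path: str, image: str) -> str:
    """A 32-bit process on x64 has C:\\Windows\\System32 redirected to SysWOW64,
    so a DLL path named by a SysWOW64 regsvr32 is the SysWOW64 file on disk."""
    p = path.lower()
    prefix = "c:\\windows\\system32\\"
    if "\\syswow64\\" in image.lower() and p.startswith(prefix):
        return "c:\\windows\\syswow64\\" + p[len(prefix):]
    return p


def detect_silent_com_registration(events: list[ProcEvent]) -> list[Finding]:
    findings = []
    for ev in events:
        if not ev.image.lower().endswith("\\regsvr32.exe"):
            continue
        target = regsvr32_target(ev.cmdline)
        if target is None:
            continue
        dll = resolve_wow64(target, ev.image)
        reasons = []
        if SILENT.search(ev.cmdline):
            reasons.append("silent registration (/s)")
        if dll.startswith(SYSTEM_DIRS):
            reasons.append("DLL registered from a system directory")
        parent_from_user_dir = any(m in ev.parent_image.lower() for m in USER_WRITABLE_MARKERS)
        if parent_from_user_dir:
            reasons.append("parent runs from a user-writable directory")
        # Fire only on the combination the report shows: a parent in a
        # user-writable location registering a DLL it could have dropped itself.
        if parent_from_user_dir and len(reasons) >= 2:
            findings.append(Finding(ev.pid, dll, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_silent_com_registration(parse_events(SAMPLE_EVENTS)):
        print(f"pid {f.pid}: {f.dll}")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample this flags only PID 1612, with the DLL resolved to the SysWOW64 path that appears in the Downloads table; the msiexec-driven registration and the interactive unsilent one are left alone. The nsw*.tmp\System.dll artefact in that table matches the path pattern NSIS installers use for their extracted System plugin, which is an inference from the path, not something the report states.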

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nswCB93.tmp\System.dll

    Filesize

    11KB

    MD5

    959ea64598b9a3e494c00e8fa793be7e

    SHA1

    40f284a3b92c2f04b1038def79579d4b3d066ee0

    SHA256

    03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

    SHA512

    5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

  • C:\Windows\SysWOW64\CryptoKit.AmericanExpress.x86.dll

    Filesize

    1.1MB

    MD5

    24531402473ba2fd136579ac4c9b68f4

    SHA1

    6e13fb5513d286507a2d4c0473e1dc257fd768c8

    SHA256

    7b2df3b7a2f4b747a32ca48bcb9b442231740caaf96ed79af46d74c340edc291

    SHA512

    a0d372b78d6b2bb04810e561b63043e416697329d7cfd79b81856451d2da7b42f0e7aa409af8687108fab4b2cd266e7e2ba2dfd50ad91637b70691ddb1a73169