55453f794fbc569bf4afdf593aa27ff863bf1e1c67c7ccb5eb7bf48f29ff0de4

Analysis

max time kernel
316s
max time network
385s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30/05/2024, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$SYSDIR/CryptoKit.HSBC.exe
Size

4.5MB
MD5

88b6ed048456d41f4f9bdcebc69fdc04
SHA1

05a0347a4abc84ec871932d6e9f8c59c4e206cc3
SHA256

ab6068524bed05e25cfb24987d3c29f833ebe684e3072458ea25a0c826441314
SHA512

9cd9e45f73427da24297a19aa4a4d5e4b7b928868879babd1e3b9a424ce0ff4cb23201e777b142d651c5a044364bb625badd546c55973ecc7c7a4538a0cabe08
SSDEEP

98304:2Kr0mQVOjfSxgHtQBFZdG/Cgem9fy2vUIBjSj3btptYSSxIaGN:2Kr0mqHgHD7eYfy2vUcE3bt0InN

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4816	CryptoKit.HSBC.exe
1088	regsvr32.exe
5108	regsvr32.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\InprocServer32\ = "C:\\Windows\\system32\\CryptoKit.HSBC.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\CryptoKit.HSBC.x64.dll	CryptoKit.HSBC.exe
File created	C:\Windows\SysWOW64\CryptoKit.HSBC.x86.dll	CryptoKit.HSBC.exe
File created	C:\Windows\SysWOW64\npCryptoKit.HSBC.x86.dll	CryptoKit.HSBC.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CFCA\CryptoKit.HSBC\CryptoKitHost.HSBC.x86.exe	CryptoKit.HSBC.exe
File created	C:\Program Files (x86)\CFCA\CryptoKit.HSBC\com.cfca.CryptoKitHost.HSBC-win.json	CryptoKit.HSBC.exe
File created	C:\Program Files (x86)\CFCA\CryptoKit.HSBC\com.cfca.CryptoKitHost.HSBC-firefox.json	CryptoKit.HSBC.exe
File created	C:\Program Files (x86)\CFCA\CryptoKit.HSBC\uninst.exe	CryptoKit.HSBC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\TypeLib\ = "{C144068A-2406-4068-8C2B-3B5E69F7AB38}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\TypeLib\ = "{772C831A-5AB0-4E66-A03D-1174F8690D40}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\ = "CryptoAgent Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\InprocServer32\ = "C:\\Windows\\SysWow64\\CryptoKit.HSBC.x86.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\HELPDIR\ = "C:\\Windows\\system32"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\VersionIndependentProgID\ = "CryptoKit.CryptoAgent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\CryptoKit.HSBC.x86.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\TypeLib\ = "{C144068A-2406-4068-8C2B-3B5E69F7AB38}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\ = "ICryptoAgent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID\ = "{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\ = "CryptoAgent Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CLSID\ = "{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CLSID\ = "{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID\ = "{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\ProgID\ = "CryptoKit.CryptoAgent.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ = "ICryptoAgent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\0\win64\ = "C:\\Windows\\system32\\CryptoKit.HSBC.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\HELPDIR\ = "C:\\Windows\\system32"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\ = "CryptoAgent Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CurVer\ = "CryptoKit.CryptoAgent.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\TypeLib\ = "{C144068A-2406-4068-8C2B-3B5E69F7AB38}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\ = "CryptoKit.HSBC.x86 3.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\ = "ICryptoAgent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\ = "CryptoAgent Class"	regsvr32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 4744	4816	CryptoKit.HSBC.exe	72
PID 4816 wrote to memory of 4744	4816	CryptoKit.HSBC.exe	72
PID 4816 wrote to memory of 2672	4816	CryptoKit.HSBC.exe	73
PID 4816 wrote to memory of 2672	4816	CryptoKit.HSBC.exe	73
PID 4816 wrote to memory of 2672	4816	CryptoKit.HSBC.exe	73
PID 4816 wrote to memory of 1088	4816	CryptoKit.HSBC.exe	74
PID 4816 wrote to memory of 1088	4816	CryptoKit.HSBC.exe	74
PID 4816 wrote to memory of 5108	4816	CryptoKit.HSBC.exe	75
PID 4816 wrote to memory of 5108	4816	CryptoKit.HSBC.exe	75
PID 4816 wrote to memory of 5108	4816	CryptoKit.HSBC.exe	75

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\CryptoKit.HSBC.exe
"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\CryptoKit.HSBC.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /u "C:\Windows\system32\CryptoKit.HSBC.x64.dll" /s
  2⤵
  PID:4744
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /u "C:\Windows\system32\CryptoKit.HSBC.x86.dll" /s
  2⤵
  PID:2672
- C:\Windows\system32\regsvr32.exe
  "regsvr32.exe" "C:\Windows\system32\CryptoKit.HSBC.x64.dll" /s
  2⤵
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  PID:1088
- C:\Windows\SysWOW64\regsvr32.exe
  "regsvr32.exe" "C:\Windows\system32\CryptoKit.HSBC.x86.dll" /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CryptoKit.HSBC.x86.dll

Filesize
1.0MB

MD5
d6093ec468e383c616154ec1c92e3f53

SHA1
9dd2406105c67f86085c9a82475c1e903690dc81

SHA256
fa69867c017873a36f500ff84dddde62439e3960dfae7d30b4038a4b56e834b2

SHA512
10ab0650d7e8e294cb6d4b7a7ff3e6e2ea4f1893be32eb00bd5db4bee0b2e6b51dab50e0f66500bf5602f1eec3abc236b3492cec97afa67470928d6260676e89

Download Submit
C:\Windows\system32\CryptoKit.HSBC.x64.dll

Filesize
1.3MB

MD5
510f6561ce51936a460d7ccc2c04010c

SHA1
a1078a52039a14dbe476f67dfcae77c09f9339b4

SHA256
e00eba22c4ca5e9fadcd2ddd561b0cf9f9eb8ae7bac619777fc527354b10e016

SHA512
e700651aa50a9b00ef38ad2c5f74e220aa39f91708163844f94a109d0d4a7194ef7c093da416412c1b54fa7d22a3cf0cb97dd41f0002ca29005945a55d5d0bfc

Download Submit
\Users\Admin\AppData\Local\Temp\nsm6497.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads