Analysis

  • max time kernel
    316s
  • max time network
    385s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    30/05/2024, 09:46

General

  • Target

    $SYSDIR/CryptoKit.HSBC.exe

  • Size

    4.5MB

  • MD5

    88b6ed048456d41f4f9bdcebc69fdc04

  • SHA1

    05a0347a4abc84ec871932d6e9f8c59c4e206cc3

  • SHA256

    ab6068524bed05e25cfb24987d3c29f833ebe684e3072458ea25a0c826441314

  • SHA512

    9cd9e45f73427da24297a19aa4a4d5e4b7b928868879babd1e3b9a424ce0ff4cb23201e777b142d651c5a044364bb625badd546c55973ecc7c7a4538a0cabe08

  • SSDEEP

    98304:2Kr0mQVOjfSxgHtQBFZdG/Cgem9fy2vUIBjSj3btptYSSxIaGN:2Kr0mqHgHD7eYfy2vUcE3bt0InN

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$SYSDIR\CryptoKit.HSBC.exe
    "C:\Users\Admin\AppData\Local\Temp\$SYSDIR\CryptoKit.HSBC.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u "C:\Windows\system32\CryptoKit.HSBC.x64.dll" /s
      2⤵
      PID:4744
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u "C:\Windows\system32\CryptoKit.HSBC.x86.dll" /s
      2⤵
      PID:2672
    • C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" "C:\Windows\system32\CryptoKit.HSBC.x64.dll" /s
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:1088
    • C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32.exe" "C:\Windows\system32\CryptoKit.HSBC.x86.dll" /s
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:5108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\CryptoKit.HSBC.x86.dll

    Filesize

    1.0MB

    MD5

    d6093ec468e383c616154ec1c92e3f53

    SHA1

    9dd2406105c67f86085c9a82475c1e903690dc81

    SHA256

    fa69867c017873a36f500ff84dddde62439e3960dfae7d30b4038a4b56e834b2

    SHA512

    10ab0650d7e8e294cb6d4b7a7ff3e6e2ea4f1893be32eb00bd5db4bee0b2e6b51dab50e0f66500bf5602f1eec3abc236b3492cec97afa67470928d6260676e89

  • C:\Windows\system32\CryptoKit.HSBC.x64.dll

    Filesize

    1.3MB

    MD5

    510f6561ce51936a460d7ccc2c04010c

    SHA1

    a1078a52039a14dbe476f67dfcae77c09f9339b4

    SHA256

    e00eba22c4ca5e9fadcd2ddd561b0cf9f9eb8ae7bac619777fc527354b10e016

    SHA512

    e700651aa50a9b00ef38ad2c5f74e220aa39f91708163844f94a109d0d4a7194ef7c093da416412c1b54fa7d22a3cf0cb97dd41f0002ca29005945a55d5d0bfc

  • \Users\Admin\AppData\Local\Temp\nsm6497.tmp\System.dll

    Filesize

    11KB

    MD5

    959ea64598b9a3e494c00e8fa793be7e

    SHA1

    40f284a3b92c2f04b1038def79579d4b3d066ee0

    SHA256

    03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

    SHA512

    5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64