55453f794fbc569bf4afdf593aa27ff863bf1e1c67c7ccb5eb7bf48f29ff0de4

Analysis

max time kernel
519s
max time network
526s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30/05/2024, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$SYSDIR/CryptoKit.HSBC.x64.dll
Size

1.3MB
MD5

510f6561ce51936a460d7ccc2c04010c
SHA1

a1078a52039a14dbe476f67dfcae77c09f9339b4
SHA256

e00eba22c4ca5e9fadcd2ddd561b0cf9f9eb8ae7bac619777fc527354b10e016
SHA512

e700651aa50a9b00ef38ad2c5f74e220aa39f91708163844f94a109d0d4a7194ef7c093da416412c1b54fa7d22a3cf0cb97dd41f0002ca29005945a55d5d0bfc
SSDEEP

24576:IcdjuFD3DgfGCNSi4Q/HFFlCzqpD2iUl6ZBXi:Ic1uFbDgfGCN5V5VUl6Di

Score

7^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\CryptoKit.HSBC.x64.dll"	regsvr32.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\TypeLib\ = "{C144068A-2406-4068-8C2B-3B5E69F7AB38}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\TypeLib\ = "{C144068A-2406-4068-8C2B-3B5E69F7AB38}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\VersionIndependentProgID\ = "CryptoKit.CryptoAgent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\ = "CryptoKit.HSBC.x64 3.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\TypeLib\ = "{C144068A-2406-4068-8C2B-3B5E69F7AB38}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\ = "CryptoAgent Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CurVer\ = "CryptoKit.CryptoAgent.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\CryptoKit.HSBC.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\ = "CryptoAgent Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\ = "CryptoAgent Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID\ = "{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CLSID\ = "{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\CryptoKit.HSBC.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\ = "ICryptoAgent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}\ = "ICryptoAgent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F60495E5-04BE-44EE-9F5E-A14712D9B4BF}\ProgID\ = "CryptoKit.CryptoAgent.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C144068A-2406-4068-8C2B-3B5E69F7AB38}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{652D26AC-31D6-4A60-8646-4A5FD5B59DBD}	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$SYSDIR\CryptoKit.HSBC.x64.dll
1⤵
- Registers COM server for autorun
- Modifies registry class
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads