Analysis
-
max time kernel
357s -
max time network
365s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
08-01-2022 05:22
General
-
Target
CacheTask.exe
-
Size
10.0MB
-
MD5
c004d38310f828f384f4360591b2c090
-
SHA1
65c38148bbba7114556aab0d1aeb05d419fa590f
-
SHA256
a2768bd2301f387a40cd9cbfea05af2f5a68791dce758e5ba9db29ff29e74f57
-
SHA512
fdac8e831957d34095d034e3a9cf62f8e92c1bee781a87babb1eb30e046cb7646f717fe87311beeffccaba614a28d9b1099b6fcee2038faa17c087ade2d1f87b
Malware Config
Extracted
C:\Users\Public\Desktop\How to restore your files.txt
addressesupcr@protonmail.com
https
Signatures
-
Executes dropped EXE 1 IoCs
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\CacheTask.exe"C:\Users\Admin\AppData\Local\Temp\CacheTask.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\cobra.exeC:\Users\Public\Documents\cobra.exe2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Documents\cobra.exeMD5
96abad6cc44497291f8398a78389f064
SHA17297914534b2c1f07ef1c29a4476cd1c3fa6aa3c
SHA2563f6b8214ecf761a419ca664c022c68d10aa3d6e905aa539796821a0083c0a52e
SHA5129a098b6fa47f80435f4d66eeeeb34a717a0993f859b6e4cef2497e16fc01513693f6fb91f53f83096093cd17f051329584933269af5210c39720ed0d328d316d
-
C:\Users\Public\Documents\desktop.kewMD5
15d99631b520d4919e935381597c3b97
SHA18b837107f3248c1a5739a3f0dbf0b4c55cf3a782
SHA256481299e2f3d6d08e652cc85f471200b5fdda00a71186d734953f93ffdce6883d
SHA5127536e0b835ccf7244e7dbb635a4475c9009718bb28519e591d5c0cc2e72552c9885c410dabc75630dfec47c66db012697770a8891dcb61c85fc5bcfd45ba764f
-
C:\Users\Public\Documents\pukey.kewMD5
4f89fddea85c6b426b7a2f09990cc44e
SHA136bde319718941777732b7b95cb35158259ff07d
SHA256b000437b1118009a578b0c59b1e2561f384cd322717e979c67d9cb58f8a582e5
SHA512cfddf945c6244dd32d6eac5ec2a68496e080a582413ce44657f1f8779da26bdf03ffe44b993f896572f19e8603402f5745afbe0f530cc964c909e1d80f82f021
-
\Users\Public\Documents\cobra.exeMD5
96abad6cc44497291f8398a78389f064
SHA17297914534b2c1f07ef1c29a4476cd1c3fa6aa3c
SHA2563f6b8214ecf761a419ca664c022c68d10aa3d6e905aa539796821a0083c0a52e
SHA5129a098b6fa47f80435f4d66eeeeb34a717a0993f859b6e4cef2497e16fc01513693f6fb91f53f83096093cd17f051329584933269af5210c39720ed0d328d316d
-
\Users\Public\Documents\cobra.exeMD5
96abad6cc44497291f8398a78389f064
SHA17297914534b2c1f07ef1c29a4476cd1c3fa6aa3c
SHA2563f6b8214ecf761a419ca664c022c68d10aa3d6e905aa539796821a0083c0a52e
SHA5129a098b6fa47f80435f4d66eeeeb34a717a0993f859b6e4cef2497e16fc01513693f6fb91f53f83096093cd17f051329584933269af5210c39720ed0d328d316d
-
memory/1308-56-0x0000000000000000-mapping.dmp
-
memory/1432-60-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmpFilesize
8KB
-
memory/1576-53-0x0000000076451000-0x0000000076453000-memory.dmpFilesize
8KB