Analysis
- max time kernel: 357s
- max time network: 365s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 08-01-2022 05:22

Static task: static1
Behavioral task: behavioral1
  Sample: CacheTask.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: CacheTask.exe
  Resource: win10-en-20211208

General
- Target: CacheTask.exe
- Size: 10.0MB
- MD5: c004d38310f828f384f4360591b2c090
- SHA1: 65c38148bbba7114556aab0d1aeb05d419fa590f
- SHA256: a2768bd2301f387a40cd9cbfea05af2f5a68791dce758e5ba9db29ff29e74f57
- SHA512: fdac8e831957d34095d034e3a9cf62f8e92c1bee781a87babb1eb30e046cb7646f717fe87311beeffccaba614a28d9b1099b6fcee2038faa17c087ade2d1f87b
Malware Config
Extracted
- Path: C:\Users\Public\Desktop\How to restore your files.txt
- addresses: upcr@protonmail.com
- https
Signatures
- Executes dropped EXE (1 IoC)
  Process: 1308 cobra.exe
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: 1308 cobra.exe
  File opened for modification:
    C:\Users\Admin\Pictures\SyncRestore.tif.locked
    C:\Users\Admin\Pictures\CheckpointPush.raw.locked
    C:\Users\Admin\Pictures\ConnectInvoke.tiff.locked
    C:\Users\Admin\Pictures\ConvertFromUse.png.locked
    C:\Users\Admin\Pictures\ExpandConvertTo.png.locked
    C:\Users\Admin\Pictures\NewSuspend.tif.locked
    C:\Users\Admin\Pictures\ResumeBackup.tif.locked
- Loads dropped DLL (2 IoCs)
  Process: 1576 CacheTask.exe (2 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: 1308 cobra.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\Documents\\desktop.kew"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  Processes: 1576 CacheTask.exe (1 event), 1308 cobra.exe (remaining 28 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 1308 cobra.exe, Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: 1576 CacheTask.exe (2 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1576 (CacheTask.exe) wrote to memory of PID 1308 (cobra.exe): 4 events
  All four writes go from the parent into the child it has just spawned, which is what CreateProcess itself does while setting up a new process; on its own this is not evidence of injection into a foreign process. The dropped-EXE and file-modification signatures above are the stronger indicators here.
Processes
- C:\Users\Admin\AppData\Local\Temp\CacheTask.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CacheTask.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Public\Documents\cobra.exe
    Command line: C:\Users\Public\Documents\cobra.exe
    - Executes dropped EXE
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
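Triage logic for the behaviours in the Signatures and Processes sections, as an added example that is not part of this report or of the sample. It consumes Sysmon-style process-create, file-create and registry-set events and flags the report's indicators: the two SHA256 hashes (loader and dropped encryptor), execution out of C:\Users\Public\Documents, a burst of .locked files written by one process, the ransom note on the public desktop, and a Wallpaper value rewritten by a process other than explorer.exe or SystemSettings.exe. The event list is constructed to mirror the report's process tree, file list and registry write (timestamps are invented); the event schema, rule names, thresholds and the wallpaper-setter allowlist are my own assumptions.

```python
"""Flag the behaviours this report attributes to CacheTask.exe / cobra.exe.

Added example; the event schema, rule names, thresholds and the
WALLPAPER_SETTERS allowlist are assumptions, not something the report or the
sample defines.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# SHA256 values copied from the report (General and Downloads sections).
KNOWN_BAD_SHA256 = {
    "a2768bd2301f387a40cd9cbfea05af2f5a68791dce758e5ba9db29ff29e74f57": "CacheTask.exe (submitted loader)",
    "3f6b8214ecf761a419ca664c022c68d10aa3d6e905aa539796821a0083c0a52e": "cobra.exe (dropped encryptor)",
}
RANSOM_EXT = ".locked"
RANSOM_NOTE = "how to restore your files.txt"
WALLPAPER_VALUE = "\\control panel\\desktop\\wallpaper"
# Processes that legitimately rewrite the Wallpaper value (assumed allowlist).
WALLPAPER_SETTERS = {"explorer.exe", "systemsettings.exe"}
PUBLIC_DOCS = "c:\\users\\public\\documents\\"


def detect(events, rename_threshold=5, window=timedelta(seconds=30)):
    """Return (rule, pid, detail) tuples for every matching event.

    A .locked burst is reported once per process when at least
    `rename_threshold` such files are written inside `window`.
    """
    findings = []
    locked_times = defaultdict(list)  # pid -> timestamps of .locked writes
    for e in events:
        image = e["image"].lower()
        pid = e["pid"]
        if e["type"] == "process_create":
            if e.get("sha256") in KNOWN_BAD_SHA256:
                findings.append(("known_bad_hash", pid, KNOWN_BAD_SHA256[e["sha256"]]))
            if image.startswith(PUBLIC_DOCS):
                findings.append(("exec_from_public_documents", pid, e["image"]))
        elif e["type"] == "file_create":
            target = e["target"].lower()
            if target.endswith(RANSOM_EXT):
                locked_times[pid].append(datetime.fromisoformat(e["t"]))
            elif target.endswith(RANSOM_NOTE):
                findings.append(("ransom_note_dropped", pid, e["target"]))
        elif e["type"] == "registry_set":
            setter = image.rsplit("\\", 1)[-1]
            if e["key"].lower().endswith(WALLPAPER_VALUE) and setter not in WALLPAPER_SETTERS:
                findings.append(("wallpaper_set_by_unexpected_process", pid, e["data"]))
    # Sliding window over each process's .locked writes; one finding per process.
    for pid, times in locked_times.items():
        times.sort()
        for i in range(len(times) - rename_threshold + 1):
            if times[i + rename_threshold - 1] - times[i] <= window:
                findings.append(("mass_rename_to_locked", pid, f"{len(times)} files"))
                break
    return findings


# Constructed Sysmon-style events mirroring the report's process tree, file
# list and registry write; the timestamps are invented.
CACHETASK = r"C:\Users\Admin\AppData\Local\Temp\CacheTask.exe"
COBRA = r"C:\Users\Public\Documents\cobra.exe"
WALLPAPER_KEY = (r"HKU\S-1-5-21-3846991908-3261386348-1409841751-1000"
                 r"\Control Panel\Desktop\Wallpaper")
PICTURES = ["SyncRestore.tif", "CheckpointPush.raw", "ConnectInvoke.tiff", "ConvertFromUse.png",
            "ExpandConvertTo.png", "NewSuspend.tif", "ResumeBackup.tif"]
SAMPLE_EVENTS = [
    {"type": "process_create", "t": "2022-01-08T05:22:10", "pid": 1576, "image": CACHETASK,
     "sha256": "a2768bd2301f387a40cd9cbfea05af2f5a68791dce758e5ba9db29ff29e74f57"},
    {"type": "file_create", "t": "2022-01-08T05:22:11", "pid": 1576, "image": CACHETASK, "target": COBRA},
    {"type": "process_create", "t": "2022-01-08T05:22:12", "pid": 1308, "image": COBRA,
     "sha256": "3f6b8214ecf761a419ca664c022c68d10aa3d6e905aa539796821a0083c0a52e"},
    {"type": "registry_set", "t": "2022-01-08T05:22:13", "pid": 1308, "image": COBRA,
     "key": WALLPAPER_KEY, "data": r"C:\Users\Public\Documents\desktop.kew"},
] + [
    {"type": "file_create", "t": f"2022-01-08T05:22:{14 + i:02d}", "pid": 1308, "image": COBRA,
     "target": "C:\\Users\\Admin\\Pictures\\" + name + RANSOM_EXT}
    for i, name in enumerate(PICTURES)
] + [
    {"type": "file_create", "t": "2022-01-08T05:22:25", "pid": 1308, "image": COBRA,
     "target": r"C:\Users\Public\Desktop\How to restore your files.txt"},
]
# Benign activity that must not fire: explorer.exe changing the wallpaper and a
# single .locked file written by a backup tool (both constructed).
BENIGN_EVENTS = [
    {"type": "registry_set", "t": "2022-01-08T06:00:00", "pid": 900, "image": r"C:\Windows\explorer.exe",
     "key": WALLPAPER_KEY, "data": r"C:\Users\Admin\Pictures\beach.jpg"},
    {"type": "file_create", "t": "2022-01-08T06:00:01", "pid": 901, "image": r"C:\Program Files\Backup\backup.exe",
     "target": r"C:\Users\Admin\Documents\report.docx.locked"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:38} pid={pid} {detail}")
```

The hash rule is the brittle one: a rebuilt dropper changes both SHA256 values, while the behavioural rules (public-folder execution, the .locked burst, the wallpaper write by a non-shell process, the note on the public desktop) survive repacking. The threshold and window are deliberately conservative; tune them against your own file-write baseline before deploying.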
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Documents\cobra.exe
  MD5: 96abad6cc44497291f8398a78389f064
  SHA1: 7297914534b2c1f07ef1c29a4476cd1c3fa6aa3c
  SHA256: 3f6b8214ecf761a419ca664c022c68d10aa3d6e905aa539796821a0083c0a52e
  SHA512: 9a098b6fa47f80435f4d66eeeeb34a717a0993f859b6e4cef2497e16fc01513693f6fb91f53f83096093cd17f051329584933269af5210c39720ed0d328d316d
- C:\Users\Public\Documents\desktop.kew
  MD5: 15d99631b520d4919e935381597c3b97
  SHA1: 8b837107f3248c1a5739a3f0dbf0b4c55cf3a782
  SHA256: 481299e2f3d6d08e652cc85f471200b5fdda00a71186d734953f93ffdce6883d
  SHA512: 7536e0b835ccf7244e7dbb635a4475c9009718bb28519e591d5c0cc2e72552c9885c410dabc75630dfec47c66db012697770a8891dcb61c85fc5bcfd45ba764f
- C:\Users\Public\Documents\pukey.kew
  MD5: 4f89fddea85c6b426b7a2f09990cc44e
  SHA1: 36bde319718941777732b7b95cb35158259ff07d
  SHA256: b000437b1118009a578b0c59b1e2561f384cd322717e979c67d9cb58f8a582e5
  SHA512: cfddf945c6244dd32d6eac5ec2a68496e080a582413ce44657f1f8779da26bdf03ffe44b993f896572f19e8603402f5745afbe0f530cc964c909e1d80f82f021
- \Users\Public\Documents\cobra.exe (same file as the first entry, recorded again under a drive-less path)
  MD5: 96abad6cc44497291f8398a78389f064
  SHA1: 7297914534b2c1f07ef1c29a4476cd1c3fa6aa3c
  SHA256: 3f6b8214ecf761a419ca664c022c68d10aa3d6e905aa539796821a0083c0a52e
  SHA512: 9a098b6fa47f80435f4d66eeeeb34a717a0993f859b6e4cef2497e16fc01513693f6fb91f53f83096093cd17f051329584933269af5210c39720ed0d328d316d
- memory/1308-56-0x0000000000000000-mapping.dmp
- memory/1432-60-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp (Filesize: 8KB)
- memory/1576-53-0x0000000076451000-0x0000000076453000-memory.dmp (Filesize: 8KB)