Resubmissions

08/01/2022, 05:42

220108-gd2x2adbhp 10

08/01/2022, 05:22

220108-f2qn8scge3 10

Analysis

  • max time kernel
    357s
  • max time network
    365s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    08/01/2022, 05:22

General

  • Target

    CacheTask.exe

  • Size

    10.0MB

  • MD5

    c004d38310f828f384f4360591b2c090

  • SHA1

    65c38148bbba7114556aab0d1aeb05d419fa590f

  • SHA256

    a2768bd2301f387a40cd9cbfea05af2f5a68791dce758e5ba9db29ff29e74f57

  • SHA512

    fdac8e831957d34095d034e3a9cf62f8e92c1bee781a87babb1eb30e046cb7646f717fe87311beeffccaba614a28d9b1099b6fcee2038faa17c087ade2d1f87b

Malware Config

Extracted

Path

C:\Users\Public\Desktop\How to restore your files.txt

Ransom Note

All of your files have been encrypted. Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.

What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is 0.5 BTC. Payment can be made in Bitcoin only.

How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find how to buy Bitcoin? Many of our customers have reported these sites to be fast and reliable:
Coinmama - https://www.coinmama.com
Bitpanda - https://www.bitpanda.com

Contacts - [email protected]
BTC Address: bc1qnwdt2068q2asdxa9etz4epu44pf4z98m7e28l2
URLs

https

Signatures

  • Executes dropped EXE (1 IoCs)
  • Modifies extensions of user files (7 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (29 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\CacheTask.exe
    "C:\Users\Admin\AppData\Local\Temp\CacheTask.exe"
    PID: 1576
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Users\Public\Documents\cobra.exe (child of PID 1576)
      C:\Users\Public\Documents\cobra.exe
      PID: 1308
      • Executes dropped EXE
      • Modifies extensions of user files
      • Sets desktop wallpaper using registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID: 1432

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1432-60-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp
    Filesize: 8KB

  • memory/1576-53-0x0000000076451000-0x0000000076453000-memory.dmp
    Filesize: 8KB