c64b827784a668b77b1b7b967820f3a5b1542b1f71e484ea9b8aab9f25c5f75a

Analysis

max time kernel
59s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2023, 16:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Cobra Crypter/Cobra Crypter.exe
Size

1.2MB
MD5

6aaafa89e12283c5461d13707aa8bc9a
SHA1

a9872ffa0e58dc26279733c0a4de6870040ffa88
SHA256

dcc3a1294c2706c1a945ee606bb6ea3c8c9894a5ce6120a4221a04439ceed0ef
SHA512

4d5296b6705eb5c77165adf6ea64478cc76b5307309914ea00d59bae640af02f85ef008e617343cb528944cadfb305a7632e527172615c6801c707847edaf2a6
SSDEEP

12288:65eDfgyvG/6bzdITY6Pfs6FzJTFHkNwKFSRFrd0dd8dLi2mIN5rIav0WfPyIo:KeDYNL86X5x2yRkdse6N5rPaIo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Cobra Crypter.exe

Executes dropped EXE 2 IoCs

pid	Process
4544	320Cobra Crypter.exe
4012	Cobra Crypter.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3192 set thread context of 4012	3192	Cobra Crypter.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2704	4012	WerFault.exe	93

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	Cobra Crypter.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 1948	3192	Cobra Crypter.exe	89
PID 3192 wrote to memory of 1948	3192	Cobra Crypter.exe	89
PID 3192 wrote to memory of 1948	3192	Cobra Crypter.exe	89
PID 3192 wrote to memory of 4544	3192	Cobra Crypter.exe	91
PID 3192 wrote to memory of 4544	3192	Cobra Crypter.exe	91
PID 3192 wrote to memory of 4544	3192	Cobra Crypter.exe	91
PID 1948 wrote to memory of 1476	1948	csc.exe	92
PID 1948 wrote to memory of 1476	1948	csc.exe	92
PID 1948 wrote to memory of 1476	1948	csc.exe	92
PID 3192 wrote to memory of 4012	3192	Cobra Crypter.exe	93
PID 3192 wrote to memory of 4012	3192	Cobra Crypter.exe	93
PID 3192 wrote to memory of 4012	3192	Cobra Crypter.exe	93
PID 3192 wrote to memory of 4012	3192	Cobra Crypter.exe	93

C:\Users\Admin\AppData\Local\Temp\Cobra Crypter\Cobra Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\Cobra Crypter\Cobra Crypter.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ixlkk7jx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6CE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD6CD.tmp"
    3⤵
    PID:1476
- C:\Users\Admin\AppData\Local\Temp\320Cobra Crypter.exe
  "C:\Users\Admin\AppData\Local\Temp\320Cobra Crypter.exe"
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Users\Admin\AppData\Roaming\Cobra Crypter.exe
  "C:\Users\Admin\AppData\Roaming\Cobra Crypter.exe"
  2⤵
  - Executes dropped EXE
  PID:4012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 12
    3⤵
    - Program crash
    PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4012 -ip 4012
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\320Cobra Crypter.exe

Filesize
615KB

MD5
cb20556ddcf634b42a16e283fcf7658c

SHA1
ea250c3defa3a35d69dabba4325d4c1f6c47d7ea

SHA256
d80fe5ffa4eba841d5960684501b6dc9e25c72928b8957672a56962af6bb5b41

SHA512
f2c5dfdfc580ed3f81388bdfde5d4ae45fda0e277d95dcba2d59e5ce507508adc74fc4154fc45c8be9098436d6e6cf120905c612033cde94dcb7e7373a61e287

Download Submit
C:\Users\Admin\AppData\Local\Temp\320Cobra Crypter.exe

Filesize
615KB

MD5
cb20556ddcf634b42a16e283fcf7658c

SHA1
ea250c3defa3a35d69dabba4325d4c1f6c47d7ea

SHA256
d80fe5ffa4eba841d5960684501b6dc9e25c72928b8957672a56962af6bb5b41

SHA512
f2c5dfdfc580ed3f81388bdfde5d4ae45fda0e277d95dcba2d59e5ce507508adc74fc4154fc45c8be9098436d6e6cf120905c612033cde94dcb7e7373a61e287

Download Submit
C:\Users\Admin\AppData\Local\Temp\320Cobra Crypter.exe

Filesize
615KB

MD5
cb20556ddcf634b42a16e283fcf7658c

SHA1
ea250c3defa3a35d69dabba4325d4c1f6c47d7ea

SHA256
d80fe5ffa4eba841d5960684501b6dc9e25c72928b8957672a56962af6bb5b41

SHA512
f2c5dfdfc580ed3f81388bdfde5d4ae45fda0e277d95dcba2d59e5ce507508adc74fc4154fc45c8be9098436d6e6cf120905c612033cde94dcb7e7373a61e287

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD6CE.tmp

Filesize
1KB

MD5
90707b85dd4545f0a1b71975d26028ae

SHA1
5650497477931b3b9630ddab9e13d24364b01cee

SHA256
af103a26e56f494519a0dcddf2a84695ecbb17098a6b480ab8c677be89323acb

SHA512
b9006cf82e3715de935964df2bed633ecb4b1ba917b98182b6a96b7ef83d696e36d534b9ab7fa38db848f8139f77b36db0962f0f589a31f2e65c0b1c3c877fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixlkk7jx.dll

Filesize
5KB

MD5
9dd38d47b3687a670391784889c58087

SHA1
efb07f794b2d0868932d93f874aa1e698c13482f

SHA256
e55e893e578bef97bffa3bd7609b1a7924c323ef4c48e56c9cdb1310bb0c374f

SHA512
b619e9bd2d7a906ec546951c548c8f7b2cf9d746d68dcb730bb7e3dd0a2f37fe0c910612442b77baf125d9d700bfa66d0a7c97d872779a766ca9b395eafc0b55

Download Submit
C:\Users\Admin\AppData\Roaming\Cobra Crypter.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD6CD.tmp

Filesize
652B

MD5
b2a15ef86d4eeac4462b6cc12063189f

SHA1
7a395f8c06694877910d1bca2ac6aa7f44d6a91e

SHA256
b492c57d0b8d2d414e6d8bf5f458b3da60edef4564871d5d1d514e636aa08002

SHA512
e36f3e3ed3edeca3d216a8f3f9ab95467cb866876c08a9bfb5b30cf32ccfafb487517c1d05ce37960f14ce8d602a2623dd1b4f7953c17a3c03790a1175430727

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ixlkk7jx.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ixlkk7jx.cmdline

Filesize
206B

MD5
67c64379510cb82e23851286c47e0ab7

SHA1
6c5653c93f893e55cec01947bab3a1bacf30d7db

SHA256
2366d8a16c2c828367d2ba00ae35da0488f2efaf1ebd61dd80db7253564fe365

SHA512
c78c649ed1cdd79bc27765fd9d0fcac6af10ea6937dff128a9ed3d2817ab093194eaac1182b8a1a8df2fd11c351af808ae78908a2ffb28fcac0b5e5aac06c8bc

Download Submit
memory/1948-150-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/3192-133-0x0000000001870000-0x0000000001880000-memory.dmp

Filesize
64KB

Download
memory/4544-164-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/4544-165-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/4544-163-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/4544-167-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/4544-171-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/4544-170-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/4544-174-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/4544-175-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download