Overview

overview

10

Static

static

s1.exe

windows7_x64

10

s1.exe

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-03-2021 06:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    s1.exe

  • Size

    1.3MB

  • MD5

    0e55ead3b8fd305d9a54f78c7b56741a

  • SHA1

    f7b084e581a8dcea450c2652f8058d93797413c3

  • SHA256

    2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff

  • SHA512

    5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa

Score
10/10
dearcrypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\WEBRESOURCES\RESOURCE0\STATIC\JS\PLUGINS\DESKTOP-CONNECTOR-FILES\readme.txt

Family

dearcry

Ransom Note
Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! 638428e5021d4ae247b21acf9c0bf6f6

Signatures

  • DearCry

    DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.

    ransomwaredearcry
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 58 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 24 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 59 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 49 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\s1.exe
    "C:\Users\Admin\AppData\Local\Temp\s1.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:4716
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2896 -s 4336
    1⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:536
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:856
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 856 -s 7468
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4592
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3984
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2028
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2236
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4752
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4836

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$RECYCLE.BIN\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini
    MD5

    a526b9e7c716b3489d8cc062fbce4005

    SHA1

    2df502a944ff721241be20a9e449d2acd07e0312

    SHA256

    e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

    SHA512

    d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db
    MD5

    4534f12102d235344cf8dda748f0cabf

    SHA1

    7db67baceeecb3a420bf37a7beca4a45185f8f3c

    SHA256

    1bd4db450abc8914c2fac721cace2704ff4c16028e6d07293154dad289835694

    SHA512

    7b4dacdbc6a2fccdd3818eb41b7fa23eeec51f333af0e842d9185c7ae45eba1623369b1caa27b824cba10c4cd6a2cdbf7f127ab2c6f7656eedce5fe25a0b84a2

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.CRYPT
    MD5

    e4f5927fbac975982ef1cb3325bf9ef6

    SHA1

    86d05138582656f5ab48d811ac9b59ce00c6022c

    SHA256

    9e0f82ab4a1b5c9f541dc376eaec34fcc74afd80830b01198fc9d6ac0073c9dd

    SHA512

    e369455c7921b4f0b0d18926b3ada385a7460ddcec889b8e7b75d860172ba590fbcd11fa62c00bc656927b8ce5f78e8fadb3b09d1d2e7be170e2cf0ed4e33ced

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.CRYPT
    MD5

    7d2c98c502c44040cd0394b89aae9d43

    SHA1

    08fc97ed4eb68db205021779a0f1d2d770712230

    SHA256

    81e036bf9ba4b1c73fd2b9ff7de341b94fe6cc9765379c713af98ad7fe6f240a

    SHA512

    8968a53c9a305be1559d654231d80e6812ad273cf6bcafc9966398253b85e45a2606fc3178cae826981605856c309a668024e128c901b47e1d9b2bb9b33f8995

    Download Submit

  • C:\USERS\ADMIN\DESKTOP\DEBUGSET.XLSX.CRYPT
    MD5

    fedc70027347a3292f74f02d12438320

    SHA1

    59718d8e93ae8f48f4f2f8c798a54cb87eb0c458

    SHA256

    90d3a41a2a3918ea5a745d088de4f242e32ce9cc9dd2025735703073a8207cdd

    SHA512

    17180232e61382526ede39589008b911d08acabf817b230e2d4a1e039991513f546e53089cc8da2f12e03eca33446f7d65f34007d326acfd8cca5d69401c7b97

    Download Submit

  • C:\USERS\ADMIN\DESKTOP\DESKTOP.INI.CRYPT
    MD5

    027dea6687dedefe734513b8208553cf

    SHA1

    852e4a98920b70e25d9b8f64d64e2452f9ad1b8d

    SHA256

    d7f86e62ca8eb8efeccdf3dbf80d6b8e0d9d4bfad47f31f2a50d7fb887dcde33

    SHA512

    3486ec046a9df9206efb06cc78dc0b58b22e0631ff5fbbecba86284a29839170b69146cb2ed7b1a7e092b8a36272a2b3494e3a9214adbac223a63bdfc1e08b34

    Download Submit

  • C:\USERS\ADMIN\DESKTOP\GETGRANT.XML.CRYPT
    MD5

    39d826cda03bb943b4e097684281ce43

    SHA1

    4016d68db00604a7b06a89e16286fd03a5e0bddc

    SHA256

    2992abec28b4cecb70bdb941518a4623b7b5bb6249ffaa9b8ddea593513507dc

    SHA512

    85c410012add19e68d6d73f7fae3d2c2bcc8544fce4aff51d51d4b6666e7b75d99b649741b0fb3ebb828cfdd2c8947232515f2fef14cc1af7a617084bb6e8a5d

    Download Submit

  • C:\USERS\ADMIN\DESKTOP\README.TXT
    MD5

    dbac9649c4bd702f55fbd1afafe87c44

    SHA1

    0d914f4a809cfe400ca111ebfbd0ad552d500785

    SHA256

    b9dfa3b30224bd5eef298531c945d5f2f6bb978b7ef42e5ef09715a535172127

    SHA512

    86d7786b400303b1fb722689aba7e8ef6a01ad7e2776194c5d545a7d7357dd91e7079296790587210683db7f4385f98f281272fd3d1ad6770dabf401709a6415

    Download Submit

  • C:\USERS\PUBLIC\DESKTOP\README.TXT
    MD5

    dbac9649c4bd702f55fbd1afafe87c44

    SHA1

    0d914f4a809cfe400ca111ebfbd0ad552d500785

    SHA256

    b9dfa3b30224bd5eef298531c945d5f2f6bb978b7ef42e5ef09715a535172127

    SHA512

    86d7786b400303b1fb722689aba7e8ef6a01ad7e2776194c5d545a7d7357dd91e7079296790587210683db7f4385f98f281272fd3d1ad6770dabf401709a6415

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
    MD5

    e0fd7e6b4853592ac9ac73df9d83783f

    SHA1

    2834e77dfa1269ddad948b87d88887e84179594a

    SHA256

    feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122

    SHA512

    289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db
    MD5

    4534f12102d235344cf8dda748f0cabf

    SHA1

    7db67baceeecb3a420bf37a7beca4a45185f8f3c

    SHA256

    1bd4db450abc8914c2fac721cace2704ff4c16028e6d07293154dad289835694

    SHA512

    7b4dacdbc6a2fccdd3818eb41b7fa23eeec51f333af0e842d9185c7ae45eba1623369b1caa27b824cba10c4cd6a2cdbf7f127ab2c6f7656eedce5fe25a0b84a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001c.db
    MD5

    001ed257544479fa1d1d84aacbd780a7

    SHA1

    4e95b0b5a1933198ce75f73a422c3b91aac7b27c

    SHA256

    b472e5d0984e03cde3b9fceda14a15fabbdc0bf9a30e90cddadf0d34bb8a54d8

    SHA512

    6b7cbc42f3e2578668453cfef198ccdbf23e6cb90872999345e7865e386c1c24c40e60713f159c27e1f0f21c63b53b1b4b4de12c469efa4733b50f0c839c0b66

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001c.db.CRYPT
    MD5

    f426d69bea7001c6734e6141f4d8c509

    SHA1

    3e80506588ef749a9b9ba037da23c783b8077055

    SHA256

    21b2d2be13686629f8968820c913782e017ba1160516b670e8526f1ff0ba35e0

    SHA512

    262a14f2f770f0b1b65dbb3edf0f14797daa232df478bd7090298aed07d3aaeb236643795ac05e567cb3514ea44121949ba17be7816c7aeb3344ef2e545baca4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
    MD5

    e6065c4aa2ab1603008fc18410f579d4

    SHA1

    9a7dcfd9029de86dc088ee6ebbef48df90e7c6cd

    SHA256

    4e29ad18ab9f42d7c233500771a39d7c852b200baf328fd00fbbe3fecea1eb56

    SHA512

    1339d6533a0b875db3f1f607290f8de0e8f79172390faa03fe1ae15cb738b9c64828b08ed11721acc2909cc9394cc9cc115c9d7c9895cefa76f5146614961277

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
    MD5

    506a35f36201d6f79862a8e389876adf

    SHA1

    9b45b974cd3850f9605c6c82c8d3138345a74839

    SHA256

    f20743e297338fab797dfb58dd9f2f4e73a5c08fc3de9183a68f4d2338a86335

    SHA512

    aed11ed7530a4f729c86d7d294ff529f3829186a96320895cd21dd834ed1a0d8c71bc902e0de908c27012035b8ec9f04b5a1f3757586a431ac373c9da72a32a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
    MD5

    e6065c4aa2ab1603008fc18410f579d4

    SHA1

    9a7dcfd9029de86dc088ee6ebbef48df90e7c6cd

    SHA256

    4e29ad18ab9f42d7c233500771a39d7c852b200baf328fd00fbbe3fecea1eb56

    SHA512

    1339d6533a0b875db3f1f607290f8de0e8f79172390faa03fe1ae15cb738b9c64828b08ed11721acc2909cc9394cc9cc115c9d7c9895cefa76f5146614961277

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
    MD5

    c8089308e0aa17a8c27e2ec9bddb3eaf

    SHA1

    d19f88f36167db54f9ba47d2d5ef4235a375db6b

    SHA256

    1d03774a1f648ed962c942507eff3d413e723e443944c9d32fc808eeb80faeb2

    SHA512

    0cddec91b7026e35effecff7013dc38d562f114115698dcc159bd46ee90ad059e09fd262bd522f4d0ba94f2436d3e9ae8b6ae9c43d1b1fdd81f78df418229f74

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    MD5

    e6065c4aa2ab1603008fc18410f579d4

    SHA1

    9a7dcfd9029de86dc088ee6ebbef48df90e7c6cd

    SHA256

    4e29ad18ab9f42d7c233500771a39d7c852b200baf328fd00fbbe3fecea1eb56

    SHA512

    1339d6533a0b875db3f1f607290f8de0e8f79172390faa03fe1ae15cb738b9c64828b08ed11721acc2909cc9394cc9cc115c9d7c9895cefa76f5146614961277

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    MD5

    685da71ca665fe1583398c2e46210d99

    SHA1

    c0c623d2c7cebf386a84b7c5ef66abca669ced6e

    SHA256

    a025d32aab5eecbc4f3628a9a783d25c2b32b153a685e47928703e9baaf022e1

    SHA512

    a469947847962494ba62ebb3b2e0039949bff06ee3f83b81f0357652d48e8f80982b1af42b4b9d4a69d238ca11d93bb54c04cdb05d21f828b0fd11d69cf47a61

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db
    MD5

    c7c6abfa9cb508f7fc178d4045313a94

    SHA1

    4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2

    SHA256

    1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4

    SHA512

    9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    MD5

    5676966ce54e41e4392f9686773442eb

    SHA1

    704662fede611ab81213ff6a29948c192f7a6308

    SHA256

    6a528cc4d47b544e9a19ae637cc7c36f60b4c47871e922d2dcb6a8abc954d73a

    SHA512

    8fccf3bed4441270484cb303ca090b0fc3f3f9dc275a97476bcfb9fb7afaf2bddd91ba6a26a8b2d4fc0ee9715d55d8ea62d8784f56c0eb9db3a6a4684bb1a762

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
    MD5

    419a089e66b9e18ada06c459b000cb4d

    SHA1

    ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a

    SHA256

    c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424

    SHA512

    bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
    MD5

    f2f307173aad721fde47227b142a9888

    SHA1

    eefc1799f5552444c02ce8ed3583ce9b1efd5d0e

    SHA256

    234472b32050baa83ff1392f43685fc6aa2ab734afeae40a33c849af50b8adb7

    SHA512

    331914ef002af8c3fb6e30a953eef1346f29512911ecb7d41c50e84a86ca3b680876664217159b52a1ff5f8700737de43c8936b5534f12b6a6135e2a6ed16340

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    MD5

    f2e8d68c9f7d5e7e633834ac9914e6e0

    SHA1

    6117a00aa9fe6f47eb46ae729ab2b0562dbc4fb2

    SHA256

    1a3acc499290a053e4e7d418fb2848eba965caf47a1817f86ffa14e9bfb3c764

    SHA512

    4ddfcfc7733361126c6460dc955d5cbe29b41a8bebbcef7e01a0b720d7cabe874fa128740e9d4c227f71180b4d0d6f59fb879decef9c7247b8bfcccbc81cd7fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    MD5

    ae6fbded57f9f7d048b95468ddee47ca

    SHA1

    c4473ea845be2fb5d28a61efd72f19d74d5fc82e

    SHA256

    d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

    SHA512

    f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    MD5

    cffeb3c338ab11ea84408ddcfb938129

    SHA1

    c852276ed2c6c6936c48f6ae48b313a60c68d89b

    SHA256

    35217bfdee16fa4190f9dd373555081e852718859279ce2498f1e3203fd086bd

    SHA512

    ab1bb6a508e9aefe3c5069f1d529e1c0c133a403fc23d84674801833fbfe12ee0eadd6deba36a4e90adc173285cc554d6335938fb31374f4d352230e0415d945

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QPYVXJAR\microsoft.windows[1].xml
    MD5

    202d94dfda384e5e9e8b3148f2eb6c2b

    SHA1

    f85079296275586e4facca028514a925e13c8f3b

    SHA256

    33c2bb6c898e7e4300d4ed205e244f993966fe212e54cb20dcd1201ec1112cb9

    SHA512

    fb2bc73b6dc8c08be5554fb3563eefc70c290147789b87c2a07094c02472da67b80a10f494460bc01af5ca2e78d83202fac8a11ff6849377c01a2862cf5a9ca2

    Download Submit

  • C:\Users\All Users\Microsoft\Windows\WER\Temp\WER2C50.tmp.WERInternalMetadata.xml
    MD5

    7a178626e9cec55901d409fdabbc6a32

    SHA1

    c2169b3ba7518a741ef96a97c7b2dbf12dfe929b

    SHA256

    8c5def114221a92105043a8221a5979737482d14843294e5946826a7c4175099

    SHA512

    5cac2af4cb54e830bb0465d712eb0ca5879084b00b0c5962dfcd509c9ce16c85a37bd9925767b35cbb47e49d40e4e8aa8bdd7b00e4e918a091b559b719cd49a4

    Download Submit

  • memory/536-2-0x000001A73D7F0000-0x000001A73D7F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/536-3-0x000001A73D7F0000-0x000001A73D7F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4592-17-0x000002F132910000-0x000002F132911000-memory.dmp

    Filesize

    4KB

    Download