dearcry | 027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27

General

Target

DC.exe
Size

1.3MB
MD5

a7e571312e05d547936aab18f0b30fbf
SHA1

e0d643e759b2adf736b451aff9afa92811ab8a99
SHA256

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
SHA512

20e8af2770aa1be935f7d1b74d6db6f9aeb5aebab016ac6c2e58e60b1b5c9029726fda7b75ed003bf4a1a5a480024231c6a90f5a3d812bf2438dc2c540a49f88

Score

10^/10

dearcry ransomware spyware stealer

Malware Config

Extracted

Path

C:\PROGRAM FILES\WINDOWS SIDEBAR\GADGETS\SLIDESHOW.GADGET\IMAGES\ON_DESKTOP\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. konedieyp@airmail.cc or uenwonken@memail.com And please send me the following hash! d37fc1eabc6783a418d23a8d2ba5db5a

Emails

konedieyp@airmail.cc

uenwonken@memail.com

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

DC.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\RepairReset.tif.CRYPT	DC.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectDisconnect.tiff	DC.exe
File created	C:\Users\Admin\Pictures\UnprotectDisconnect.tiff.CRYPT	DC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 62 IoCs

Processes:

DC.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	DC.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	DC.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	DC.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	DC.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	DC.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	DC.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	DC.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	DC.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	DC.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X6969WXQ\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	DC.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	DC.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	DC.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	DC.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XHJ74TZW\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GLQ59KOM\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	DC.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	DC.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	DC.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E1R8L62F\desktop.ini	DC.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	DC.exe
File opened for modification	C:\Users\Public\desktop.ini	DC.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	DC.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	DC.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	DC.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	DC.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	DC.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	DC.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	DC.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-293278959-2699126792-324916226-1000\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6O9TWDTA\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	DC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	DC.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2BO6MI1N\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SS7I88SX\desktop.ini	DC.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5JH7AFHU\desktop.ini	DC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	DC.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	DC.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	DC.exe
File opened for modification	C:\Program Files\desktop.ini	DC.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	DC.exe

Drops file in Program Files directory 64 IoCs

Processes:

DC.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	DC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html.CRYPT	DC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	DC.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\plugins.dat.CRYPT	DC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css	DC.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.CRYPT	DC.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.CRYPT	DC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js	DC.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.CRYPT	DC.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.CRYPT	DC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	DC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html	DC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	DC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	DC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat.CRYPT	DC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat	DC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.CRYPT	DC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.CRYPT	DC.exe
File created	C:\Program Files\Mozilla Firefox\install.log.CRYPT	DC.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.CRYPT	DC.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.CRYPT	DC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	DC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.CRYPT	DC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	DC.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.CRYPT	DC.exe
File created	C:\Program Files\Java\jre7\Welcome.html.CRYPT	DC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\slideShow.js	DC.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.CRYPT	DC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\v8_context_snapshot.bin	DC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\currency.css	DC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\picturePuzzle.css	DC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm.CRYPT	DC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\calendar.js	DC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.CRYPT	DC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css.CRYPT	DC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	DC.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js.CRYPT	DC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	DC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	DC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	DC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css.CRYPT	DC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	DC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js	DC.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.CRYPT	DC.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.CRYPT	DC.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.CRYPT	DC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	DC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html.CRYPT	DC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini	DC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	DC.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.CRYPT	DC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	DC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat	DC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt.CRYPT	DC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css	DC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js	DC.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.CRYPT	DC.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\icudtl.dat.CRYPT	DC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	DC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h	DC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h.CRYPT	DC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css	DC.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.CRYPT	DC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	DC.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1580 1224 WerFault.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1580 WerFault.exe
1580 WerFault.exe
1580 WerFault.exe
1580 WerFault.exe
1580 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1580 WerFault.exe

pid	pid_target	process	target process
1580	1224	WerFault.exe

pid	process
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1580	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DC.exe
"C:\Users\Admin\AppData\Local\Temp\DC.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1224 -s 1156
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1580-2-0x000007FEFB851000-0x000007FEFB853000-memory.dmp

Filesize
8KB

Download
memory/1580-3-0x0000000001E70000-0x0000000001E81000-memory.dmp

Filesize
68KB

Download
memory/1580-4-0x0000000001C10000-0x0000000001C11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads