dearcry | fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65

General

Target

fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
Size

1.3MB
MD5

6be28a4523984698e7154671f73361bf
SHA1

b974375ef0f6dcb6ce30558df2ed8570bf1ad642
SHA256

fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
SHA512

c3a44431e8cbb76d75ea2a1caca6fe77dfbd2a9565da918620433d415d396c08394ecb1c6454fc69661d61683711e53b60a69435e25518a04e81c20136f62f20

Score

10^/10

dearcry ransomware spyware stealer

Malware Config

Extracted

Path

C:\PROGRAM FILES\WINDOWS SIDEBAR\GADGETS\SLIDESHOW.GADGET\IMAGES\ON_DESKTOP\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! d37fc1eabc6783a418d23a8d2ba5db5a

Emails

[email protected]

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ExpandCopy.tiff	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Users\Admin\Pictures\ExpandCopy.tiff.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Pictures\StopMeasure.tiff	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Users\Admin\Pictures\StopMeasure.tiff.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 62 IoCs

Processes:

fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NU1L7O13\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8HHGB03\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\settings.js	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\main.css	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\settings.css	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\License.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Mozilla Firefox\update-settings.ini.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\clock.css	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1296 1180 WerFault.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1296 WerFault.exe
1296 WerFault.exe
1296 WerFault.exe
1296 WerFault.exe
1296 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1296 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1296 WerFault.exe

pid	pid_target	process	target process
1296	1180	WerFault.exe

pid	process
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe

pid	process
1296	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1296	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
"C:\Users\Admin\AppData\Local\Temp\fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1180 -s 2144
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1296-60-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download
memory/1296-61-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads