Overview

overview

10

Static

static

fdec933ca1...le.exe

windows7_x64

10

fdec933ca1...le.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-07-2021 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe

  • Size

    1.3MB

  • MD5

    6be28a4523984698e7154671f73361bf

  • SHA1

    b974375ef0f6dcb6ce30558df2ed8570bf1ad642

  • SHA256

    fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65

  • SHA512

    c3a44431e8cbb76d75ea2a1caca6fe77dfbd2a9565da918620433d415d396c08394ecb1c6454fc69661d61683711e53b60a69435e25518a04e81c20136f62f20

Score
10/10
dearcrypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\PROGRAMDATA\DESKTOP\readme.txt

Family

dearcry

Ransom Note
Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! d37fc1eabc6783a418d23a8d2ba5db5a

Signatures

  • DearCry

    DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.

    ransomwaredearcry
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 56 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:660
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3020 -s 2376
    1⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:204
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1444
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3988
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3032

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db
    MD5

    4534f12102d235344cf8dda748f0cabf

    SHA1

    7db67baceeecb3a420bf37a7beca4a45185f8f3c

    SHA256

    1bd4db450abc8914c2fac721cace2704ff4c16028e6d07293154dad289835694

    SHA512

    7b4dacdbc6a2fccdd3818eb41b7fa23eeec51f333af0e842d9185c7ae45eba1623369b1caa27b824cba10c4cd6a2cdbf7f127ab2c6f7656eedce5fe25a0b84a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db
    MD5

    4534f12102d235344cf8dda748f0cabf

    SHA1

    7db67baceeecb3a420bf37a7beca4a45185f8f3c

    SHA256

    1bd4db450abc8914c2fac721cace2704ff4c16028e6d07293154dad289835694

    SHA512

    7b4dacdbc6a2fccdd3818eb41b7fa23eeec51f333af0e842d9185c7ae45eba1623369b1caa27b824cba10c4cd6a2cdbf7f127ab2c6f7656eedce5fe25a0b84a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db
    MD5

    001ed257544479fa1d1d84aacbd780a7

    SHA1

    4e95b0b5a1933198ce75f73a422c3b91aac7b27c

    SHA256

    b472e5d0984e03cde3b9fceda14a15fabbdc0bf9a30e90cddadf0d34bb8a54d8

    SHA512

    6b7cbc42f3e2578668453cfef198ccdbf23e6cb90872999345e7865e386c1c24c40e60713f159c27e1f0f21c63b53b1b4b4de12c469efa4733b50f0c839c0b66

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db.CRYPT
    MD5

    7254be21759092c555dde3a51a5862dc

    SHA1

    fa009a14c5b02b6f784b55b2b3be810211127281

    SHA256

    617bf2fca9da48245351ec53a4fe8df24055b1bdbaad702b657185a56c1e7a57

    SHA512

    7b9ffdc40bdf1ebd593b707367a54554a8748edaa896152768f76b16e53540751b0cb00931a88c2b3192723bb13ea1a98431bea6156943581c0be142ed4b702d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    MD5

    e6065c4aa2ab1603008fc18410f579d4

    SHA1

    9a7dcfd9029de86dc088ee6ebbef48df90e7c6cd

    SHA256

    4e29ad18ab9f42d7c233500771a39d7c852b200baf328fd00fbbe3fecea1eb56

    SHA512

    1339d6533a0b875db3f1f607290f8de0e8f79172390faa03fe1ae15cb738b9c64828b08ed11721acc2909cc9394cc9cc115c9d7c9895cefa76f5146614961277

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    MD5

    d62de45260290993ab8f379c928263eb

    SHA1

    1a885ddfea2427607247084565bf7b547005b7cc

    SHA256

    5443a81a010bc1ff7da14947d3737287a2045bac55e5a7057ce5d17171989c58

    SHA512

    66228c968e4691940ec8e3265de44ca328e7787dcd04fd4a6a0142a63164f70aaada515221e2a9654d7790e90ed1b73cf63024f65c72b3313b05c82c3ee67ec3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
    MD5

    e6065c4aa2ab1603008fc18410f579d4

    SHA1

    9a7dcfd9029de86dc088ee6ebbef48df90e7c6cd

    SHA256

    4e29ad18ab9f42d7c233500771a39d7c852b200baf328fd00fbbe3fecea1eb56

    SHA512

    1339d6533a0b875db3f1f607290f8de0e8f79172390faa03fe1ae15cb738b9c64828b08ed11721acc2909cc9394cc9cc115c9d7c9895cefa76f5146614961277

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    MD5

    c7c6abfa9cb508f7fc178d4045313a94

    SHA1

    4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2

    SHA256

    1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4

    SHA512

    9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    MD5

    d6caa2bafaa1f789df8d5a17dbbd0911

    SHA1

    4ac629c0830d03a257652676b3fc44fafbb72930

    SHA256

    c157eaf93469665e2a674f2f637b9e22c7721d8d9b42ad0e73a832568871da8c

    SHA512

    55d9757e1bb0dc24b58513d53cd014d15604042887daa544801ccd44e1cf016aa1b4d3ebb6eea5d811fdf361be246c3ac1c5c93b8b76caa819c2e0fc67659d04

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
    MD5

    af35b0d348e5162036e183339d385b0c

    SHA1

    2927490ade868795ecdd8febe05214cbd243ef35

    SHA256

    b6ac3cc10386331c765f04f041c147d0f278f2aed8eaa021e2d0057fc6f6ff9e

    SHA512

    6486a74d95f54812a76071f6c6344ab6d34df3da685ec70dc78d9c5804b4ee3c449d9e68a6b52491f8275b838c2cd9102c3c223a620bbee2671edbff2611594e

    Download Submit

  • memory/1444-122-0x0000000001600000-0x0000000001601000-memory.dmp

    Filesize

    4KB

    Download