dearcry | 027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27

General

Target

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
Size

1.3MB
MD5

a7e571312e05d547936aab18f0b30fbf
SHA1

e0d643e759b2adf736b451aff9afa92811ab8a99
SHA256

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
SHA512

20e8af2770aa1be935f7d1b74d6db6f9aeb5aebab016ac6c2e58e60b1b5c9029726fda7b75ed003bf4a1a5a480024231c6a90f5a3d812bf2438dc2c540a49f88

Score

10^/10

dearcry ransomware spyware stealer

Malware Config

Extracted

Path

C:\PROGRAM FILES\WINDOWS SIDEBAR\GADGETS\SLIDESHOW.GADGET\IMAGES\ON_DESKTOP\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! d37fc1eabc6783a418d23a8d2ba5db5a

Emails

[email protected]

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\InitializeConvert.tiff	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\InitializeConvert.tiff.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ReadRegister.tiff	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\ReadRegister.tiff.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\SwitchRestart.tif.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\WatchHide.tif.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 62 IoCs

Processes:

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8HHGB03\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NU1L7O13\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\desktop.ini.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\main.css	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jni.h	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrome.7z.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1732 1208 WerFault.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1732 WerFault.exe
1732 WerFault.exe
1732 WerFault.exe
1732 WerFault.exe
1732 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1732 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1732 WerFault.exe

pid	pid_target	process	target process
1732	1208	WerFault.exe

pid	process
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe

pid	process
1732	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1732	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
"C:\Users\Admin\AppData\Local\Temp\027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1208 -s 3028
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-59-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/1732-60-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads