dearcry | d3722c88f41e2a0a88ee0a6e696df83524662ea0ff5d30f441e05cdc4dbcf9cf

Analysis

max time kernel
141s
max time network
128s
platform
windows7_x64
resource
win7-en-20211208
submitted
19/01/2022, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e55ead3b8fd305d9a54f78c7b56741a.exe
Size

1.3MB
MD5

0e55ead3b8fd305d9a54f78c7b56741a
SHA1

f7b084e581a8dcea450c2652f8058d93797413c3
SHA256

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
SHA512

5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa

Score

10^/10

dearcry persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\Desktop\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! 638428e5021d4ae247b21acf9c0bf6f6

Emails

[email protected]

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\SearchMove.png.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Users\Admin\Pictures\UndoNew.tif.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Users\Admin\Pictures\CheckpointOpen.png.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini	Explorer.EXE
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\K819CMRP\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Explorer.EXE
File opened for modification	C:\Program Files\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\S3IV548V\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\imjplm.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OFFREL.DLL	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sl.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\settings.js	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_kn.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\VSTAProject.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\THMBNAIL.PNG.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador15.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\sunec.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_rest.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MAIN.XML.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGHEADING.XML	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_nl.dll.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue.css.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLMAPI32.DLL	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe.config	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_mr.dll.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Java\jre7\bin\server\Xusage.txt.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRLEX.DLL	0e55ead3b8fd305d9a54f78c7b56741a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	Explorer.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
436	1376	WerFault.exe	16

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1116	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1624	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	WerFault.exe
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 1624	436	WerFault.exe	32
PID 436 wrote to memory of 1624	436	WerFault.exe	32
PID 436 wrote to memory of 1624	436	WerFault.exe	32
PID 1624 wrote to memory of 1116	1624	Explorer.EXE	34
PID 1624 wrote to memory of 1116	1624	Explorer.EXE	34
PID 1624 wrote to memory of 1116	1624	Explorer.EXE	34

C:\Users\Admin\AppData\Local\Temp\0e55ead3b8fd305d9a54f78c7b56741a.exe
"C:\Users\Admin\AppData\Local\Temp\0e55ead3b8fd305d9a54f78c7b56741a.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1376 -s 1108
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\Explorer.EXE
  "C:\Windows\Explorer.EXE"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/436-56-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/436-53-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1624-57-0x000007FEFAFC1000-0x000007FEFAFC3000-memory.dmp

Filesize
8KB

Download