Overview

overview

10

Static

static

3

2b9838da7e...ff.exe

windows7-x64

10

2b9838da7e...ff.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    617a0ef26dacf4c492487684212684360431f39c8e69748ba74dab77109b4a1e

  • Size

    577KB

  • Sample

    240724-vchpnawhmj

  • MD5

    7cc07197515a7d3a56ebea4c6239d216

  • SHA1

    1cd02ab0bd86fe78f5c2765020861e46bdf0593b

  • SHA256

    617a0ef26dacf4c492487684212684360431f39c8e69748ba74dab77109b4a1e

  • SHA512

    1639c403dee829039c997835776fcabb3fb76f9a8f3f825600ec3a6493729b8fe4a7bc7bdeebae0bfbf401bd62c356c2b5a84777bf8ca45ff2d6751401ac65e8

  • SSDEEP

    12288:2zhcvYAV9wRl962IKl40FfZGsmLmAt0HqsFOTDuIAXSIMn0CWbnAxc/e:2zhg9w0S40KsmLhqj6gHK0CW7Er

Score
10/10
dearcrydiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\DesktopSharingHub\readme.txt

Family

dearcry

Ransom Note
Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! 638428e5021d4ae247b21acf9c0bf6f6

Targets

    • Target

      2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe

    • Size

      1.3MB

    • MD5

      0e55ead3b8fd305d9a54f78c7b56741a

    • SHA1

      f7b084e581a8dcea450c2652f8058d93797413c3

    • SHA256

      2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff

    • SHA512

      5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa

    • SSDEEP

      24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkHVZgMCS+:L7XP7P9o5QzUtl1fpxkHVZgMC3

    Score
    10/10
    dearcrydiscoveryransomwarespywarestealerpersistence

    • DearCry

      DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.

      ransomwaredearcry

    • Renames multiple (3381) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks