Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2024 16:50

General

  • Target

    2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe

  • Size

    1.3MB

  • MD5

    0e55ead3b8fd305d9a54f78c7b56741a

  • SHA1

    f7b084e581a8dcea450c2652f8058d93797413c3

  • SHA256

    2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff

  • SHA512

    5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa

  • SSDEEP

    24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkHVZgMCS+:L7XP7P9o5QzUtl1fpxkHVZgMC3

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\DesktopSharingHub\readme.txt

Family

dearcry

Ransom Note
Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! 638428e5021d4ae247b21acf9c0bf6f6

Signatures

  • DearCry

    DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.

  • Renames multiple (3381) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
    "C:\Users\Admin\AppData\Local\Temp\2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:2160

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

    Filesize

    16KB

    MD5

    0f96cefe93c14e6adece5ea787d35fb5

    SHA1

    3dfb1f74beab2ed12f2de06c0410e569058cb693

    SHA256

    748f3778ee8e6d99b6e2ad300c320383c83bc004e6b6cde2b89e522cf7143630

    SHA512

    6daba5b8440d657fb6fbf26d7c1fc276ae6511557f376c1b60f10b93e5978f5d3b2e610dd39ad298d7f78d78c31f048e818b6c3b2f195e5be903b65b9424fc29

  • C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML

    Filesize

    819B

    MD5

    fb7745147a1e73eb393f50685ed0307e

    SHA1

    0bbcb4de1fd8f558dca370e149af99388ca6021d

    SHA256

    36c960255b56d99527c46d829df70f2df299344a6c91ea0df037502310275ccf

    SHA512

    95cee37c3492fef7d3e531f6bd265ee675f426f2ae756b10936e4f9c47ab2208bdc05fc7ec8d33c94aa17f585eab71c23f1e0e86fa46085eca7247a77f87eeef

  • C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml

    Filesize

    964B

    MD5

    7e1c1eb317e359233365bd065bb5f9dc

    SHA1

    c887b29d543207b7677f53b9fb605750223456c1

    SHA256

    8d3f2dab5a480547e1f49f8ce3d9d876da1428527a472b58caba6f6b76962305

    SHA512

    d37b150d1e97a0ad62163af5082567900cc24a62d4e425e4ed44787d9fb195168666534df17a602d8214bc05c78ae58fb76cc9a255cfcbb544db51978ea882b7

  • C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml

    Filesize

    961B

    MD5

    516e13b880044e4e84825e930da9e6ae

    SHA1

    680014911828b15dab0684b553dd0fbb0975f79c

    SHA256

    f59de0da569599483a5aae0f0c4f2d2c10d97576c261f15235fb3b880a12463b

    SHA512

    1e49c1e00206b85e61ac038aedadf43084a7406796e09f5d31130bf9be8f25fb68e96fff049cb81e3d593833d38b9b7409efe7e7550760c12ceb7ac6ea41ee65

  • C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml

    Filesize

    962B

    MD5

    372e32c507fb0c4050e561d31f013b85

    SHA1

    2d9a6839875d126b9ae008f91b6c8031da6fddba

    SHA256

    bc10dcc05f8cf25e4bd058724739fcd1d43270c26be23642d9d3b159990d7cc2

    SHA512

    35664e1ac284308f7a826a2b230a9603595011f74e3440424344e4bcaaf1a4ae3726b4c378bcfadc5a6e85aeb6802948517f29d7375771666a3a1a38726e6dca

  • C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml

    Filesize

    960B

    MD5

    09ddfc512856bcb18938b61214b6983a

    SHA1

    e61c11bfb814f6d49bcd42df0713e54df25215fb

    SHA256

    43de088d9626ed9eab5827f7149283986e6ca82ac1aac350c7e51764e256f696

    SHA512

    9f445aac5388548f329d2cfb96d3f29b282599d34722502f1774e1fff7758981622847653b14330a642a4458710e69e706ab83972567f9436cb40eb449137ec0

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp

    Filesize

    2KB

    MD5

    cb3156c7903e0763a5d5f7b2298e833a

    SHA1

    0e8de3ba01ea0d2a10f6e706232b509901ce8506

    SHA256

    27ea5deef122c356c6cf0758cedfb350c0f5a645afeb2e171dedcf7c46de3af2

    SHA512

    df4467362eff7a1aff1e4074e2e3076365c3d1cdc211c06d40a6af2ad012a899cede7cb79a4f1d541040df4adc285b1419ea756ed082502bd0190e0e421a4cc8

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp

    Filesize

    1KB

    MD5

    bbf2d0e9eea1bc1e7c868ed7b1283958

    SHA1

    c2ab0419d8e59e56f5d36d66e10adbe8c7f79039

    SHA256

    ae40e84593ac3e961c0db15d5aee23ee54210d646a7786651f052371ffc38c87

    SHA512

    0f6ab7f9e7a0efec1c798072d979a98492ed8cd9f0d71637ecd42f138bb1de218f5d5f6c6fc94c2ca641375738f2a191c6c6486ab57d375d0a861472757a2d80

  • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.TH.XML

    Filesize

    810B

    MD5

    535616fac638a62e4a36c2bf2fcefd47

    SHA1

    cedbf3d4ef317151fcd9eb89ff106ca3699396d9

    SHA256

    dd40897f3c1ea3dc6e06f9507f151ef59879b730e8cad0cd58438fbeaad6d00e

    SHA512

    7e3019a87460f15b557a6c1cb0c11ea158d247ff21480d7a7db993d821e0a7ca2cbb425cbba0fe3d719be98b9c9a6e72dd273c5f4e8f53031e92d9ae0f462f4a

  • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AU.XML

    Filesize

    812B

    MD5

    d2f28dba18db15da8638c93a43c92078

    SHA1

    fdad7a7af03bb3419a24b09eb2826c3e75ada2fc

    SHA256

    673884634ba6c369d193c811e2ceb7f1a4d67a42d75fa3849de4438de990d5b9

    SHA512

    35c8e1b80401ace5611ce89a989ee25eca38901d7901c2a2b5a337abbca7ebf528fff9fcb6d2dab97820830e911961c15055ddc4b5b6482a55a445fccc46941a

  • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

    Filesize

    806B

    MD5

    c889899deeed19310e5ac540f1596697

    SHA1

    198156431932d2bf8b79ed0c808f30d02ae4b3c2

    SHA256

    0dc572c2e972cd84a0c905026431c80004a0cced51a45ee1d2b48e25cbd627ab

    SHA512

    e901a26e68f675d19b7a607bd6b14b279cab391ad0c752b5c69581ad9b0f5817d3529b438dbeb5773a8b5ab0278bde90a4e7c37cf27e8accfe9c8de662e14ff6

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png

    Filesize

    138B

    MD5

    9a530c475ef73c5896d7c7f3543b1d97

    SHA1

    bc80f3430254af79f06be0d37d71cca604fccae9

    SHA256

    318cebc3c59b5327cfb7a69507f1dcbe92a15fc1abe429bf2359e0f9664d0b2d

    SHA512

    dc2da4492cbb7358ebddfacc246ff4bfc3a8b2fb3e76f47519a7e6ae47fce293607ab6980e64c0a5d4bd2687b2584fe6f4d85bb4888a11760aeb0d94e8246a1b

  • C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml

    Filesize

    431B

    MD5

    0dbdc71d198cd2da4d8c5c38f44e66a2

    SHA1

    dab7e173502d5f80bc3177b0a480561b208eb1d0

    SHA256

    5ad2dac3e0044649be6532c957950483092115cf2992d170a98a123cc0af2818

    SHA512

    28506aced7d9235e3ed73e2afacc54834295818b571a7633ce8a72e8dbdd0debd225dfc307e10d82a082dac0da757a8ab6eaf5cea6b671fde4d03ead14d86b29

  • C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml

    Filesize

    411B

    MD5

    794eb220b9c3fc6775b08dd9425c24b0

    SHA1

    99daf8158bd4914c06fc33302eec1d7f5897aa93

    SHA256

    40aa257d744c7d904e8f62392c91389cff523bae86eac46f075f79f6b67534b0

    SHA512

    c8d1f7bb4ddcd2c5c212eea495d776cda2fd1cc1d22e81c885bc45dfaca878b02810a0998c40ff861a8c78d52e7718444e046562c1e792590d881a1bb336ba86

  • C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml

    Filesize

    400B

    MD5

    484651b39b9f0fc3ed8153db82b39eed

    SHA1

    859b44bdf204a55d21755358180adc62ede0e93f

    SHA256

    87bc15638540621224fcbd0f2fd0a73267465418b9b2897ea2fe5b977b990c35

    SHA512

    aac187baafb492a6930cebd87c41e67434bc40b724a844f3684f28b18846d01efc7f85e5fd0a017f1aceae341b616d2d925ec740039b17f01a9db1223972306a

  • C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml

    Filesize

    429B

    MD5

    241e2f8d1c6df84c7de7debff798313c

    SHA1

    8d2f93801f8b0116fe159123faaf09d607eb1d19

    SHA256

    00fca714016de5a5b3207fb94fc30211cf745fd4b03c120862ffd88b5f024192

    SHA512

    11b376dc95d904b38bc541c26078b13843d632016e3b3bce3ff8d6315bf90d97b993d56fd76802e96bb87a3dbe1de3ebe92836d48aa35b2974785e9f69957e20

  • C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml

    Filesize

    437B

    MD5

    b8e825d92d653fcf8f7dfb029406156b

    SHA1

    521f90b3653ee90e5b7b21a4732c7a8e2b2d9a92

    SHA256

    e9466955f535446cc4999e58805089c19bdd2cfc347519c912758cfc09e2564e

    SHA512

    059141bdc1e074bbbf7d43718ed5cb5ed2e4d663315f8433eb204ab083e6f9b43c4e84aec556cc190d59cd2dc1daa38343750cc18e45767de435230ecb1eaf28

  • C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml

    Filesize

    463B

    MD5

    626282b09a4ad2e3debc34b0f723eab4

    SHA1

    2d6030babe784d001777aab4153415d991534689

    SHA256

    17a950101ceb4026932f7ff1902aabe83d835584d89081db151d72709333aeaa

    SHA512

    779e64f8a33388b0fe4c0627e9dc2b706b9d13ba3d54594bbe062d22f6ed1f04128ae3f0dbb32649052f1dd1e0aabf1c70b4db5a73816706753508a791dec428

  • C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml

    Filesize

    414B

    MD5

    4e7c2b21080a655a39e47bd0e9949c43

    SHA1

    9b0e102fa821e1f48cdc31c533bccc5eebd4a54e

    SHA256

    b366b83f2732e1e45a454bcb03aaa49ba21b9b05e122a8adc88858fe540aef21

    SHA512

    1e5f51a49c3b56c22d8191dfccf8d53f24247870155c5e2864617d25d0bb4e3837a3927e7d1a056230b0eca0488e1c257c88f72da7c8ac962ae7482eb5d973a9

  • C:\ProgramData\Microsoft\Windows\Caches\{3D90F3F4-19F5-45AB-8F0E-F4486BBA539A}.2.ver0x0000000000000002.db

    Filesize

    1KB

    MD5

    3c6fcf1c23b09bf91e99d9080c6021b6

    SHA1

    c74b22dcdc9cd100c10742c439d0bb7c8588f056

    SHA256

    6f35a61fe7eb497dee36491fdb3f0e307a03e45efb762c9db852e466b9f55efa

    SHA512

    b54d40df82381c7e12e20391deabf1088716c38ec46b590c4c4fc77f79f6bbd49ec485c7981b38765a74d5ea25f6a49e6f1e9df5398ef3c72a458636a97463ff

  • C:\ProgramData\Microsoft\Windows\Caches\{87491CA4-F47A-461A-96A8-6AF8824DF102}.2.ver0x0000000000000002.db

    Filesize

    1KB

    MD5

    d846dfbc02378d2abc6f1bfe15fcbb41

    SHA1

    7c2258eeef30b2332f8078443aaad2dd03330450

    SHA256

    3982088d0f4ad78ba7e0c2d55a171c42a95541e18fa8caddba0a43931aace384

    SHA512

    ba96848d686625b8045312390a164bca810383f5018221fd05892e5905f624d4ce2b0f98283fc7ca74c0b2f6ab65071efce31e96a54a552fc14dd9ec69284a9e

  • C:\ProgramData\Microsoft\Windows\Caches\{FE876DEF-FB4D-4CB0-8BDD-C1365A69115B}.2.ver0x0000000000000001.db

    Filesize

    2KB

    MD5

    c20fc0a5bf22801a1e22a7433c66de17

    SHA1

    2f70426afa08748f631a0d1013cb5b3f88879e09

    SHA256

    116388fbca2c75260a350e2a7e23b972601a2efaa7db7d65d9859a9387ab5250

    SHA512

    bb3e4fe86f2c904b5834d5b265056dc4fe5c6c43ecbcb5c09cf74ee64b31558b3545c97996f4f69cc478f7aee5cdb53e730b6af3929bf1e0e964d925ce74051d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\DesktopSharingHub\readme.txt

    Filesize

    223B

    MD5

    dbac9649c4bd702f55fbd1afafe87c44

    SHA1

    0d914f4a809cfe400ca111ebfbd0ad552d500785

    SHA256

    b9dfa3b30224bd5eef298531c945d5f2f6bb978b7ef42e5ef09715a535172127

    SHA512

    86d7786b400303b1fb722689aba7e8ef6a01ad7e2776194c5d545a7d7357dd91e7079296790587210683db7f4385f98f281272fd3d1ad6770dabf401709a6415

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U0AIBA2P\desktop.ini

    Filesize

    67B

    MD5

    cb856e8bdfb00c240d43441aa7c62e9f

    SHA1

    d0c9def032806d32bc485ea5493e34217d5091c9

    SHA256

    f495547fca5a5a2c40dccebefe40160efb8bc2888e8afef712b096b5f2585b44

    SHA512

    770a9aa6e15da08da30c88a594ecdb1354cb5342b3b9da31abe6f312e3e31575b9e7748ac7227d6a1414c6bd7b66552d857bb1df302c848648557317852081ef

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin9728060290\msapplication.xml

    Filesize

    393B

    MD5

    76fd968461edb535e6acfdf926cd1669

    SHA1

    77a81320a9c1b6a1a170118b1cf4ab80add44908

    SHA256

    d70aa8e79cfca04ee991d33a37352d66df118c720a3b80c58b8c3a54f2608aee

    SHA512

    fdf213bd15fbfce5365f73901781734942a711be8f3f590bff1091601dbc6c715c905f108b8c3f568e0d6c83028fbea077044a7cec054b675b63823847de8b91

  • C:\Users\desktop.ini

    Filesize

    174B

    MD5

    ace3165e852adb8aedbeda2aa3be570b

    SHA1

    4577ff7e92850e2723008f6c269129bd06d017ea

    SHA256

    237f73d46d3501de63eae1f85fdf37e65ddced70f013b7f178d1ee52b08f051f

    SHA512

    cf77563b9295b191ce2f309e03618d1ab4d317f65b87dbecc4904ee2d058db06d23c20c199571b0fafb67ae5ec5166b76af0b7d8bfe3996b0dde9751e28f8c03