Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2024 16:50
Static task: static1
Behavioral task: behavioral1
- Sample: 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
- Resource: win10v2004-20240709-en
General
- Target: 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
- Size: 1.3MB
- MD5: 0e55ead3b8fd305d9a54f78c7b56741a
- SHA1: f7b084e581a8dcea450c2652f8058d93797413c3
- SHA256: 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
- SHA512: 5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa
- SSDEEP: 24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkHVZgMCS+:L7XP7P9o5QzUtl1fpxkHVZgMC3
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\DesktopSharingHub\readme.txt
- Family: dearcry
Signatures
-
DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
-
Renames multiple (3381) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes
- C:\Users\Admin\AppData\Local\Temp\2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe "C:\Users\Admin\AppData\Local\Temp\2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe" (PID: 2160)
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads