{"id":1211,"date":"2024-08-31T09:47:08","date_gmt":"2024-08-31T09:47:08","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1211"},"modified":"2025-07-28T13:56:02","modified_gmt":"2025-07-28T13:56:02","slug":"tears-for-fears-dcry-ransomware-makes-you-want-to-shout-shout-let-it-all-out","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/tears-for-fears-dcry-ransomware-makes-you-want-to-shout-shout-let-it-all-out\/","title":{"rendered":"Tears for fears: Dcry ransomware makes you want to shout, shout, let it all out"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Ransomware has been hitting the headlines lately and the latest variant to make the rounds has been dubbed \u2018Dcry\u2019. This strain is interesting as it encrypts data with .qwqd extensions  and propagates through fake software updates which exploit software vulnerabilities to infect the target system. 

Let\u2019s take a closer look:

File details<\/strong><\/p>\n\n\n\n

\n
 <\/td>Dcry.exe<\/td><\/tr>
File type<\/strong><\/td>PE (portable executable) file<\/td><\/tr>
Md5 hash<\/strong><\/td>4067933609a560b044fd43800f37c627<\/td><\/tr>
SHA1 hash<\/strong><\/td>b06e25ff233ecbefe5266e97651d63a507578932<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Static Analysis<\/strong><\/p>\n\n\n\n

The first thing static analysis showed us was that Dcry has a suspicious entry point:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

A number of Import Address Table alerts then scan the system for computer name, startup information, %TEMP% directory, debuggers and the presence of a virtual machine, etc.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Having completed this process, the malware then drops a \u201cmessage.vbs\u201d file:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

 Below, we can see this contains the \u2018ransom letter\u2019:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

 Now the encryptions begins via .qwqd extensions and the execution of a .vbs file:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After performing the encryption, Dcry attempts to delete the volume shadow copies present in the victim\u2019s machine:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

And then it initiates a ping request:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Dynamic Analysis<\/strong><\/p>\n\n\n\n

Executing the sample gives us a prompt with a key and a value number:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

When we press \u2018ok\u2019 it executes and, as seen below, it doesn\u2019t have a valid signature:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

A .vbs file is dropped into the user\u2019s system after which the encryption process starts:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Next, the ransomware message is displayed:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

As a result, the following files were dropped onto the user\u2019s system, all files were encrypted with .qwqd extensions:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

The following registry entries were also created by Dcry:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Network activities<\/strong><\/p>\n\n\n\n

No IP\/Domains involved<\/p>\n\n\n\n

Conclusion<\/strong><\/p>\n\n\n\n

Once Dcry successfully gains a foothold on a victim machine, it drops a \u201cmessage.vbs\u201d on execution, after which it performs a full system encryption with .qwqd extensions.<\/p>\n\n\n\n

If the current tide of ransomware is any indication, we\u2019re nowhere near the high-water mark. One of the best measures you can take to protect yourself from these attacks is to backup critical files at regular intervals. If you do happen to fall victim, then you can always restore your files from the most recent back up.<\/p>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

Ransomware has been hitting the headlines lately and the latest variant to make the rounds has been dubbed \u2018Dcry\u2019. This strain is interesting as it encrypts data with .qwqd extensions \u00a0and propagates through fake software updates which exploit software vulnerabilities to infect the target system.\u00a0<\/p>\n","protected":false},"author":1,"featured_media":1228,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1211","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1211"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1211\/revisions"}],"predecessor-version":[{"id":4441,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1211\/revisions\/4441"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1228"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}