Analysis
max time kernel: 66s
max time network: 15s
platform: windows7_x64
resource: win7v200722
submitted: 15/09/2020, 12:18
Static task: static1
Behavioral task: behavioral1
Sample: Python Ransom BlackKingdom.exe
Resource: win7v200722
0 signatures, 0 seconds
Behavioral task: behavioral2
Sample: Python Ransom BlackKingdom.exe
Resource: win10
0 signatures, 0 seconds
General
Target: Python Ransom BlackKingdom.exe
Size: 9.8MB
MD5: 98c14f48c1ae5cbbf6ff5403336e07c3
SHA1: d4b101f66a40114d3d1075d7c3a59cbbd47c707d
SHA256: 8dc94d486fd546ffbf8f21252aba65efe18432a6cae815e02b8be4ce4449291a
SHA512: e9e88e5843fea3f0fcb2e446674b3414e2e2a6be478fb9325a2d623b50f9de009cbc0a768a2572b51de637bedf1f83f3dccf5996b1396f8a736215bfccbb310e
Score: 10/10
Malware Config
Extracted
Path: C:\Users\Admin\Downloads\README.txt
Family: demonware
Ransom Note:
Tango Down!
Seems like you got hit by DemonWare ransomware!
Don't Panic, you get have your files back!
DemonWare uses a basic encryption script to lock your files.
This type of ransomware is known as CRYPTO.
You'll need a decryption key in order to unlock your files.
Your files will be deleted when the timer runs out, so you better hurry.
You have 10 hours to find your key
C'mon, be glad I don't ask for payment like other ransomware.
Please visit: https:xyz.io and search for your IP/hostname to get your key.
Kind regards,
arman
Signatures
- DemonWare
  Ransomware first seen in mid-2020.
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File renamed | C:\Users\Admin\Pictures\TraceCompress.png => C:\Users\Admin\Pictures\TraceCompress.png.DEMON | Python Ransom BlackKingdom.exe
- Loads dropped DLL (18 IoCs)
  pid | Process
  1656 | Python Ransom BlackKingdom.exe (18 identical entries)
- JavaScript code in executable (13 IoCs)
  resource | yara_rule
  behavioral1/files/0x00030000000131c3-1.dat | js
  behavioral1/files/0x00030000000131c3-2.dat | js
  behavioral1/files/0x00030000000131ca-5.dat | js
  behavioral1/files/0x00030000000131be-16.dat | js
  behavioral1/files/0x00030000000131be-17.dat | js
  behavioral1/files/0x00030000000131c5-30.dat | js
  behavioral1/files/0x00030000000131c5-31.dat | js
  behavioral1/files/0x000300000001327b-35.dat | js
  behavioral1/files/0x0003000000013350-39.dat | js
  behavioral1/files/0x000300000001334c-40.dat | js
  behavioral1/files/0x000300000001366e-45.dat | js
  behavioral1/files/0x0003000000013674-46.dat | js
  behavioral1/files/0x00030000000136aa-53.dat | js
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1480 wrote to memory of 1656 | 1480 | Python Ransom BlackKingdom.exe | 25 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Python Ransom BlackKingdom.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Python Ransom BlackKingdom.exe"
   PID: 1480
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Python Ransom BlackKingdom.exe (child of PID 1480)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Python Ransom BlackKingdom.exe"
      PID: 1656
      - Modifies extensions of user files
      - Loads dropped DLL