demonware | 8dc94d486fd546ffbf8f21252aba65efe18432a6cae815e02b8be4ce4449291a

Analysis

max time kernel
89s
max time network
126s
platform
windows10_x64
resource
win10
submitted
15-09-2020 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Python Ransom BlackKingdom.exe
Size

9.8MB
MD5

98c14f48c1ae5cbbf6ff5403336e07c3
SHA1

d4b101f66a40114d3d1075d7c3a59cbbd47c707d
SHA256

8dc94d486fd546ffbf8f21252aba65efe18432a6cae815e02b8be4ce4449291a
SHA512

e9e88e5843fea3f0fcb2e446674b3414e2e2a6be478fb9325a2d623b50f9de009cbc0a768a2572b51de637bedf1f83f3dccf5996b1396f8a736215bfccbb310e

Score

10^/10

ransomware demonware

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\README.txt

Family

demonware

Ransom Note

Tango Down! Seems like you got hit by DemonWare ransomware! Don't Panic, you get have your files back! DemonWare uses a basic encryption script to lock your files. This type of ransomware is known as CRYPTO. You'll need a decryption key in order to unlock your files. Your files will be deleted when the timer runs out, so you better hurry. You have 10 hours to find your key C'mon, be glad I don't ask for payment like other ransomware. Please visit: https:xyz.io and search for your IP/hostname to get your key. Kind regards, arman

Signatures

DemonWare
Ransomware first seen in mid-2020.
ransomware demonware

Loads dropped DLL 18 IoCs

Processes:

Python Ransom BlackKingdom.exe

pid	Process
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe
204	Python Ransom BlackKingdom.exe

JavaScript code in executable 13 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000100000001ada3-1.dat	js
behavioral2/files/0x000100000001ada3-2.dat	js
behavioral2/files/0x000100000001adaa-5.dat	js
behavioral2/files/0x000100000001ad9e-16.dat	js
behavioral2/files/0x000100000001ad9e-17.dat	js
behavioral2/files/0x000100000001ada5-30.dat	js
behavioral2/files/0x000100000001ada5-33.dat	js
behavioral2/files/0x000100000001ae09-35.dat	js
behavioral2/files/0x000100000001ae91-39.dat	js
behavioral2/files/0x000100000001ae8d-40.dat	js
behavioral2/files/0x000100000001b10a-45.dat	js
behavioral2/files/0x000100000001b145-53.dat	js
behavioral2/files/0x000100000001b110-46.dat	js

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Python Ransom BlackKingdom.exe

description	pid	Process	procid_target
PID 2920 wrote to memory of 204	2920	Python Ransom BlackKingdom.exe	73
PID 2920 wrote to memory of 204	2920	Python Ransom BlackKingdom.exe	73
PID 2920 wrote to memory of 204	2920	Python Ransom BlackKingdom.exe	73

C:\Users\Admin\AppData\Local\Temp\Python Ransom BlackKingdom.exe
"C:\Users\Admin\AppData\Local\Temp\Python Ransom BlackKingdom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\Python Ransom BlackKingdom.exe
  "C:\Users\Admin\AppData\Local\Temp\Python Ransom BlackKingdom.exe"
  2⤵
  - Loads dropped DLL
  PID:204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29202\PIL\_imaging.cp38-win32.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\PIL\_imagingtk.cp38-win32.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\VCRUNTIME140.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_bz2.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_ctypes.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_decimal.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_elementtree.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_hashlib.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_lzma.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_socket.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_tkinter.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\base_library.zip

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\libcrypto-1_1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\libffi-7.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\pyexpat.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\python38.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\select.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tcl86t.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tcl\auto.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tcl\encoding\cp1252.enc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tcl\http1.0\pkgIndex.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tcl\init.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tcl\opt0.4\pkgIndex.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tcl\package.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tcl\tclIndex

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tcl\tm.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk86t.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\button.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\entry.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\icons.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\listbox.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\menu.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\panedwindow.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\pkgIndex.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\scale.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\scrlbar.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\spinbox.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\tclIndex

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\text.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\tk.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\altTheme.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\button.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\clamTheme.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\classicTheme.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\combobox.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\cursors.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\defaults.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\entry.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\fonts.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\menubutton.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\notebook.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\panedwindow.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\progress.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\scale.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\scrollbar.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\sizegrip.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\spinbox.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\treeview.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\ttk.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\utils.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\vistaTheme.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\winTheme.tcl

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tk\ttk\xpTheme.tcl

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\PIL\_imaging.cp38-win32.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\PIL\_imagingtk.cp38-win32.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\VCRUNTIME140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_bz2.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_ctypes.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_decimal.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_elementtree.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_hashlib.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_lzma.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_socket.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_tkinter.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\libcrypto-1_1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\libffi-7.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\pyexpat.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\python38.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\select.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\tcl86t.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\tk86t.dll

Download Submit
memory/204-0-0x0000000000000000-mapping.dmp

Download