demonware | d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94

General

Target

d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
Size

9.8MB
MD5

1916caf047d83174cb7ce28d07f54f25
SHA1

02ca0f3ad95e5dbf3dfd1272db8cb77e5e6e3f49
SHA256

d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94
SHA512

99159edf3e297826a1c355e8fcac4d381ec66ad28df8c39fb0ca29119e718d2cb9cb45a3cf6943704916abc4c4c1891b158a99faf15d27bf6257bdaffca18012

Score

10^/10

demonware ransomware

Malware Config

Signatures

DemonWare
Ransomware first seen in mid-2020.
ransomware demonware

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\GrantSave.png => C:\Users\Admin\Pictures\GrantSave.png.DEMON	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
File renamed	C:\Users\Admin\Pictures\JoinEdit.png => C:\Users\Admin\Pictures\JoinEdit.png.DEMON	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
File renamed	C:\Users\Admin\Pictures\TestUnprotect.png => C:\Users\Admin\Pictures\TestUnprotect.png.DEMON	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe

Loads dropped DLL 33 IoCs

pid	Process
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	1980	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1980	1684	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe	26
PID 1684 wrote to memory of 1980	1684	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe	26
PID 1684 wrote to memory of 1980	1684	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe	26
PID 1684 wrote to memory of 1980	1684	d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe	26

C:\Users\Admin\AppData\Local\Temp\d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe
  "C:\Users\Admin\AppData\Local\Temp\d46eaf1ca21fe46e0cde0f28a7db2ee7c34e710d11083472861522f8ccc20a94.exe_.exe"
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1980

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads