Analysis

  • max time kernel
    12s
  • max time network
    104s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    24-03-2021 06:35

General

  • Target

    1dbbd2ae295dae3cfff1769cc919aacb3b0c9d0ecf550f37f3901e2244a165cf.exe

  • Size

    12.8MB

  • MD5

    d57b26a5738e3116c39122c091374c4a

  • SHA1

    cc25f6a5d73ca7385a2b5beb697d51a6706d73e9

  • SHA256

    1dbbd2ae295dae3cfff1769cc919aacb3b0c9d0ecf550f37f3901e2244a165cf

  • SHA512

    92a50b8205580295274c688ace588b2a2448396ee0b7ec874c95a938a7cbb525e6cea33871c88037d2b67d4ad60e4f76566fa599d82c50faa043d1dbe029aa2f

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\README.txt

Ransom Note
Seems like you got hit by Skullware! Don't Panic, you can have your files back! SkullWare uses a basic encryption script to lock your files. This type of ransomware is known as CRYPTO. You'll need a decryption key in order to unlock your files. Your files will be deleted when the timer runs out, so you better hurry. You have 10 hours to find your key In order to decrypt you're files you will need to pay 0.002 bitcoin to this address bc1qpf5884eeausmv8rtf93kplu573t477tquskeuz you will also have to email [email protected] in with a photo of you're transaction please note you can buy bitcoin on coinbase.com Kind regards, Crypt
Wallets

bc1qpf5884eeausmv8rtf93kplu573t477tquskeuz

Signatures

  • DemonWare

    Ransomware first seen in mid-2020.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 35 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1dbbd2ae295dae3cfff1769cc919aacb3b0c9d0ecf550f37f3901e2244a165cf.exe
    "C:\Users\Admin\AppData\Local\Temp\1dbbd2ae295dae3cfff1769cc919aacb3b0c9d0ecf550f37f3901e2244a165cf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\1dbbd2ae295dae3cfff1769cc919aacb3b0c9d0ecf550f37f3901e2244a165cf.exe
      "C:\Users\Admin\AppData\Local\Temp\1dbbd2ae295dae3cfff1769cc919aacb3b0c9d0ecf550f37f3901e2244a165cf.exe"
      2⤵
      • Modifies extensions of user files
      • Loads dropped DLL
      PID:3968
