demonware | 9353cf6347377bf1194349bff4001485fac99a5cd3ee03781e81c157452dae68

Analysis

Target

Trustwallet.exe
Size

11.9MB
MD5

96a57994dac844201da03003ee2183ae
SHA1

e7cd1448b9b33c928b25451a9f72de71b2dbc7bf
SHA256

9353cf6347377bf1194349bff4001485fac99a5cd3ee03781e81c157452dae68
SHA512

5f82aa92a1f15287884bc7fcb26f7b0bcf2db0444417c678e613c46f0c9da0833845ca1fefc10ea35ec58ad6d7c9c627081bdf94915e41f136b6abdf3e6cf6de

Score

10^/10

Path

C:\Users\Admin\Downloads\README.txt

Ransom Note

Locked Out? Ouch! we accept Bitcoins & all cryptocurrency [email protected] be rest assured,you get your files and your system back after payment.

Emails

Loads dropped DLL 54 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2044	1096	Trustwallet.exe	26
PID 1096 wrote to memory of 2044	1096	Trustwallet.exe	26
PID 1096 wrote to memory of 2044	1096	Trustwallet.exe	26
PID 1096 wrote to memory of 2044	1096	Trustwallet.exe	26

C:\Users\Admin\AppData\Local\Temp\Trustwallet.exe
"C:\Users\Admin\AppData\Local\Temp\Trustwallet.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\Trustwallet.exe
  "C:\Users\Admin\AppData\Local\Temp\Trustwallet.exe"
  2⤵
  - Loads dropped DLL
  PID:2044

memory/2044-125-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download