Analysis

  • max time kernel
    129s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05/03/2022, 18:31

General

  • Target

    eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe

  • Size

    10.4MB

  • MD5

    42469bbd43954d8ed09b27899b25ffb0

  • SHA1

    55fee15384316826fa1e5f8317ceda1adf1695d5

  • SHA256

    eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936

  • SHA512

    e4f1b7cb3c27bb99ab1e53c4466a1be9ce3a506af060416e08c917c33a5a75803a7329b2e085b8db5039567237c427ba006d3c8d80e795e5805e749504aa008c

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README.txt

Ransom Note
hey Down! Seems like you got hit by CoderWare ransomware! warning: take a screenshot of this place. If you lose the information here, you'll never get to us. and it would be impossible to get your dosys Don't Panic, you get have your files back! CoderWare uses a basic encryption script to lock your files.This type of ransomware is known as CRYPTO. You'll need a decryption key in order to unlock your files. Your files will be deleted when the timer runs out, so you better hurry.You have 10 hours to find your key When you pay >>> 1000$ <<< to the Bitcoin address below, you will need to send a single as proof to our e-mail address, and if the receipt is correct, your code to decrypt our files to your e-mail address. It will be sent back to you via e-mail. But you have to be quick for that. Because you have 10 hours. If you do not pay within 10 hours, your files will be permanently deleted. And it would be out of reach again. If you don't know how to get bitcoin. https://buy.moonpay.io can quickly get your credit or debit card online from the website. Please type the bitcoin address shown on the screen in the wallet field on the website. If you try to shut it down by force, you'll lose your dosys. because if you lose your bitcoin address, you won't be able to pay. and you'll never get your files back. email: [email protected] bitcion Adress : 336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K telegram : @Codersan whatsap: +63 997 401 3126
Wallets

336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K

Signatures

  • DemonWare

    Ransomware first seen in mid-2020.

  • Drops file in Drivers directory 1 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 32 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe
    "C:\Users\Admin\AppData\Local\Temp\eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Local\Temp\eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe
      "C:\Users\Admin\AppData\Local\Temp\eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe"
      2⤵
      • Drops file in Drivers directory
      • Modifies extensions of user files
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1884

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads