Analysis

  • max time kernel
    4294231s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    25-03-2022 00:30

General

  • Target

    559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe

  • Size

    10.0MB

  • MD5

    c8f1a1134ac0ccacb849b819e0435e11

  • SHA1

    ca4941cba333018c484418a42d7e2e3a6d2a380e

  • SHA256

    559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd

  • SHA512

    db570e14148c36db6eb8de41c48f65472ef83e18fa0804e39fd1e9b484f3d55240a447451c6d9b7149e58c4d714d91ddb4696c196e8008d8e3d4e31375a4504f

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README.txt

Ransom Note
hey Down! Seems like you got hit by CoderWare ransomware! warning: take a screenshot of this place. If you lose the information here, you'll never get to us. and it would be impossible to get your dosys Don't Panic, you get have your files back! CoderWare uses a basic encryption script to lock your files.This type of ransomware is known as CRYPTO. You'll need a decryption key in order to unlock your files. Your files will be deleted when the timer runs out, so you better hurry.You have 10 hours to find your key When you pay >>> 1000$ <<< to the Bitcoin address below, you will need to send a single as proof to our e-mail address, and if the receipt is correct, your code to decrypt our files to your e-mail address. It will be sent back to you via e-mail. But you have to be quick for that. Because you have 10 hours. If you do not pay within 10 hours, your files will be permanently deleted. And it would be out of reach again. If you don't know how to get bitcoin. https://buy.moonpay.io can quickly get your credit or debit card online from the website. Please type the bitcoin address shown on the screen in the wallet field on the website. If you try to shut it down by force, you'll lose your dosys. because if you lose your bitcoin address, you won't be able to pay. and you'll never get your files back. email: [email protected] bitcion Adress : 336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K telegram : @Codersan whatsap: +63 997 401 3126
Wallets

336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K

Signatures

  • DemonWare

    Ransomware first seen in mid-2020.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 37 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Detects Pyinstaller 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe
    "C:\Users\Admin\AppData\Local\Temp\559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\server.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Users\Admin\AppData\Local\Temp\CyberPunk2077.sfx.exe
        CyberPunk2077.sfx.exe -p1234 -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:512
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"
            5⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: RenamesItself
            • Suspicious use of AdjustPrivilegeToken
            PID:1208

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/756-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

    Filesize

    8KB