Resubmissions

  • 03-03-2023 18:06

    230303-wprc1aac5z (score 10)

  • 03-03-2023 18:04

    230303-wnnkqaag85 (score 10)

  • 03-03-2023 18:02

    230303-wmss2sag77 (score 10)

  • 03-03-2023 14:25

    230303-rrhreshg85 (score 10)

General

  • Target

    pycryptopayload.exe

  • Size

    23.9MB

  • Sample

    230303-rrhreshg85

  • MD5

    ec74dbce58746b38fd7b4c893e6a0055

  • SHA1

    52f9654a1c15d8bf22a45db456792fc9ee3f1195

  • SHA256

    e3e691a9c78c57df9fd04725cc230502f0c1c9c60f8cdfad677c65458409a7f2

  • SHA512

    5ecb1ba09f838838dbfceed00a9324b8f85d0f4dc9e8c51e3a77ae55031417ad453c5462c3947990801583aab4e018d8ad56b8cee4a4651e131a6945d058dde6

  • SSDEEP

    393216:V+vUWv/HL2Vmo2WtYjUaNRDHvcrwhvr+bUn2KekLTH6mp/WViHW0Gzajaq3+d9Xn:V4UYyVmVfjrRj0r6+bUno0fcElOd9Xg2

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\README.txt

Family

demonware

Ransom Note

Tango Down! Seems like you got hit by DemonWare ransomware! Don't Panic, you get have your files back! DemonWare uses a basic encryption script to lock your files. This type of ransomware is known as CRYPTO. You'll need a decryption key in order to unlock your files. Your files will be deleted when the timer runs out, so you better hurry. You have 10 hours to find your key C'mon, be glad I don't ask for payment like other ransomware. Please visit: https://keys.zeznzo.nl and search for your IP/hostname to get your key. Kind regards, Zeznzo

URLs

https://keys.zeznzo.nl

Targets

    Score
    10/10
    • DemonWare

      Ransomware first seen in mid-2020.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL
