demonware

General

Target

wiperpayload.exe
Size

22.5MB
Sample

231107-d9mlfaah8t
MD5

54d2582dd6f71c433134614d052754bf
SHA1

5497e3ee4b8251c2683c0e2ed1edc2bff4bffb8c
SHA256

8868de4d661e6cb6f2500d51b204b05ab827f29fc2599b9c523e5436b6849aaf
SHA512

3ccc9ce4eda22a3c6c88da1d55a1bbb0df7fa8c9b7d22cd7c191844c9a4f74041547a598e70539c2136c0192249668e383c8ffbe262fcc69632b354254aead57
SSDEEP

393216:vRvUWvMx8InEroXo2WtYjUaNRDHvcrwhvr+bUn2KekLTG/WViHjfEqirRRo5tN3r:lUpxXErUVfjrRj0r6+bUnonDwvstN3zX

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\README.txt

Family

demonware

Ransom Note

Tango Down! Seems like you got hit by DemonWare ransomware! Don't Panic, you get have your files back! DemonWare uses a basic encryption script to lock your files. This type of ransomware is known as CRYPTO. You'll need a decryption key in order to unlock your files. Your files will be deleted when the timer runs out, so you better hurry. You have 10 hours to find your key C'mon, be glad I don't ask for payment like other ransomware. Please visit: https://keys.zeznzo.nl and search for your IP/hostname to get your key. Kind regards, Zeznzo

URLs

https://keys.zeznzo.nl

Targets

- Target
  
  wiperpayload.exe
- Size
  
  22.5MB
- MD5
  
  54d2582dd6f71c433134614d052754bf
- SHA1
  
  5497e3ee4b8251c2683c0e2ed1edc2bff4bffb8c
- SHA256
  
  8868de4d661e6cb6f2500d51b204b05ab827f29fc2599b9c523e5436b6849aaf
- SHA512
  
  3ccc9ce4eda22a3c6c88da1d55a1bbb0df7fa8c9b7d22cd7c191844c9a4f74041547a598e70539c2136c0192249668e383c8ffbe262fcc69632b354254aead57
- SSDEEP
  
  393216:vRvUWvMx8InEroXo2WtYjUaNRDHvcrwhvr+bUn2KekLTG/WViHjfEqirRRo5tN3r:lUpxXErUVfjrRj0r6+bUnonDwvstN3zX
Score

10^/10

demonware ransomware
- DemonWare
  Ransomware first seen in mid-2020.
  ransomware demonware
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Loads dropped DLL

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2