demonware

General

Target

wiperpayload.exe
Size

22.7MB
Sample

231222-fbxpvsebbm
MD5

61118d3cf190d53b95f36272b7512f65
SHA1

5b166d9e5027668ab1f707fe142320292a815523
SHA256

0b53edab42806eef4da3e3a0276ee9c296fc67cc4797ff806ce371e78270c401
SHA512

ecf60cf6aad81cae27427f67019f795c467e2f9dd152a3424f5b98a179e29f089c7a7032b2742454e6ab52a0031a4732a48e667890e090b3e30dc9dc155aa55c
SSDEEP

393216:VvUWv/HL2Vmo2WtYjUaNRDHvcrwhvr+bUn2KekLTH6mp/WViHW0Gzajaq3+d9Xg:RUYyVmVfjrRj0r6+bUno0fcElOd9XgWU

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\README.txt

Family

demonware

Ransom Note

Tango Down! Seems like you got hit by DemonWare ransomware! Don't Panic, you get have your files back! DemonWare uses a basic encryption script to lock your files. This type of ransomware is known as CRYPTO. You'll need a decryption key in order to unlock your files. Your files will be deleted when the timer runs out, so you better hurry. You have 10 hours to find your key C'mon, be glad I don't ask for payment like other ransomware. Please visit: https://keys.zeznzo.nl and search for your IP/hostname to get your key. Kind regards, Zeznzo

URLs

https://keys.zeznzo.nl

Targets

- Target
  
  wiperpayload.exe
- Size
  
  22.7MB
- MD5
  
  61118d3cf190d53b95f36272b7512f65
- SHA1
  
  5b166d9e5027668ab1f707fe142320292a815523
- SHA256
  
  0b53edab42806eef4da3e3a0276ee9c296fc67cc4797ff806ce371e78270c401
- SHA512
  
  ecf60cf6aad81cae27427f67019f795c467e2f9dd152a3424f5b98a179e29f089c7a7032b2742454e6ab52a0031a4732a48e667890e090b3e30dc9dc155aa55c
- SSDEEP
  
  393216:VvUWv/HL2Vmo2WtYjUaNRDHvcrwhvr+bUn2KekLTH6mp/WViHW0Gzajaq3+d9Xg:RUYyVmVfjrRj0r6+bUno0fcElOd9XgWU
Score

10^/10

demonware ransomware
- DemonWare
  Ransomware first seen in mid-2020.
  ransomware demonware
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Loads dropped DLL

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2