Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-02-2024 01:24

General

  • Target

    2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe

  • Size

    11.9MB

  • MD5

    e57bbb2ab183586ff33d8eeefad512d4

  • SHA1

    2f6161e0a440592e626886dc6844468cb0c533bb

  • SHA256

    a97eab720061c4131c3fa1b850968895ec210fb24f4d9192b9700a6aad3bbcb0

  • SHA512

    3004e3d18aa312c8272258662fd829ee7d70c600d1ae585f6a63fd4b4ccbac06859869b1fcff532b063a73cade5df2dd09c2beff19e59654cd8d9f07096490a2

  • SSDEEP

    196608:ewpf4Dz52nt/tv1MfHrODpFC4g0AVIGve8ZJ9BIBxIFO48RmU/3ZlsPvmucM8C1Y:vl4Dgt/xcKLgtIGJYXIotN3ZWLb2

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\README.txt

Family

demonware

Ransom Note
Tango Down! Seems like you got hit by DemonWare ransomware!
Don't Panic, you get have your files back!
DemonWare uses a basic encryption script to lock your files. This type of ransomware is known as CRYPTO.
You'll need a decryption key in order to unlock your files.
Your files will be deleted when the timer runs out, so you better hurry. You have 10 hours to find your key
C'mon, be glad I don't ask for payment like other ransomware.
Please visit: https://keys.zeznzo.nl and search for your IP/hostname to get your key.
Kind regards, Zeznzo
URLs

https://keys.zeznzo.nl

Signatures

  • DemonWare

    Ransomware first seen in mid-2020.

  • Loads dropped DLL 36 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe"
      2⤵
      • Loads dropped DLL
      PID:3620
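Detection logic for the process tree above, added here as an example; it is not part of the report and not one of the sandbox's own signatures. The tree shows the classic PyInstaller one-file shape: the sample (PID 1248) re-executes itself, the child (PID 3620) loads DLLs dropped under %TEMP%\_MEI12482\ (a directory whose name begins with the parent's PID), and README.txt appears in C:\Users\Admin\Pictures. EVENTS is a constructed, simplified event stream in that shape; the image name sample.exe, the parent PID 900 and the benign control pair 5000/5001 are made up to show that a packed Python program on its own does not fire the rule.

```python
r"""Detect a PyInstaller self-spawn that goes on to drop a ransom note.

Constructed events mirroring this report's process tree; not sandbox output.
"""
import re
from collections import defaultdict

MEI_DIR = re.compile(r"\\AppData\\Local\\Temp\\_MEI(\d+)\\", re.IGNORECASE)
NOTE_PATH = re.compile(
    r"\\Users\\[^\\]+\\(?:Pictures|Desktop|Documents|Downloads)\\README\.txt$",
    re.IGNORECASE,
)

EVENTS = [
    {"type": "process", "pid": 1248, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
    {"type": "process", "pid": 3620, "ppid": 1248,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
    {"type": "image_load", "pid": 3620,
     "path": r"C:\Users\Admin\AppData\Local\Temp\_MEI12482\python38.dll"},
    {"type": "image_load", "pid": 3620,
     "path": r"C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Cipher\_raw_cbc.cp38-win_amd64.pyd"},
    {"type": "file_create", "pid": 3620,
     "path": r"C:\Users\Admin\Pictures\README.txt"},
    # Benign control (made up): a packed Python tool that self-spawns but drops no note.
    {"type": "process", "pid": 5000, "ppid": 900, "image": r"C:\Tools\packed.exe"},
    {"type": "process", "pid": 5001, "ppid": 5000, "image": r"C:\Tools\packed.exe"},
    {"type": "image_load", "pid": 5001,
     "path": r"C:\Users\Admin\AppData\Local\Temp\_MEI50000\python38.dll"},
]


def self_spawn_pairs(events):
    """(parent_pid, child_pid) for every child whose image path equals its parent's."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    pairs = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent and parent["image"].lower() == child["image"].lower():
            pairs.append((parent["pid"], child["pid"]))
    return pairs


def mei_dirs_loaded(events, pid):
    """Digits of every _MEI<digits> directory that `pid` loaded an image from."""
    dirs = set()
    for e in events:
        if e["type"] == "image_load" and e["pid"] == pid:
            m = MEI_DIR.search(e["path"])
            if m:
                dirs.add(m.group(1))
    return dirs


def pyinstaller_candidates(events):
    """child_pid -> parent_pid for self-spawned children that load from a _MEI
    directory whose number starts with the parent's PID (1248 -> _MEI12482)."""
    out = {}
    for parent_pid, child_pid in self_spawn_pairs(events):
        if any(d.startswith(str(parent_pid)) for d in mei_dirs_loaded(events, child_pid)):
            out[child_pid] = parent_pid
    return out


def ransom_note_drops(events):
    """pid -> README.txt paths created inside a user's content folders."""
    drops = defaultdict(list)
    for e in events:
        if e["type"] == "file_create" and NOTE_PATH.search(e["path"]):
            drops[e["pid"]].append(e["path"])
    return drops


def loads_pycryptodome(events, pid):
    """True if `pid` loaded a native module out of a Crypto\\Cipher\\ package dir."""
    return any(e["type"] == "image_load" and e["pid"] == pid
               and "\\crypto\\cipher\\" in e["path"].lower() for e in events)


def detect(events):
    """Children that are both PyInstaller-style self-spawns and note droppers.
    Packed Python alone is not a verdict, so the control pair must not appear."""
    hits = []
    notes = ransom_note_drops(events)
    for child, parent in pyinstaller_candidates(events).items():
        if child not in notes:
            continue
        reasons = [f"self-spawn of same image by pid {parent}",
                   f"ransom note(s): {', '.join(notes[child])}"]
        if loads_pycryptodome(events, child):
            reasons.append("loads pycryptodome cipher modules from _MEI dir")
        hits.append((child, reasons))
    return hits


if __name__ == "__main__":
    for child, reasons in detect(EVENTS):
        print(f"pid {child}:", *("\n  - " + r for r in reasons))
```

The PID-prefix check on the _MEI directory is a corroborating signal taken from this report's numbers, not a hard requirement; if your telemetry records the extraction directory under a different temp path, widen MEI_DIR before relying on it.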

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Cipher\_Salsa20.cp38-win_amd64.pyd

    Filesize

    15KB

    MD5

    9fb7daedd82bdde61d467b7a568bf577

    SHA1

    8772a438d9735498be7ed4d566bb0439361aaa56

    SHA256

    cf235e8f929568ee0c24c676be7fb15e6a8820cb8437cd06bee1e038b80deb2b

    SHA512

    456db61224d9f3ee5786173be2998ecd54d05bc29919ec8e1a7a917eb5f42fbb3edb1aee374d9b97b4db94591be440f58ddbd0f32aab1a2977db28573223e806

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Cipher\_raw_cbc.cp38-win_amd64.pyd

    Filesize

    13KB

    MD5

    03c703a8f4c2a1443cccc8316af8940c

    SHA1

    046d8c846d9393e472064aa1250826994a785577

    SHA256

    ca09e03d93f3a330a467afd7fb998ad81dfd75fa7a1c2e202d6898f229c269d4

    SHA512

    a65bf31452e984de1f951a3bca97c9dc27ac113e5fd4e0d29fa2b67e6c1b24d48ba6513d1e2ceaa7617e92305171e9675379a0e97980a3ceec209c49cd687329

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Cipher\_raw_cfb.cp38-win_amd64.pyd

    Filesize

    13KB

    MD5

    6f1d3ed33d7dfeae5642406d76ff2084

    SHA1

    014cfee7d754564928ed2df2fef933aeda915918

    SHA256

    f5918822781473d44f69030a9b32bcaeffa8671f1328c48085c9671f140d1273

    SHA512

    e55f57ef9411979ab164d5c3faca609856ddaa273ee817225ba77a12ddad02da464378ca0cbd98ddec708aeac96845ab8c718d35edc88b0ab06bb14ed53647ca

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Cipher\_raw_ctr.cp38-win_amd64.pyd

    Filesize

    14KB

    MD5

    c04554cf7f89e2d360ebcc39f85a2970

    SHA1

    42ac403bd2a854d7f6ac60a299594a9c4a793f35

    SHA256

    264ed03313efc36ef0794e3c716319e0aa4774c3d0a26c522dcfa7be1f46349f

    SHA512

    668928abb8510d36dcc2e9ff7cd10353c3cbc10af199ca4c909770921fdcbe4aeedc5dfb106c91cf480c86a2ab78e2da6278d859aae93cb72bc50de432411ed9

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Cipher\_raw_ecb.cp38-win_amd64.pyd

    Filesize

    11KB

    MD5

    d4535f5b8683cd4b523d1f97232d3772

    SHA1

    1a6ce4eeb5acd1762f629478db14dfe8e361967f

    SHA256

    a8bd1b23f25393b26570a23f3083227dca1e2a6c4422581ff3e46cea3c4ac4ad

    SHA512

    447c9b1772f4a4f91961268e1b87c3576415f5257197db16336a3be8601dcfc8cd01dd1bb0676403633c58b8593aa9f558bbd53ccd994f5702df38c265358730

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Cipher\_raw_ofb.cp38-win_amd64.pyd

    Filesize

    12KB

    MD5

    b537c5216bd68311d50b10d62d02b9bb

    SHA1

    eb613bdabc18ee0f43afa4a13e684d0f8bc57817

    SHA256

    2b4fefd3688f5e92b1c3ef745d3463d44d9c071b9e2e190a7179191cd3b1e3a5

    SHA512

    1a3a8e9454646d7ac87f0acc34092da9c3873e4912ea8cb7c335d58a1bf7336d370dda9da13fdc6148ebfe93e3b75ceebc0684a5ee7b4ae24e8e2b5d053afe38

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Hash\_BLAKE2s.cp38-win_amd64.pyd

    Filesize

    15KB

    MD5

    2101eb8948ad5b50feeceb0865169d48

    SHA1

    fd55a3553d0c0416cd733ae732361685c0d23c59

    SHA256

    962a6e4baf1fe8579b815c059abd924563835fc2139fa16d4ba191c291d033ec

    SHA512

    122c8ba5df3d3c2b6ddb6de8415634c02c296285e629f780e1f9d9a4afaf1ef3bef0863f83748f2ad5847385e349b4d39c4c54ed7d4246f502603080c5b973e4

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Hash\_MD5.cp38-win_amd64.pyd

    Filesize

    16KB

    MD5

    7b4db40a5af596c7b685b1bff8c85a63

    SHA1

    bdc1ca3a817731ab89fcc0ff8f9ed540b8fe016d

    SHA256

    938aa6f71988f899c605dfe09a0882403af0564eb1937316bf50bda5b63659af

    SHA512

    8d995a342eecbb4278ea02ca84b0c5d3446b06952c1ce29e3d3eb1aa95c7b31cbd88976bd6bdb2c92c4e5e25103d392aa911a5f718cca3cb6e9e0c2d9e8695fb

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Hash\_SHA1.cp38-win_amd64.pyd

    Filesize

    19KB

    MD5

    abc7d549b8974a93e441b45b118a3f8e

    SHA1

    1b78c6022f03550ca48a67aa2b2edc0add3a5fd7

    SHA256

    059e3b26c6816c5f2e3a3d6fdfcc0298077221cd8ae8a17fc9fe6d67ef2bfc3a

    SHA512

    8ac63714eebbe6c4ff7da73ebe1e03be1aaee194d635df068108956bf009b872bad1357a5c41e5780d053903784c10797d417f90f941e362f3d3774e91bbb98e

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Hash\_SHA256.cp38-win_amd64.pyd

    Filesize

    21KB

    MD5

    4c16bb062911f8d38d881022dba921dc

    SHA1

    fed09bcb06fa5bb604bfb81d4aecbd012548f5f9

    SHA256

    d72174d81ef9e6c8c9c2b2c9a0392e85195a1fde81757a8fa61e7561b8689f84

    SHA512

    2ca19b324011f1957f2182b6d57a687cff1805e94c27118452d7b579ea4dc9bdf2f409c03cb97b71e312593c41312bd278c25d52cac1cf0eecc72ce79ba0d08d

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Hash\_ghash_clmul.cp38-win_amd64.pyd

    Filesize

    13KB

    MD5

    4f67959d1db218c381d538fdaab3b3d9

    SHA1

    8da9ec911aed0bdaf8a00b8e6c91190d5e69e41a

    SHA256

    c14e36a4682395717ef02c17d779410c2b802d56c079c2c3a9289be1863caad6

    SHA512

    50f7343adf5806a7f14db919a3281973f0f0118a5f2619ae765074e9802d2b9183ce81b2ef2096ad8c78d30e4c843402b777909c2aa375472946ccfeec4ab526

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Hash\_ghash_portable.cp38-win_amd64.pyd

    Filesize

    13KB

    MD5

    fdd4207ea3c8938d4c1150a9a15b5987

    SHA1

    2f4b87a20474a825c5b4c45d0bec15b1911f54ce

    SHA256

    f7ce5ed7d00bed3c9c9f41a75d616930bc06973a86f721aaebe1529719c48a0f

    SHA512

    4b6d8b76edbd4a4bb0b6e704c8ef58474975f4b2c09e7ca0364d40f154ba1e1d2511b5d4757071fbcb0b98f0a39dd182bc05ee1118deb7fd8ce9f47428bd6fcb

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Protocol\_scrypt.cp38-win_amd64.pyd

    Filesize

    13KB

    MD5

    2c9b60c7800d640ddbfa6f2aad83c41e

    SHA1

    4778df5386fa9e676cec84f6a144212323eb5817

    SHA256

    a6c6e4735cc74b83bb97a94452bcbdd46e825ba485d9ab5cf2f134e7addaa48f

    SHA512

    38e3993a4e63abb47fbfd266925ca8c588f553cd46799910ea337d00b29240a412bf33fc5486760c3e4d87577d836bdf1b45395cdba8fecc3bec4da92b2bf8b6

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Util\_cpuid_c.cp38-win_amd64.pyd

    Filesize

    11KB

    MD5

    7178bf889c059dd34240c73a87d7e2c8

    SHA1

    3c8a3bcd0c60c33b74719536b42323cb183bb05f

    SHA256

    04d50a58068b32790015186c55cc83d204dbfb94e245eae131806576f2d4da24

    SHA512

    15539b3ef516eca7823884ffbca61cb0cac9143d9ff39778985d1e980da0184f85c38ebd627935aa332c7f55e87216ff9040b21b61664f454dce630621dd9e35

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\Crypto\Util\_strxor.cp38-win_amd64.pyd

    Filesize

    11KB

    MD5

    c718722a0c7e48a91b492b604ca15125

    SHA1

    6fa5b7da8366bfd7ae575452d389d01bfa25e6b4

    SHA256

    248962dbfabfd47f79df23f22754e6644404ccd10f152420a639de12215a615f

    SHA512

    953aa4827746ad544e799976724f657a56337407bebcc0c721b926caa74fae6bfc42acbd194c4220f3e0e4edc5e325674be3f0773859f9ed40ad943a359058dd

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\PIL\_imaging.cp38-win_amd64.pyd

    Filesize

    2.5MB

    MD5

    c66d257279177dee61c361915692cc7c

    SHA1

    6c1e096368e486fb135eed1f4b8a3aca5bd641ef

    SHA256

    a12143791b0afdd56cf213eafe826119932a52bd41569def6d9fe001f0379dbc

    SHA512

    1aea89ec2cb5b2757c06f0e9225ebdf88f05beb5e5c1f73363058f5c0925637a17c463f8e8dead470aba38ac4906ed777182907a4bc8c188c2c54870a0e9d0a1

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\VCRUNTIME140.dll

    Filesize

    98KB

    MD5

    6ba0dbcd2db8f44243799c891dbd2a59

    SHA1

    30a2719d4b8667fd237bcfb781660901c993d9fc

    SHA256

    263988a0868053b6b01835cd2959c8f71e3f943610421b269da646f2d9e3b333

    SHA512

    94dea85ef50d55cec0d1bbae4671386ce8ca02e870ce417abfef0a8499fdf0bd0eb5ba38debd07c213f7da39cbea63a18143484b05e9c7ca36b2f68e4520bb4d

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\_bz2.pyd

    Filesize

    84KB

    MD5

    6909da62abc73216883a89a60b66e73b

    SHA1

    015eb36344e5f3fe2df467bd47a04bded616b052

    SHA256

    4c22e0d2786dd7e93f55e1f4a1c27d2e141a55682ed2c09b90320817fcf011f9

    SHA512

    eddabb51b6092b3c3e3b6968ea831a262f8f5f8a26b1c95badc616ca236d0928aa789334835130ec40137ffc623b5d2031a585e890162b489a26fd990845b63a

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\_ctypes.pyd

    Filesize

    123KB

    MD5

    ffde1baacbe6729ad5246068870915a4

    SHA1

    2d42751140fc244f19dece6b1948b2b67d36bab4

    SHA256

    cc839990fb1020520731c35a183c83c9dc927aa78fa6b149a92a39e9d156c8b8

    SHA512

    1ac3ec986c55af37eb93d35a15e8a64726e5154240c0c5aac8286f7e347c678482ec65c62b454cf237023253642335ce6b3f6c0cc084e1527e61d48aaf7752f1

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\_elementtree.pyd

    Filesize

    173KB

    MD5

    c64e8667059fa4ab1af38c1a44e80885

    SHA1

    b9cb168df1666c85aa57748d01f11e5d2cbe6910

    SHA256

    e3e2da51ef672ba57212b4395a85427f3a9ba6e42b62c90a2e402e4cb2ed2e71

    SHA512

    b735378d98e76a8baec67a557053464579c9965f95b00569b5e0328c5eec6adda82214711403916282b31d9c89fcfba610b3931c14233e406438ac41535075a7

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\_hashlib.pyd

    Filesize

    45KB

    MD5

    178b3a8bddd3bc0e832efe59c8045e4c

    SHA1

    cc3a48a2945f251c5f9ddc7011011b8563352978

    SHA256

    1e12f3528c9a33111fd6589b323b5e022d020b461ee65b0a97bd628d53217f2a

    SHA512

    e7ce152f3c0afdf00651cdb1173a32da837a00f988a285a71c16289a7acaeb80048e7650a30fe5d5604dfcb4c8199edce8d5eb9f9ff974779a542498a1bdd7ee

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\_lzma.pyd

    Filesize

    247KB

    MD5

    af8385e0cb374ae6caee59190175dd12

    SHA1

    a16d7d021ec3fa31fb1b2ce5929c2d3d4c96d6b8

    SHA256

    e414ee3efa6a4e1edf610dd780335ab9372cbe7919a73596bbb267b55ad23999

    SHA512

    3e4e26bbcf14ebcb4faedb8982c46b3f5318c88dd395c668c50e4f5ddbfe6c1836eb49e49e855cc95934e8247e63df0f7543f66e4fe13335558fc21c0c566b5b

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\_socket.pyd

    Filesize

    77KB

    MD5

    fc47a3b4dc7353591970a20678b90a81

    SHA1

    5ca5436e0c66f468bb48b5ea16c69125fcc34bea

    SHA256

    4e7ee0ecf839c42d96c53309384737e8f84bb5e90ecd20d511cc3fc6ec135f44

    SHA512

    8f52f33ce49bc38a9356d46c63aef4f8f05d491377f4969f52fd84f83712faed3d9637044d27583bf06fc52687667b630ba8d2eb8ee27f4a810520df5499b725

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\_tkinter.pyd

    Filesize

    62KB

    MD5

    f0f0c841e42ff2448b008c4c460b6d0c

    SHA1

    8ac6c2c6dfa257ad78a3a731d276f1332c6588b1

    SHA256

    21932701ea35dae0091373d44be683027728c5489bbb39294e225438f29a2341

    SHA512

    a8c2556c4e5f509c04030a3cdb3945b837577e31baf6864b84f8471ccd83feb301ff5dba3976f1b41289c4269abf5a9dca1b9db1c3f5f102e7db06433834b3a2

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\base_library.zip

    Filesize

    767KB

    MD5

    6ec67f19ac47ed59b5bb0b8ba970009e

    SHA1

    c1f50b2e99211b9fa460acf8000f374063ee4e6a

    SHA256

    713928e2b00652e44b37f18bd8cf3a983b50bd47bac6cf4dbff2cd94b31487d4

    SHA512

    6f38fd0731f827a94fc57f18cdf4809c7b61748b532d848afdb44d9dd696206c830be2571e00a83316e30193c6768257cc4e850c627bf96fdffc4daaf101f777

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\libcrypto-1_1.dll

    Filesize

    3.3MB

    MD5

    4929f390f3b9132af172d38b22bd2a2b

    SHA1

    19d27dc93c402801b8cb582b3aa27b17d24403d3

    SHA256

    4c1cbe61f562459baf382d3153b4bfc8a651bfc4ab41c99b3c8c29e19de7fde0

    SHA512

    2c7f3dfaba9e2844bcfddd3b05897f97ef043cc1cd5576ec0442eb26c9740c4df69a707e28bf5c6a0796e27e8de77ea430626ec822d74e054d081d32aaae7d93

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\libffi-7.dll

    Filesize

    32KB

    MD5

    eef7981412be8ea459064d3090f4b3aa

    SHA1

    c60da4830ce27afc234b3c3014c583f7f0a5a925

    SHA256

    f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

    SHA512

    dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\pyexpat.pyd

    Filesize

    184KB

    MD5

    9db090f0ec76c0c5c198396104a5b983

    SHA1

    db5adfbbadef6d06383a7f031beb2784a0093d0a

    SHA256

    b3e7eeb1f863ebf2a0debe1f8cb5a830370647f5728b90fdb7c03d9f62500cd0

    SHA512

    059edf754d0dc0282205192483df2ed7a562e04f5bd0cd9695389fe8d79b9780ff325641a77eef4413bd897d804b3f4ab29ef0004db9e8d0ecf50badaa1dbe06

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\python38.dll

    Filesize

    4.0MB

    MD5

    c0ed63bf515d04803906e1b703e9cb86

    SHA1

    61f9a465d7a782aedfd5e2b1a9dc8bff6c103b5a

    SHA256

    24bfc999a733d4759ca40425610555f597b1d015f87ef5f84e15c665297247a4

    SHA512

    78384c34cefc40cb86913dffdc6a360668467731a8a3678d5f8377d8ae63d244b45506b0b6e2498825b53abe8fd84d2b75b3e9fef3703fead90183ace433e70a

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\select.pyd

    Filesize

    26KB

    MD5

    f4887f1d906dc336fe0c3f7dbb720ca3

    SHA1

    67def676ad3569029d2a357a40a138fc7570bdcc

    SHA256

    36552bc64127d4866c657c9b74c0399baad70957a5380896fd8202e3a6bb7b4f

    SHA512

    51006d164c2512adfab92d22be5fed7c093cb647821045a6cdfd2ed7a30d94e620a446b8434b3e91d5544ef737e1492f3dc6c29cadbfdfa5e41df7fb5106a301

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\tcl86t.dll

    Filesize

    1.6MB

    MD5

    c0b23815701dbae2a359cb8adb9ae730

    SHA1

    5be6736b645ed12e97b9462b77e5a43482673d90

    SHA256

    f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768

    SHA512

    ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\tcl\encoding\cp1252.enc

    Filesize

    1KB

    MD5

    5900f51fd8b5ff75e65594eb7dd50533

    SHA1

    2e21300e0bc8a847d0423671b08d3c65761ee172

    SHA256

    14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0

    SHA512

    ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\tk86t.dll

    Filesize

    1.4MB

    MD5

    fdc8a5d96f9576bd70aa1cadc2f21748

    SHA1

    bae145525a18ce7e5bc69c5f43c6044de7b6e004

    SHA256

    1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5

    SHA512

    816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c

  • C:\Users\Admin\Pictures\README.txt

    Filesize

    575B

    MD5

    efd54055b28e173ea64831fc59a0aca8

    SHA1

    cdf18b0692a53cbeed66ee14fa0f54666cf04013

    SHA256

    e3cf65e96fcf774320e0ae4a42d6544f1aef476cd67184432465b2c595180a99

    SHA512

    5ecf69dbdf824a6e0221e7f953ed58889bbd76ee563e9fc7e5d95b68245d0f4af0e0ec5f13f002975b65bacf0cd29027964b9f8c4174134ed08358e41b58f4d5
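A parser for the Downloads layout above, added here as an example rather than taken from the report or from the sandbox vendor. It turns each bullet into a record, checks that every hash has the length and alphabet its algorithm requires (a truncated SHA256 pasted into a blocklist silently matches nothing), separates files that PyInstaller unpacked under _MEI12482 from the one file the payload itself wrote, and verifies a recovered file against a record. SAMPLE is a constructed excerpt reproducing two of the entries above (python38.dll and README.txt) with the report's blank separator lines removed, since the parser skips them anyway; the bytes passed to matches() in the usage are made up.

```python
r"""Parse the report's Downloads block into IoC records and sanity-check them."""
import csv
import hashlib
import io
import re

# Constructed excerpt in the report's layout (bullet = path, then name/value lines).
SAMPLE = r"""
  • C:\Users\Admin\AppData\Local\Temp\_MEI12482\python38.dll
    Filesize
    4.0MB
    MD5
    c0ed63bf515d04803906e1b703e9cb86
    SHA1
    61f9a465d7a782aedfd5e2b1a9dc8bff6c103b5a
    SHA256
    24bfc999a733d4759ca40425610555f597b1d015f87ef5f84e15c665297247a4
    SHA512
    78384c34cefc40cb86913dffdc6a360668467731a8a3678d5f8377d8ae63d244b45506b0b6e2498825b53abe8fd84d2b75b3e9fef3703fead90183ace433e70a
  • C:\Users\Admin\Pictures\README.txt
    Filesize
    575B
    MD5
    efd54055b28e173ea64831fc59a0aca8
    SHA1
    cdf18b0692a53cbeed66ee14fa0f54666cf04013
    SHA256
    e3cf65e96fcf774320e0ae4a42d6544f1aef476cd67184432465b2c595180a99
    SHA512
    5ecf69dbdf824a6e0221e7f953ed58889bbd76ee563e9fc7e5d95b68245d0f4af0e0ec5f13f002975b65bacf0cd29027964b9f8c4174134ed08358e41b58f4d5
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FIELDS = {"Filesize", *HASH_LEN}
MEI_DIR = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)


def parse_downloads(text):
    """One dict per bullet: the path plus whichever FIELDS follow it."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # the report interleaves blank lines
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in FIELDS:
            pending = line                # next non-blank line is this field's value
        elif current is not None and pending is not None:
            current[pending] = line.lower() if pending in HASH_LEN else line
            pending = None
    return records


def validate(record):
    """Hash fields that are missing, truncated or not hex."""
    return [f"{name}: expected {n} hex chars"
            for name, n in HASH_LEN.items()
            if not re.fullmatch(rf"[0-9a-f]{{{n}}}", record.get(name, ""))]


def classify(record):
    """Under a _MEI dir: a dependency PyInstaller unpacked from the sample.
    Anywhere else: something the payload's own code chose to write."""
    return "unpacked-by-pyinstaller" if MEI_DIR.search(record["path"]) else "written-by-payload"


def hashes_of(data):
    return {name: hashlib.new(name.lower(), data).hexdigest() for name in HASH_LEN}


def matches(record, data):
    """True only when every hash in the record agrees with the given bytes."""
    actual = hashes_of(data)
    return all(record.get(name) == actual[name] for name in HASH_LEN)


def to_csv(records):
    cols = ["path", "class", "Filesize", *HASH_LEN]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols)
    writer.writeheader()
    for r in records:
        row = {c: r.get(c, "") for c in cols}
        row["class"] = classify(r)
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE)
    for r in recs:
        print(classify(r), r["path"], validate(r) or "hashes well-formed")
    print(to_csv(recs))
    print(matches(recs[1], b"made-up bytes"))   # a wrong file never matches
```

Feed it the whole Downloads block and the CSV is ready for a blocklist; the validate() pass is the step to keep even if you throw the rest away.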