Analysis
-
max time kernel
140s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
19-02-2024 01:24
Behavioral task
behavioral1
Sample
2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe
-
Size
11.9MB
-
MD5
e57bbb2ab183586ff33d8eeefad512d4
-
SHA1
2f6161e0a440592e626886dc6844468cb0c533bb
-
SHA256
a97eab720061c4131c3fa1b850968895ec210fb24f4d9192b9700a6aad3bbcb0
-
SHA512
3004e3d18aa312c8272258662fd829ee7d70c600d1ae585f6a63fd4b4ccbac06859869b1fcff532b063a73cade5df2dd09c2beff19e59654cd8d9f07096490a2
-
SSDEEP
196608:ewpf4Dz52nt/tv1MfHrODpFC4g0AVIGve8ZJ9BIBxIFO48RmU/3ZlsPvmucM8C1Y:vl4Dgt/xcKLgtIGJYXIotN3ZWLb2
Malware Config
Extracted
C:\Users\Admin\Pictures\README.txt
demonware
https://keys.zeznzo.nl
Signatures
-
DemonWare
Ransomware first seen in mid-2020.
-
Loads dropped DLL 36 IoCs
Processes (2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe):
pid 3620 | Process 2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe (the same entry is listed for each of the 36 IoCs)
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes (2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe):
description: PID 1248 wrote to memory of 3620 | pid 1248 | Process 2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe | procid_target 84 (the same entry is listed for both IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe" (level 1)
- Suspicious use of WriteProcessMemory
PID:1248
-
C:\Users\Admin\AppData\Local\Temp\2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_e57bbb2ab183586ff33d8eeefad512d4_ponmocup_ryuk.exe" (level 2, child of PID 1248)
- Loads dropped DLL
PID:3620
-
Network
MITRE ATT&CK Matrix
Downloads