demonware

General

Target

RNSM00463.7z
Size

75.1MB
Sample

241008-ybm5jaybqk
MD5

70762512ab2bcdfe3ba5528929042036
SHA1

3a44bc767c9fb58afee903dd2792518a2b5db9c6
SHA256

28a519359d43eabd0bd2e8b1411e2136f4b77f8c1f46bc5041f65f7d17d0d866
SHA512

86efc123c02ed3988814c3c153f6ca5d0965b3cadf33a85ccc1faae173aae5d5b8067eeb2fa2ec31238bba1673cb10d2a264d06f162c28e34813161eabbdf2ce
SSDEEP

1572864:kIbTKYr+1n5414c9QdeMTNHz7gZ9npl2Hemr3SR8rAqzPNSmkX:RKf4DQd1pTsZDMHJriSrAqzO

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\README.txt

Family

demonware

Ransom Note

Tango Down! Seems like you got hit by DemonWare ransomware! Don't Panic, you get have your files back! DemonWare uses a basic encryption script to lock your files. This type of ransomware is known as CRYPTO. You'll need a decryption key in order to unlock your files. Your files will be deleted when the timer runs out, so you better hurry. You have 10 hours to find your key C'mon, be glad I don't ask for payment like other ransomware. Please visit: https://keys.zeznzo.nl and search for your IP/hostname to get your key. Kind regards, Zeznzo

URLs

https://keys.zeznzo.nl

Targets

- Target
  
  RNSM00463.7z
- Size
  
  75.1MB
- MD5
  
  70762512ab2bcdfe3ba5528929042036
- SHA1
  
  3a44bc767c9fb58afee903dd2792518a2b5db9c6
- SHA256
  
  28a519359d43eabd0bd2e8b1411e2136f4b77f8c1f46bc5041f65f7d17d0d866
- SHA512
  
  86efc123c02ed3988814c3c153f6ca5d0965b3cadf33a85ccc1faae173aae5d5b8067eeb2fa2ec31238bba1673cb10d2a264d06f162c28e34813161eabbdf2ce
- SSDEEP
  
  1572864:kIbTKYr+1n5414c9QdeMTNHz7gZ9npl2Hemr3SR8rAqzPNSmkX:RKf4DQd1pTsZDMHJriSrAqzO
Score

10^/10

demonware raccoon agilenet aspackv2 defense_evasion discovery persistence pyinstaller ransomware spyware stealer upx
- DemonWare
  Ransomware first seen in mid-2020.
  ransomware demonware
- Modifies WinLogon for persistence
  persistence
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Renames multiple (83) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1