General

  • Target

    2024-06-01_bd13093a9901a56dea72f1a41304fa9b_darkgate_ransomlock

  • Size

    1.3MB

  • Sample

    240601-f4cv6aca28

  • MD5

    bd13093a9901a56dea72f1a41304fa9b

  • SHA1

    ccb6d157e85d699c7676f5d5378cb881ea3a34ca

  • SHA256

    656653aa97f4ced7a38878231aeec5121c6a128602e4b47bb68ff1c42606cce8

  • SHA512

    50aa9c594b1cd4e2c55582ba72bf0244db10631675e57168de0166101856387a680bdb8281e4f99fa0904a6721bfddf113d43644dfa9e9e1160dfb5739f03d10

  • SSDEEP

    24576:XwxPanDWDAxfy+t4g6cBLi2iYQOlbQTAIU3:gxPpWTjPJplUTjU3

Malware Config

Targets

    • Target

      2024-06-01_bd13093a9901a56dea72f1a41304fa9b_darkgate_ransomlock

    • Size

      1.3MB

    • MD5

      bd13093a9901a56dea72f1a41304fa9b

    • SHA1

      ccb6d157e85d699c7676f5d5378cb881ea3a34ca

    • SHA256

      656653aa97f4ced7a38878231aeec5121c6a128602e4b47bb68ff1c42606cce8

    • SHA512

      50aa9c594b1cd4e2c55582ba72bf0244db10631675e57168de0166101856387a680bdb8281e4f99fa0904a6721bfddf113d43644dfa9e9e1160dfb5739f03d10

    • SSDEEP

      24576:XwxPanDWDAxfy+t4g6cBLi2iYQOlbQTAIU3:gxPpWTjPJplUTjU3

    • UAC bypass

    • Windows security bypass

    • Detects executables containing artifacts associated with disabling Windows Defender

    • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled
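
The signatures above (Defender exclusions added via PowerShell, a registry key/value combination that disables Defender, a Run key for persistence, Image File Execution Options, the UAC check and the country-code lookup) all leave recognisable API-trace artifacts. The following is an added example of how an analyst could map such a trace onto these behaviours; it is not Tria.ge's detection logic or anything taken from the sample. The `pid=... api=... key="..."` line format, the sample trace itself, the `loader.exe` / `MsMpEng.exe` names and the tag names are constructed for the example; the registry paths (Geo\Nation, Policies\System\EnableLUA, CurrentVersion\Run, Image File Execution Options, Policies\Microsoft\Windows Defender) are the standard locations these checks use.

```python
"""Map constructed sandbox API-trace lines onto the behaviours listed in this report.

Added example, not Tria.ge's own signatures. The trace format
(pid=... api=... key="..." value="..." data="..." cmdline="...") is an
assumption made for the example; adapt parse_line() to a real sandbox's output.
"""
import re
from typing import Dict, List, Set

# Constructed trace: one line per API call a sandbox might log for this sample.
SAMPLE_TRACE = [
    'pid=1234 api=RegQueryValueExW key="HKCU\\Control Panel\\International\\Geo" value="Nation"',
    'pid=1234 api=RegQueryValueExW key="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" value="EnableLUA"',
    'pid=1234 api=CreateProcessW cmdline="powershell.exe -nop -w hidden Add-MpPreference -ExclusionPath C:\\Users\\Public -ExclusionExtension .exe -ExclusionProcess loader.exe"',
    'pid=1234 api=RegSetValueExW key="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" value="DisableAntiSpyware" data="1"',
    'pid=1234 api=RegSetValueExW key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="Updater" data="C:\\Users\\Public\\loader.exe"',
    'pid=1234 api=RegSetValueExW key="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\MsMpEng.exe" value="Debugger" data="C:\\Windows\\System32\\cmd.exe"',
    'pid=1234 api=CreateFileW path="C:\\Users\\Public\\note.txt"',  # benign noise, must not match
]

# key=value pairs; values may be double-quoted (then they may contain spaces).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# PowerShell switches that add Defender exclusions (Add-/Set-MpPreference).
_EXCLUSION_FLAGS = ("-exclusionpath", "-exclusionextension", "-exclusionprocess")

# (key, value) pairs that disable Defender features when set to 1.
_DEFENDER_DISABLE = {
    ("hklm\\software\\policies\\microsoft\\windows defender", "disableantispyware"),
    ("hklm\\software\\policies\\microsoft\\windows defender\\real-time protection", "disablerealtimemonitoring"),
}


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed trace line into a field dict."""
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def classify(ev: Dict[str, str]) -> Set[str]:
    """Return the behaviour tags a single parsed event matches."""
    hits: Set[str] = set()
    api = ev.get("api", "")
    key = ev.get("key", "").lower()
    value = ev.get("value", "").lower()
    cmd = ev.get("cmdline", "").lower()

    if api == "CreateProcessW" and "powershell" in cmd:
        if ("add-mppreference" in cmd or "set-mppreference" in cmd) and any(f in cmd for f in _EXCLUSION_FLAGS):
            hits.add("defender_exclusion_via_powershell")

    if api == "RegSetValueExW":
        if (key, value) in _DEFENDER_DISABLE and ev.get("data") == "1":
            hits.add("defender_disable_registry")
        if key.endswith("\\currentversion\\run") or key.endswith("\\currentversion\\runonce"):
            hits.add("run_key_persistence")
        if "\\image file execution options\\" in key and value == "debugger":
            hits.add("ifeo_debugger")

    if api == "RegQueryValueExW":
        if key.endswith("\\policies\\system") and value == "enablelua":
            hits.add("uac_enabled_check")
        if key.endswith("\\international\\geo") and value == "nation":
            hits.add("country_code_lookup")

    return hits


def triage(lines: List[str]) -> Dict[str, List[int]]:
    """Map each behaviour tag to the indices of the trace lines that triggered it."""
    report: Dict[str, List[int]] = {}
    for idx, line in enumerate(lines):
        for tag in classify(parse_line(line)):
            report.setdefault(tag, []).append(idx)
    return report


if __name__ == "__main__":
    for tag, where in sorted(triage(SAMPLE_TRACE).items()):
        print(f"{tag:36s} lines {where}")
```

Registry reads (the UAC and country-code checks) only show up in an API trace or an analyst's debugger session, not in Sysmon, which logs registry writes but not `RegQueryValueEx`; that is why the example keys its geofence and UAC rules on the query API rather than on a set-value event.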

MITRE ATT&CK Enterprise v15

Tasks