General

  • Target

    2024-11-06_dac4c568d3ca2d87d5e6cfa1d45d1c0c_darkgate_ryuk

  • Size

    26.7MB

  • Sample

    241106-c9n9latgjr

  • MD5

    dac4c568d3ca2d87d5e6cfa1d45d1c0c

  • SHA1

    2f38ca1bbc173c92ad6e7f33efe8f24abb7918b6

  • SHA256

    1e066e2b637e66c0db11b2a8b3af4e74eb778a6a8cc31cf3d9a8d9fe403917c0

  • SHA512

    ecb399c915d39deff1d4c6e03331cde6306bfe08c3f7d9959dcdbdfc0ca5499642f3916cac59bb6dc5eb0b8cdd6fc3197256eb2adb627097f8dcb02cc82b7cfe

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMO:9nwngnwnBRRRVRp

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Renames multiple (91) files with added filename extension

      This suggests ransomware activity, namely the encryption of all files on the system.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks