General

  • Target

    2024-11-06_6c98625e0177a514725cb84c321d739a_darkgate_ryuk

  • Size

    26.7MB

  • Sample

    241106-czgrrstenn

  • MD5

    6c98625e0177a514725cb84c321d739a

  • SHA1

    f36b1a3e44cb0c33458a5115a2e06a69333c37c0

  • SHA256

    0676b98af787d262a4b430456596a2a5495ac19ceac5c96a8b527c8c2c2f5f3d

  • SHA512

    221739b2a3da23f493a18b7cc5a9300592fef70f44a4732e5b49fc6ccd901e36e5f066df966d8d3f6896ab0a96c30fb438cf559ff61a58293cfa71350040e506

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMa:9nwngnwnBRRRVRd

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Renames multiple (91) files with added filename extension

      This suggests ransomware activity, i.e. encryption of the files on the system.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks