General

  • Target

    2024-11-06_cd76415a680cf7cb75ce9956151d8f2c_darkgate_ryuk

  • Size

    26.7MB

  • Sample

    241106-d26pcatjcx

  • MD5

    cd76415a680cf7cb75ce9956151d8f2c

  • SHA1

    d77072712ac05e80342c98e5152420e07f14eb87

  • SHA256

    22740a292276906422e5ce341642a68183d08e2c90c8f6a7d39b5b10f7f7a816

  • SHA512

    f47209edcafe0b54de8d69248cbe128e6a150c93c8b9f3f1c3ac963d98e665cc429dd86fba1e4d31a614d52fdc4ce4818c81b68dd29d0d7509cfdfde5d9787f4

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMJ:9nwngnwnBRRRVRw

Malware Config

Targets

    • Target

      2024-11-06_cd76415a680cf7cb75ce9956151d8f2c_darkgate_ryuk

    • Size

      26.7MB

    • MD5

      cd76415a680cf7cb75ce9956151d8f2c

    • SHA1

      d77072712ac05e80342c98e5152420e07f14eb87

    • SHA256

      22740a292276906422e5ce341642a68183d08e2c90c8f6a7d39b5b10f7f7a816

    • SHA512

      f47209edcafe0b54de8d69248cbe128e6a150c93c8b9f3f1c3ac963d98e665cc429dd86fba1e4d31a614d52fdc4ce4818c81b68dd29d0d7509cfdfde5d9787f4

    • SSDEEP

      98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMJ:9nwngnwnBRRRVRw

    • Modifies WinLogon for persistence

    • Renames multiple (91) files with added filename extension

      Many files were renamed with an extra extension appended, which is consistent with ransomware encrypting files on the system.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

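Two of the behaviours listed above are heuristics an analyst can re-run over their own telemetry. The block below is an added example and is not code from the sandbox report or from the sample: it counts in-place renames that append one extension (the signal behind "Renames multiple (91) files with added filename extension") and extracts the launch targets from an autorun.inf (the abuse behind "Drops autorun.inf file"). The file events, the `.locked` extension, the autorun.inf content and the `setup.exe` name are constructed for the example and do not come from the report.

```python
import configparser
import re
from collections import Counter

# Constructed sandbox-style file events (not from the report): 91 documents
# renamed in place with a ".locked" suffix, plus two renames that are not
# "append an extension" and must not count toward the heuristic.
SAMPLE_EVENTS = [
    f"rename C:\\Users\\admin\\Documents\\file{i:03d}.docx"
    f" -> C:\\Users\\admin\\Documents\\file{i:03d}.docx.locked"
    for i in range(91)
] + [
    "rename C:\\Users\\admin\\AppData\\Local\\Temp\\upd.tmp"
    " -> C:\\Users\\admin\\AppData\\Local\\Temp\\upd.exe",
    "rename C:\\Users\\admin\\Desktop\\notes.txt"
    " -> C:\\Users\\admin\\Desktop\\notes-old.txt",
]

RENAME_RE = re.compile(r"^rename (?P<old>.+?) -> (?P<new>.+)$")


def added_extensions(events):
    """Count the extensions appended by in-place renames, i.e. events where
    new == old + '.' + ext. Renames that change the base name or swap the
    extension are ignored, so ordinary software activity does not inflate it."""
    added = Counter()
    for line in events:
        m = RENAME_RE.match(line)
        if not m:
            continue
        old, new = m.group("old"), m.group("new")
        if new.startswith(old + "."):
            ext = new[len(old) + 1:]
            if ext and "\\" not in ext:
                added[ext] += 1
    return added


def suspect_ransomware(events, threshold=50):
    """Mirror the sandbox signature: many files renamed with the same added
    extension. Returns (extension, count) when the threshold is met, else None.
    The threshold of 50 is an assumption for the example, not the sandbox's."""
    added = added_extensions(events)
    if not added:
        return None
    ext, n = added.most_common(1)[0]
    return (ext, n) if n >= threshold else None


# Constructed autorun.inf of the kind the "Drops autorun.inf file" signature
# refers to. "setup.exe" is a placeholder, not a file name from the report.
SAMPLE_AUTORUN = """[autorun]
open=setup.exe
shellexecute=setup.exe
shell\\open\\command=setup.exe
icon=setup.exe,0
label=Documents
"""


def autorun_launch_targets(text):
    """Return the keys in an autorun.inf that cause code execution when the
    volume is mounted or opened (open, shellexecute, shell\\...\\command),
    mapped to the command each would run. Icon/label entries are ignored."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    targets = {}
    for key, value in cp.items("autorun"):
        if key in ("open", "shellexecute") or key.endswith("\\command"):
            targets[key] = value.strip()
    return targets


if __name__ == "__main__":
    print("ransomware heuristic:", suspect_ransomware(SAMPLE_EVENTS))
    print("autorun launch targets:", autorun_launch_targets(SAMPLE_AUTORUN))
```

On real sandbox output the event format differs, so `RENAME_RE` is the only part that needs adapting; the heuristic itself (one extension appended to many files in a short window) is what the report's signature is keying on. For autorun.inf, any non-empty result from `autorun_launch_targets` on a dropped file is worth an alert, since legitimate media rarely needs `shellexecute` or `shell\open\command`.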
MITRE ATT&CK Enterprise v15

Tasks