General

  • Target

    2024-11-06_84f140df4d83ba2ed489ddb1984e3e0b_darkgate_ryuk

  • Size

    26.7MB

  • Sample

    241106-drcnhssqgz

  • MD5

    84f140df4d83ba2ed489ddb1984e3e0b

  • SHA1

    70219674b3c80eba6fa3ea692798c3fae46c9721

  • SHA256

    007471ad1d9a3179b37fede9ed3df3c6213e113730f7815402001ce59793a0c7

  • SHA512

    c8a950c91f4217532fb950c5be9eb414058f40dd9b901f38bd5e51da54fb00d151fa3e7f0a67b5a52fa437fd9d1fc6d8bf102284f210edaf896fb240d0f26c07

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMr:9nwngnwnBRRRVRo

Malware Config

Targets

    • Target

      2024-11-06_84f140df4d83ba2ed489ddb1984e3e0b_darkgate_ryuk

    • Modifies WinLogon for persistence

    • Renames multiple (91) files with added filename extension

      Many files renamed with the same appended extension is the pattern left by ransomware that encrypts each file and marks it with a new extension.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory
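
The following PowerShell is an added triage example and is not part of the sandbox report or the sample itself. It checks a Windows host for the artifacts the signatures above describe: a modified Winlogon Shell/Userinit value, an autorun.inf at any volume root, a mass of files sharing an unknown appended extension, and new startup-folder entries. It also verifies a local copy of the sample against the SHA256 reported above before anything else is done with it. The sample path, the scan root, the known-extension list, the 50-file threshold and the expected Winlogon defaults (those of current Windows 10/11 builds) are assumptions to adjust for the environment.

```powershell
# Added triage script (not from the report). All paths and thresholds are assumptions.

# 0. Confirm the file on disk is the sample the report describes.
$sample   = 'C:\Triage\sample.bin'   # assumption: local copy of the sample
$reported = '007471ad1d9a3179b37fede9ed3df3c6213e113730f7815402001ce59793a0c7'
if (Test-Path -LiteralPath $sample) {
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $sample).Hash
    if ($hash -ne $reported) { Write-Warning "SHA256 mismatch: $hash" }
    else { Write-Host "Sample SHA256 matches the report." }
}

# 1. Winlogon persistence: Shell and Userinit should still hold their defaults.
#    Defaults below are those of current Windows 10/11 builds (assumption: verify
#    against a known-good machine of the same build).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}
$props = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = $props.$name
    if ($actual -ne $expected[$name]) {
        Write-Warning "Winlogon\$name modified: '$actual' (expected '$($expected[$name])')"
    }
}

# 2. autorun.inf at the root of every file-system volume, with its launch directives.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Write-Warning "autorun.inf present at $inf"
        Get-Content -LiteralPath $inf | Select-String -Pattern '^\s*(open|shellexecute)\s*='
    }
}

# 3. Mass rename: group files under a path by final extension and flag any extension
#    that is not in the known-good list and appears on many files.
$scanRoot  = 'C:\Users'                # assumption: user data is the usual target
$known     = @('.txt','.docx','.xlsx','.pptx','.pdf','.jpg','.png','.lnk','.ini',
               '.dll','.exe','.log','.json','.xml','.zip')
$threshold = 50                        # assumption: tune to the host
Get-ChildItem -Path $scanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Group-Object Extension |
    Where-Object { $_.Count -ge $threshold -and $known -notcontains $_.Name } |
    ForEach-Object { Write-Warning "$($_.Count) files end in '$($_.Name)' under $scanRoot" }

# 4. Startup-folder drops (per-user and all-users), newest first.
$startup = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime
```

Run it from an elevated prompt on the suspect host (or against a mounted image after adjusting the paths); each section prints only when it finds something, so an empty run means none of these four artifacts was present under the assumptions above.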

MITRE ATT&CK Enterprise v15

Tasks