General

  • Target

    2024-11-06_bf3bccc65a8ef5ceeb2d34c418f91041_darkgate_ryuk

  • Size

    26.7MB

  • Sample

    241106-dxwctawndn

  • MD5

    bf3bccc65a8ef5ceeb2d34c418f91041

  • SHA1

    dd09b4dee1115f9de7856cc064c0c07390fc1d9c

  • SHA256

    241d6e1f093812a24461a7a19348f301ca08320bdf3a4f5753b720e569a4d4a7

  • SHA512

    9d0341bd1d44d7d6ee917bc5a64edbb8c27399fe50677feb565de2fe6256919d88f63053d2ad3725f91cff2648f69fe86b9a1ac0ef84adfe38b53ec537143243

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMW:9nwngnwnBRRRVRD

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Renames multiple (91) files with added filename extension

      This is consistent with ransomware activity: the sample appears to be encrypting files across the system and appending an extension to each.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of drives other than the default C: drive, typically to locate additional volumes to encrypt.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks