General

  • Target

    2024-11-06_c48c3d16cea9ce4f30d0b591c3ad67c4_darkgate_ryuk

  • Size

    26.7MB

  • Sample

    241106-dzw25atfjb

  • MD5

    c48c3d16cea9ce4f30d0b591c3ad67c4

  • SHA1

    793d2ee5adc27cd1b643b078210929b9e78cbae8

  • SHA256

    25506b4a78c9a76e806881477c7c09c404491c8dbb15a902d1aaa8e2dd5c9b8a

  • SHA512

    1763126b4f818897c714019b0e2ec498b134c50829aa2f101c8e9e41b559702d19afdaced0c4feebc9fcfbad6dde3d8f706c2e4a5d6dd456e9453aef460eebf7

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMH:9nwngnwnBRRRVRO

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Renames multiple (91) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks