Overview

overview

10

Static

static

3

2025-03-21...uk.exe

windows7-x64

10

2025-03-21...uk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21/03/2025, 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe

  • Size

    29.8MB

  • MD5

    3baa33b585db6fa01362e10102ff6e80

  • SHA1

    8a10705e0ffe8080b8f34bd13b133ecec2a0fd59

  • SHA256

    e78b79db5da6e943f667fc6fb01b917676d1688f4084feb2880b9331ae9a6d35

  • SHA512

    9b3df0489a7317c8d225dc2ef949dc62aaae0ba6b251f4df8719a174cd4ab92b561c63a169efc260a080c81764cbdb090df01aff83d621e52f802d88e719a71f

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMx:9nwngnwnBRRRVRm

Score
10/10
discoverypersistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.exe
    Filesize

    29.8MB

    MD5

    520370b0b16894ae2c47e1306aba5944

    SHA1

    b24d3e2e7c0fb50c3e8dd46b775b7b5bd6d110a2

    SHA256

    4c8c5891cb966ce5581492fa28c24df5cc1da369bf0c12d6640deb1e1f51dba5

    SHA512

    37873ee847703fea8351d003a38189fd4c79db4c74981aa3f0b46fe40a51d0bc5196571e4b0ead0742b124ab27018071af44b77a9dcf0a526ffb178b3c61c5cf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    d86aa6ccdfc5894411a0eb9bfa025507

    SHA1

    f3c7ddc3fb2dd096433551a43a96e345586d1e44

    SHA256

    03a2b4bd679a29b911e9b0129e02eed1f66887072449160252176bcc19aa41ca

    SHA512

    18f89756794891691209b497a32eeafa75677c18a876840bed302ea50b4c07b287cf7ce46c51c4f544d9c4c0316d6bd791e9d681e0b9f23ba042e9fc7b2f400c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    b319464faa6a693f4c1cfa5f638165f0

    SHA1

    126c0e7170cc112c2622a52017f9f45ca4ebfaef

    SHA256

    a9f97aa73709d2186bf92ec02dab403a22d5bb51c855a29e897b05bb18fd51e6

    SHA512

    a2bf1626ebc1b2f932a3cddf79d3165595eff2a88dfa874e68e5dc98f1cd8daaa46c0271e42b3a54302a1b571d9f0b3c75ef8041c386ad261ef89987e419584a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    fb121def4ca4838122a62d7a5e152766

    SHA1

    f8209b179e325342272bc1e75d28a620128916f3

    SHA256

    2f5f1457d71911cbd0ddffb55ef79f62414e60358bf48c2846456f42437e68ec

    SHA512

    f9db83cae2e3ec611a63ed555345ea0df99b2657d996be7c8010ddfcdc9357544b5a48e50921a894d8136f584e884a0b00c4c2af309864c65c158e01e4cee729

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    29.8MB

    MD5

    3baa33b585db6fa01362e10102ff6e80

    SHA1

    8a10705e0ffe8080b8f34bd13b133ecec2a0fd59

    SHA256

    e78b79db5da6e943f667fc6fb01b917676d1688f4084feb2880b9331ae9a6d35

    SHA512

    9b3df0489a7317c8d225dc2ef949dc62aaae0ba6b251f4df8719a174cd4ab92b561c63a169efc260a080c81764cbdb090df01aff83d621e52f802d88e719a71f

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    29.1MB

    MD5

    9b03721e6e174af6833eac71e587e97f

    SHA1

    13ef639527cf979371ccaa47d39ef3bbcf1d8bb7

    SHA256

    ec0ceb2e039f68a43d808efcbe0d9105f6b2a9f703df9f4e3178695e043abf6d

    SHA512

    d9154495936b0b09905036855b8469d7e7b32f9daa2167508d181361dd67696e4e446a4dde7a16ebd22cd3e56128e83e3dcac218919008f2735f10767c301619

    Download Submit

  • memory/2776-18-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2776-19-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2776-12-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2876-17-0x00000000006E0000-0x000000000075B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2876-16-0x00000000006E0000-0x000000000075B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2876-0-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2876-14-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2876-13-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2876-9-0x00000000006E0000-0x000000000075B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2876-10-0x00000000006E0000-0x000000000075B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2876-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download