Analysis

  • max time kernel
    146s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/03/2025, 08:07

General

  • Target

    2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe

  • Size

    30.6MB

  • MD5

    6cc3475b50469100df7c24810d48b89f

  • SHA1

    968829575a378d4d91af615db5e0f7e1db692694

  • SHA256

    14356a2680d913a3e37991e9d7755d86a7c0c6203917c34b0ea422491f3b28ed

  • SHA512

    54352b933f2c8b9fa44fb395c37ac72a54298068e55c9828f03172117bb9bb084e43e01522270876ed39f5d7b166641a74e3ce3035ef4ccda8e77ead8143db98

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMf:9nwngnwnBRRRVRO

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This is a heuristic for ransomware-style encryption of files on the system. Verify it against the renamed files before concluding that they were encrypted: the renamed C:\$Recycle.Bin\S-1-5-21-677481364-2238709445-1347953534-1000\desktop.ini.exe listed under Downloads is 30.6MB, roughly the size of the sample itself, so check whether the renamed files were encrypted in place or overwritten.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes. Here the dropped F:\AutoRun.exe has the same MD5, SHA1 and SHA256 as the submitted sample (see Downloads), so the binary copies itself to the attached volume next to F:\AUTORUN.INF.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
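The autorun.inf / AutoRun.exe pairing above is worth a quick triage check when the same sample turns up on removable media. The following helper is an added example and is not part of the sandbox report or the sample: it parses an autorun.inf, flags the directives that cause Windows to launch a binary from the volume (`open=`, `shellexecute=`, `shell\<verb>\command=`) or spoof the AutoPlay "open folder" entry, and compares any referenced binary on the volume against the SHA256 the report lists for F:\AutoRun.exe. The autorun.inf text in the block is constructed for the demo; the report only gives the size (145B) and hashes of the real F:\AUTORUN.INF, not its contents.

```python
"""Added triage helper for autorun.inf files dropped on removable volumes.
Example code, not part of the sandbox report or the analysed sample."""
import hashlib
import os
import re

# SHA256 of F:\AutoRun.exe as listed in the report above (identical to the
# submitted sample, i.e. the malware copies itself to the attached volume).
KNOWN_BAD_SHA256 = {
    "14356a2680d913a3e37991e9d7755d86a7c0c6203917c34b0ea422491f3b28ed",
}

# Constructed autorun.inf for the demo. The real F:\AUTORUN.INF contents are
# not shown in the report, only its size and hashes.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=AutoRun.exe
icon=AutoRun.exe,0
action=Open folder to view files
shell\\open\\command=AutoRun.exe
shell\\explore\\command=AutoRun.exe
UseAutoPlay=1
"""

_LAUNCH_KEYS = {"open", "shellexecute"}            # direct launch directives
_VERB_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")  # context-menu hijack


def parse_autorun_inf(text):
    """Minimal INI parser tolerant of junk lines (autorun.inf files are often
    padded with garbage). Returns {section_lower: [(key_lower, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def _target_binary(value):
    """'AutoRun.exe,0' -> 'autorun.exe': strips icon index, quotes, arguments."""
    first = value.split(",", 1)[0].strip().strip('"')
    return first.split()[0].lower() if first else ""


def analyze_autorun_inf(text, volume_hashes=None):
    """Return the binaries the file would launch, why it is suspicious, and
    which referenced binaries match a known-bad hash.
    volume_hashes: optional {filename: sha256_hex} for files on the volume."""
    volume_hashes = {k.lower(): v.lower() for k, v in (volume_hashes or {}).items()}
    entries = parse_autorun_inf(text).get("autorun", [])
    targets, reasons = set(), []
    for key, value in entries:
        if key in _LAUNCH_KEYS:
            reasons.append(f"{key}= launches a binary from the volume")
            targets.add(_target_binary(value))
        elif _VERB_CMD_RE.match(key):
            reasons.append(f"{key}= hijacks an Explorer context-menu verb")
            targets.add(_target_binary(value))
        elif key == "action" and "open folder" in value.lower():
            reasons.append("action= mimics the legitimate 'open folder' AutoPlay entry")
    targets.discard("")
    known_bad = {t: volume_hashes[t] for t in targets
                 if volume_hashes.get(t) in KNOWN_BAD_SHA256}
    return {"targets": sorted(targets), "reasons": reasons,
            "known_bad": known_bad, "suspicious": bool(targets)}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_volume_root(root):
    """{filename: sha256} for the top-level files of a mounted volume, the
    only place autorun.inf targets normally resolve from."""
    return {name: sha256_file(os.path.join(root, name))
            for name in os.listdir(root)
            if os.path.isfile(os.path.join(root, name))}


if __name__ == "__main__":
    # Constructed volume listing: AutoRun.exe present with the reported hash.
    demo_hashes = {"AutoRun.exe": next(iter(KNOWN_BAD_SHA256))}
    for k, v in analyze_autorun_inf(SAMPLE_AUTORUN_INF, demo_hashes).items():
        print(f"{k}: {v}")
```

On a real mounted volume, pass `hash_volume_root("F:\\")` (or the mount point on a Linux triage box) as `volume_hashes` and the text of its autorun.inf to `analyze_autorun_inf`; a referenced binary that hashes to the reported SHA256 is a direct match for this sample, while any launch directive at all is reason enough to treat the volume as hostile.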

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2028

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-677481364-2238709445-1347953534-1000\desktop.ini.exe

    Filesize

    30.6MB

    MD5

    d824777583e7c57644089af8a04e0788

    SHA1

    fe185f29c2e789da7b3dcf1c844e00fae8d16b63

    SHA256

    e9463e58125efaaa02627ed6d30f5dcd91cea889f6b22ca5120eba98d3980f5f

    SHA512

    640bd4965c5ff548b24688cfa9fe6d87051967097038590beed0a4ba6d83572a9c7c2d7ea3c547a32cdf929221b191fc1d67e5b5d9fa79fd9c33c10273258e1a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    854e6978effd7288caa455bc53214f6a

    SHA1

    1a0fccb24b15107765d63a0c67a39b59889509d9

    SHA256

    1b4a1f7d261426a02760ccfac19111f22bb858862116ed8b2aa77c40f6c7e853

    SHA512

    eb95368b18603526c250dbc48e80333305384e21165100fb8e10f078b33abce8145613dea8ce89fc15ded51501dfbc17a113e9753e94ca689f6e470946cf73d7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    5132b4aea8fabeb7672be47ff626cfcc

    SHA1

    e25eb80dc6e8f3e95a52fa9be41155c96ceb9784

    SHA256

    419e3f583fd73aa0cadf1e545a1825b9447469b6e1293a05f7b87e377d2ba17d

    SHA512

    3d85359b0aef2f582da28b57f7e13865c2fd666acdbbb4991f4364c68602e8ffccc3198bd3b32ee6e18fa0d7f91fe92b1393978a8e3f5523122c0d53dd9b59a2

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    30.6MB

    MD5

    6cc3475b50469100df7c24810d48b89f

    SHA1

    968829575a378d4d91af615db5e0f7e1db692694

    SHA256

    14356a2680d913a3e37991e9d7755d86a7c0c6203917c34b0ea422491f3b28ed

    SHA512

    54352b933f2c8b9fa44fb395c37ac72a54298068e55c9828f03172117bb9bb084e43e01522270876ed39f5d7b166641a74e3ce3035ef4ccda8e77ead8143db98

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    29.8MB

    MD5

    f9972814ce7382c5e6a3ca7f291aae48

    SHA1

    50f0b705a72f56093d72687d922f61e831f79a77

    SHA256

    cfd5b179331e33274f8b901bf26eabe1c69666be589c8fa2268604dbe656792d

    SHA512

    24d5a8c59bbf7ae65ae04031866beaa894775afe32c6c22a385963846d57ddeef79a0c7969d7aa6cd4ddf5fbd4335a8cff59e3963a52f9d0fe67ac7f97f9efc7

  • memory/2028-10-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/2028-11-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2028-100-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/2028-115-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2112-62-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/2112-95-0x0000000000480000-0x00000000004FB000-memory.dmp

    Filesize

    492KB

  • memory/2112-0-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/2112-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB