General

  • Target

    2024-01-25_bdf019ffcdfb81431f1de090fbb129b2_virlock

  • Size

    254KB

  • Sample

    240125-v66ctabgg8

  • MD5

    bdf019ffcdfb81431f1de090fbb129b2

  • SHA1

    f0cf9945a14c5639ccda952a70ed1951d1c7a802

  • SHA256

    fee99bef28dadf631c33fd973e31e4b0860a14aa3301d1b42169e87f4b93db44

  • SHA512

    806fd77414e129aebe2e90e888ec8d570f60d3eaada1ad8bc5b7ca1493b9f17126cc96bb7490e8f30bf4fd78ca6dac10acf3119eff8881fee12437f2e3e87216

  • SSDEEP

    3072:b6JNKoLXusuaFAwbxy9AxJTWT1CHFpGWcZprs/xjPKX58AgyQvBS:WJNesuanw9UpWBCzGWkFiPM7gy5

Malware Config

Targets

    • Target

      2024-01-25_bdf019ffcdfb81431f1de090fbb129b2_virlock

    • Size

      254KB

    • MD5

      bdf019ffcdfb81431f1de090fbb129b2

    • SHA1

      f0cf9945a14c5639ccda952a70ed1951d1c7a802

    • SHA256

      fee99bef28dadf631c33fd973e31e4b0860a14aa3301d1b42169e87f4b93db44

    • SHA512

      806fd77414e129aebe2e90e888ec8d570f60d3eaada1ad8bc5b7ca1493b9f17126cc96bb7490e8f30bf4fd78ca6dac10acf3119eff8881fee12437f2e3e87216

    • SSDEEP

      3072:b6JNKoLXusuaFAwbxy9AxJTWT1CHFpGWcZprs/xjPKX58AgyQvBS:WJNesuanw9UpWBCzGWkFiPM7gy5

    • Kinsing

      Kinsing is a loader written in Golang.

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (85) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks