General

  • Target

    2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

  • Size

    152KB

  • Sample

    240403-npwzgsda78

  • MD5

    6d632f83ec89a2fc92ad238f512e63c7

  • SHA1

    5fc0bc98206c47ae37ef9e508dd731cffc856570

  • SHA256

    fd5c5b32fc598588d980a1d4b54f4739bd376da59457f16efb3e8ba0076272b7

  • SHA512

    20967d1cf11aed1bb66ec8bb3e9ce2628ae9e9eb1acd6d22a9c4bf52a738bdc11fe962e502507d5e4927c029c52b669010f181073e9b182eafd84d13958dbca6

  • SSDEEP

    3072:ZY4RZr5Cwo16UrsE1MER2SHRXklwSRfoTBdHRZm0DxgRvw:ZY8qwa6c1MniZkXoXHjDxgRv

Targets

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (72) files with added filename extension

      This suggests ransomware activity: encrypting the files on the system.

    • UPX dump on OEP (original entry point)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application
