General

  • Target

    2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

  • Size

    149KB

  • Sample

    240403-nstnjada98

  • MD5

    abac5eabd200797739a3103b2f2d6655

  • SHA1

    4a2cd5715a93c82e71af0494d80690b51a8d1edb

  • SHA256

    0a948418020958101baed862d3f0f1d1db28567cc58a8b0b9a40d689aeb15e8f

  • SHA512

    218b9f502e315bde2806f4f1cc303652c1105669322a39a9f533426022bdf46d7b08e5102a71f1b0b1d8ed52ceb966458574d186939b378426ef14d81eff8c07

  • SSDEEP

    3072:JR2x2NfpfMeMyfWhPKnuXd/i3MJ9CLLBuWpMQQf2pcofer9mvK+:rKuo9hK8S3npT7Rfsmy

Malware Config

Targets

    • Target

      2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

    • Size

      149KB

    • MD5

      abac5eabd200797739a3103b2f2d6655

    • SHA1

      4a2cd5715a93c82e71af0494d80690b51a8d1edb

    • SHA256

      0a948418020958101baed862d3f0f1d1db28567cc58a8b0b9a40d689aeb15e8f

    • SHA512

      218b9f502e315bde2806f4f1cc303652c1105669322a39a9f533426022bdf46d7b08e5102a71f1b0b1d8ed52ceb966458574d186939b378426ef14d81eff8c07

    • SSDEEP

      3072:JR2x2NfpfMeMyfWhPKnuXd/i3MJ9CLLBuWpMQQf2pcofer9mvK+:rKuo9hK8S3npT7Rfsmy

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (87) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • UPX dump on OEP (original entry point)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks