General

  • Target

    2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

  • Size

    163KB

  • Sample

    240403-ntvxzsdb32

  • MD5

    c1aeba6369a3615061f44778021f6b42

  • SHA1

    d5e40b2f91be6e95891a6f3e111f6a00f448de27

  • SHA256

    357908d9f3abf01fcc8d4d3527483d5b9993cd1f70d7af2897ed313f05a39d97

  • SHA512

    9e4bb49a5230ad624b9224b1f17e4da18345a9c7fece9299035986fc453b7f61c83d2a72486a8f7b674a14575107cf6d661f28709f9aef0450199c2cc3b8edd3

  • SSDEEP

    3072:YHgTPOOwUJRymLMT+2eVyY1+ly6MkCSU2jgPqS01LpTLAwqsonnqBKLtYMlDJ+:YHgCfn7js6Zjg+Qfe0

Malware Config

Targets

    • Target

      2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (71) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system.

    • UPX dump on OEP (original entry point)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks