General

  • Target

    2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

  • Size

    164KB

  • Sample

    240403-nvp35acf61

  • MD5

    d6e0ac2dad377548df7a1bc100552f83

  • SHA1

    abf37bb9d34e27907c1caf2f32a4fa74a839fb75

  • SHA256

    4b55af0b4dc465f8602b815562f7ee3373eae6a4d8e840ffa3f3d5ebdc4cd57e

  • SHA512

    07cfb1ec1784ff21498aa3144139236d9afac2c6f1ae3443bf2a329d194e5b9dcd0dd840247a0425c7c2f3553cad58173c436013f5b4fcb383702fd4cc3516d5

  • SSDEEP

    3072:/WjS5wmhTYXuQ+jsWQvhZ4aSqziwPhR2TdUyhY/H4sjDf8oyQZiLeBcxuyQ2pu0n:/u78YXuQ+UfdjsY/YsjDf8TQPSK2k0e4

Targets

    • Target

      2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (79) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed.

    • UPX dump on OEP (original entry point)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory
