General

  • Target

    2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

  • Size

    709KB

  • Sample

    240403-w945lahb8s

  • MD5

    544db6d59b25248df3c9cf9b9b33b544

  • SHA1

    41fcdaa68b616b5ffaff9c4e7a4f76445372102a

  • SHA256

    6d361226ae035f3b21c1cdbc55ddd68ae2eed78b9bcaaa3ab7373d670cfd70be

  • SHA512

    e992a614ee2ea8a0bb07648e44b2f86c34bd627567a46d64481f5fded670e3e1667f5e4985a5be87ae4d754d2e7ffa68e76055e950ccca40343c3a2a8e459d36

  • SSDEEP

    12288:XbccHXQ/j5pGYUd9YTKwdYXspdN9TSR8EJQvct/zrPf5QRNdh3EW9:XbcgQdYYUvYTKapdiRZJJXoh3b

Malware Config

Targets

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (87) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system and appending an extension to each.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive profile data.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks