General

  • Target

    2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

  • Size

    710KB

  • Sample

    240403-xe4e9ahg69

  • MD5

    9a09071140d404e8fad58688d42d888a

  • SHA1

    5db1e9d1c031a9c33d0e5d7d6037140cc6b9b71b

  • SHA256

    019ba77eb3cfe5913c47625dcc9618b4c04f085fc1a0f9e2c68cdc5ef1a569f6

  • SHA512

    7b2a92df4cb67bb17a82484f7fe267860cec886b8a2f7b70e55093a3460b8a9a2476413aca47aa2cd94738bebc967356ec67296187a7526f60ccb9a36403b31e

  • SSDEEP

    12288:UOeIegN8HI9Omlo0YhCR/cZ1oVD8SwssbLVkZPBEU1soH1Oc15e+bXeHmA0cq:UrIn0I9OMZR/uqqZvSVBEK1T1UT0B

Malware Config

Targets

    • Target

      2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (77) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks