General

  • Target

    2024-04-03_52ef9814c95d98b0656761b76eea14ab_virlock

  • Size

    257KB

  • Sample

    240403-ya1n8sae9t

  • MD5

    52ef9814c95d98b0656761b76eea14ab

  • SHA1

    1e7fa2c018361b90ac4fe47f400dd6d7fb6238db

  • SHA256

    3688755062e4d2c2b5f8fdd279a5bbe7bdeb7b7dba9ca21e25185906d76804a5

  • SHA512

    e225983bb494954476f447791b6bdf17778810537ee6a8c18709c2ff5781ee19fb69fd81ed84cacc92524609e90856d5652ce01351cb6dab9d65b85c235b72a6

  • SSDEEP

    3072:d/h20xW9747yNy24gMkzxXNGnnCwJDHGCSfCkCLA329eTAtV6cQV3+z+JPsLveyh:9A0k1Vwn9t9pLA329eTOr83+vj3dv

Malware Config

Targets

    • Target

      2024-04-03_52ef9814c95d98b0656761b76eea14ab_virlock

    • Size

      257KB

    • MD5

      52ef9814c95d98b0656761b76eea14ab

    • SHA1

      1e7fa2c018361b90ac4fe47f400dd6d7fb6238db

    • SHA256

      3688755062e4d2c2b5f8fdd279a5bbe7bdeb7b7dba9ca21e25185906d76804a5

    • SHA512

      e225983bb494954476f447791b6bdf17778810537ee6a8c18709c2ff5781ee19fb69fd81ed84cacc92524609e90856d5652ce01351cb6dab9d65b85c235b72a6

    • SSDEEP

      3072:d/h20xW9747yNy24gMkzxXNGnnCwJDHGCSfCkCLA329eTAtV6cQV3+z+JPsLveyh:9A0k1Vwn9t9pLA329eTOr83+vj3dv

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (55) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system and appending a new extension to each one.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (deciding whether to run based on the victim's configured region).

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Adds Run key to start application

    • Drops file in System32 directory
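
The signatures above describe behaviour, not how one would recognise it in raw sandbox telemetry. The following is an added example, not code from the sandbox or from the report, that replays several of these behaviours over a constructed event stream and flags them: mass renames that append an extension (the ransomware signature), the Explorer setting that hides file extensions, a Run key addition, a drop into System32, and the registry lookup behind "Checks computer location settings". The event records, process IDs and file names are all made up for illustration, and the registry paths used (HideFileExt under Explorer\Advanced, CurrentVersion\Run, Control Panel\International\Geo\Nation) are the usual Windows locations and are assumptions here; the report does not show the exact keys this sample touched.

```python
import re
from collections import defaultdict

# Constructed sandbox events for illustration; none of this is from the report.
# Each event carries the process id, an event kind, and kind-specific fields.
DOCS = r"C:\Users\u\Documents"
EVENTS = [
    {"pid": 1204, "kind": "file_rename", "src": DOCS + "\\" + n, "dst": DOCS + "\\" + n + ".exe"}
    for n in ("report.docx", "budget.xlsx", "notes.txt", "photo.jpg", "deck.pptx", "cv.pdf")
] + [
    # Benign rename by another process: the extension is replaced, not appended.
    {"pid": 880, "kind": "file_rename", "src": r"C:\tmp\draft.tmp", "dst": r"C:\tmp\draft.txt"},
    # Registry activity. Key paths are assumed (usual Windows locations), not from the report.
    {"pid": 1204, "kind": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "HideFileExt", "data": 1},
    {"pid": 1204, "kind": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svchost", "data": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    {"pid": 1204, "kind": "reg_query",
     "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    # File written into the System32 directory (path is constructed).
    {"pid": 1204, "kind": "file_write", "path": r"C:\Windows\System32\svchost.exe"},
]


def appended_extension(src, dst):
    """Return the extension appended to src to form dst ('exe' for a.docx -> a.docx.exe),
    or None when dst is not simply src plus '.<ext>'."""
    if dst.startswith(src) and len(dst) > len(src) + 1 and dst[len(src)] == ".":
        ext = dst[len(src) + 1:]
        return ext if re.fullmatch(r"[A-Za-z0-9]{1,8}", ext) else None
    return None


def detect(events, rename_threshold=5):
    """Return a sorted list of (pid, finding) tuples for the behaviours of interest."""
    findings = []
    appended = defaultdict(list)  # pid -> extensions appended by that process
    for e in events:
        kind = e["kind"]
        if kind == "file_rename":
            ext = appended_extension(e["src"], e["dst"])
            if ext:
                appended[e["pid"]].append(ext)
        elif kind == "reg_set":
            key = e["key"].lower()
            if key.endswith(r"\explorer\advanced") and e["value"].lower() == "hidefileext" and e["data"] == 1:
                findings.append((e["pid"], "hides_file_extensions"))
            elif key.endswith(r"\currentversion\run"):
                findings.append((e["pid"], "run_key_persistence"))
        elif kind == "reg_query":
            if e["key"].lower().endswith(r"\international\geo") and e["value"].lower() == "nation":
                findings.append((e["pid"], "geo_lookup"))
        elif kind == "file_write":
            if "\\windows\\system32\\" in e["path"].lower():
                findings.append((e["pid"], "drops_in_system32"))
    # Mass rename with an appended extension only counts once a process crosses the threshold;
    # a single rename is normal user activity.
    for pid, exts in appended.items():
        if len(exts) >= rename_threshold:
            findings.append((pid, "mass_rename_appended_ext:%d:%s" % (len(exts), ",".join(sorted(set(exts))))))
    return sorted(findings)


if __name__ == "__main__":
    for pid, finding in detect(EVENTS):
        print(pid, finding)
```

The rename check deliberately requires the destination to be the source plus one more extension, so ordinary renames and extension changes (draft.tmp to draft.txt) do not count; the threshold keeps a handful of legitimate renames from tripping it. Real telemetry would also carry timestamps, which lets the count be bounded to a short window rather than the whole run.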

MITRE ATT&CK Enterprise v15

Tasks