General

  • Target

    2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

  • Size

    163KB

  • Sample

    240407-3fcltahh45

  • MD5

    3d894f3a2ff01049d00ec8cb12c42ae5

  • SHA1

    74c4777ad2b799a225cd805b19feb8cb3509f300

  • SHA256

    2cbfc88391763ef2cea1a1307642a6e24daf41170321cd2c05e7d97a7329fc82

  • SHA512

    00b4dfc0831c1517c3ee82b62e4607ba516e87dc965065c8cbc5d4045c8a78e5199ae3e8a99ad117b204f3f1e230021f859e963e0e8defca38a0263ca4b9dbdd

  • SSDEEP

    3072:7WlTZCkx9x0MNAhspumCQCqXC+G9tQO/k2FC5kljGamWkYdzdEI9hUCPBQixxRt9:7WpZCwO8uxx7NckljGaZkYdzh92CPRxX

Malware Config

Targets

    • Target

      2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

    • Size

      163KB

    • MD5

      3d894f3a2ff01049d00ec8cb12c42ae5

    • SHA1

      74c4777ad2b799a225cd805b19feb8cb3509f300

    • SHA256

      2cbfc88391763ef2cea1a1307642a6e24daf41170321cd2c05e7d97a7329fc82

    • SHA512

      00b4dfc0831c1517c3ee82b62e4607ba516e87dc965065c8cbc5d4045c8a78e5199ae3e8a99ad117b204f3f1e230021f859e963e0e8defca38a0263ca4b9dbdd

    • SSDEEP

      3072:7WlTZCkx9x0MNAhspumCQCqXC+G9tQO/k2FC5kljGamWkYdzdEI9hUCPBQixxRt9:7WpZCwO8uxx7NckljGaZkYdzh92CPRxX

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (80) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks