General

  • Target

    2024-05-15_f1182f3f9c134edee1e71f373cccdf5e_virlock

  • Size

    201KB

  • Sample

    240515-nt8tvafh47

  • MD5

    f1182f3f9c134edee1e71f373cccdf5e

  • SHA1

    97ccbca0cf004a67c245c1fe33b68a62ec833c5e

  • SHA256

    4faba2d229cf714c370f43b9e1a095f1347c8faf26179306ad601529b12187a4

  • SHA512

    7f8003f390f8cd6d959a8bc5d120b01894f36f76fb559062695039f46769d5be8727d871f1c7bae13ad3683c6df958285cbb521236ad256efdf8d44e20798c3f

  • SSDEEP

    6144:/3XQuTBvz5HAyiqIWQvansh3IA7gOhM7XvF:/3XQuTlz5oqITansh44pU/

Malware Config

Targets

    • Target

      2024-05-15_f1182f3f9c134edee1e71f373cccdf5e_virlock

    • Size

      201KB

    • MD5

      f1182f3f9c134edee1e71f373cccdf5e

    • SHA1

      97ccbca0cf004a67c245c1fe33b68a62ec833c5e

    • SHA256

      4faba2d229cf714c370f43b9e1a095f1347c8faf26179306ad601529b12187a4

    • SHA512

      7f8003f390f8cd6d959a8bc5d120b01894f36f76fb559062695039f46769d5be8727d871f1c7bae13ad3683c6df958285cbb521236ad256efdf8d44e20798c3f

    • SSDEEP

      6144:/3XQuTBvz5HAyiqIWQvansh3IA7gOhM7XvF:/3XQuTlz5oqITansh44pU/

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (51) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks