General

  • Target

    2024-05-15_b8c1e2b7a4edcf990e2b4bd45183a7c0_virlock

  • Size

    229KB

  • Sample

    240515-ntk3safg94

  • MD5

    b8c1e2b7a4edcf990e2b4bd45183a7c0

  • SHA1

    91b1c05332325e19f5a572ec7ef48705a9a7a4f5

  • SHA256

    25cef3e2290e846d0c99126f245ff6b04831cc9fc6ab39b1070e4dc5843757e3

  • SHA512

    5b61208c6c6b75944bf397bb94ccf0baae618719f92b5f1bb0499d328e80d57cc312a22510e1062e79eae4913b3c178364c1e03b3439f246e1b75d1b2bebfc63

  • SSDEEP

    3072:N40YyBf+a1DOdRrG+QMHt93CJwCI4la816bmRePvQirVcQZ9KsvcFLDMWsZlD4iH:NpJV1mX3CIIH0vnci9K9LINV4iYAMb

Targets

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (61) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Drops file in System32 directory