General

  • Target

    2024-05-28_a5edd7783acd799dd6a3f96fd43e6f58_virlock

  • Size

    565KB

  • Sample

    240528-j5bk9sdc64

  • MD5

    a5edd7783acd799dd6a3f96fd43e6f58

  • SHA1

    323867aacc4a4a6aebf864ac6ff41e4d38db2dc1

  • SHA256

    57c175ac821315906f5b507ce9fe3132630aadf77fdab6a70aad3fc171deed7c

  • SHA512

    428d88fe5ef9de54044bbad852afe4ca48b93edeee6348f76826e696bc9ccd39754fc02a25c74fbdb4b2df7f10632e3be7a96d386862697483b6874bef6d7c59

  • SSDEEP

    12288:SEqtszlNSuj0XatrZ8d/mDvLWHlrWNZzd2FoLaPcBwTraDc:S1CPid/eH1vaP3

Targets

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (83) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system and appending an extension to each.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check used to decide whether to run.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Adds Run key to start application
