General

  • Target

    2024-06-08_7d5b700e6ce1ab6a84e4472957acee76_virlock

  • Size

    150KB

  • Sample

    240608-nlpe8scb23

  • MD5

    7d5b700e6ce1ab6a84e4472957acee76

  • SHA1

    35efc5fbd0d2710fed55c633da85a3e3138e0ce5

  • SHA256

    d73463d1ac707cb026e247093e01920005d8bc3debf0d801cd5055c1a2911382

  • SHA512

    29a9f4ce50870cce44725c4207a05d927ec4c7a4a78241618fbfd312c6c01f8ea03ac455fece4bfb31fdd34c789c9d0fc2fae7a040c55b45703c4af7ef979f16

  • SSDEEP

    3072:NgQYrXbjFDP0fZrw/7vLtzm6bGQitvpv2z/GV49W3t6yJTnNvG0OurV5jvtpzKu/:mQYrXbjFyUrRzmqGQiOzeVj3tzTnsYjK

Malware Config

Targets

    • Modifies visibility of file extensions in Explorer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • Renames multiple (53) files with added filename extension

      This suggests ransomware activity, i.e. encryption of files across the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks