General

  • Target

    2024-10-20_772c8dae29c8bd73d1358fa6084ced5e_virlock

  • Size

    156KB

  • Sample

    241020-hgwe4avang

  • MD5

    772c8dae29c8bd73d1358fa6084ced5e

  • SHA1

    a987059e813d24814a8784a004e0fffa465fd124

  • SHA256

    0be0e24cbe73be277cdd7452eb304454f638370ef707a9b0900053a84bd937db

  • SHA512

    9c3ccbcb3be2ae2da34b9c26bcd19258990e48ddc82c7a3f9848ad68c489caee6fbd617ac976d5bc33c6dfb8d5f77f4dbfe7c6021fabae9e65a4d3194f15b76d

  • SSDEEP

    3072:jmPQECj2jNSlYd9DSM6ce8qJ5+alQVEiDX7Ph9xFivAXIGbPHLd:jnEq2jNSlYzSvP8qJ55GTrdsAXI0Prd

Malware Config

Targets

    • Target

      2024-10-20_772c8dae29c8bd73d1358fa6084ced5e_virlock

    • Size

      156KB

    • MD5

      772c8dae29c8bd73d1358fa6084ced5e

    • SHA1

      a987059e813d24814a8784a004e0fffa465fd124

    • SHA256

      0be0e24cbe73be277cdd7452eb304454f638370ef707a9b0900053a84bd937db

    • SHA512

      9c3ccbcb3be2ae2da34b9c26bcd19258990e48ddc82c7a3f9848ad68c489caee6fbd617ac976d5bc33c6dfb8d5f77f4dbfe7c6021fabae9e65a4d3194f15b76d

    • SSDEEP

      3072:jmPQECj2jNSlYd9DSM6ce8qJ5+alQVEiDX7Ph9xFivAXIGbPHLd:jnEq2jNSlYzSvP8qJ55GTrdsAXI0Prd

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (80) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks