General

  • Target

    2024-11-06_1175137f9c43cadfd658988907bb20d9_virlock

  • Size

    139KB

  • Sample

    241106-dcm6psspay

  • MD5

    1175137f9c43cadfd658988907bb20d9

  • SHA1

    e76fd91f3076e9767907752542810436ea8ac51a

  • SHA256

    01d90e0102e1f1bfd81cfd472e767623db370a322162b8fee50a31225bc155ed

  • SHA512

    28706f5decaee1b50a6fa32113f690c3d07512b1f18dd016b8110b663b8c9521cb115b206a739d1256d41d8dac210e66d3c301648f2284797ccfbea6269220b1

  • SSDEEP

    3072:MKren+Ej51kHsoAEtDKDF48fJpHVXpRkr+4v:MKqnFkMoAEtDKDpbzO

Malware Config

Targets

    • Target

      2024-11-06_1175137f9c43cadfd658988907bb20d9_virlock

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (86) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks