General

  • Target

    2024-11-12_363b885a4d48aa274c8ede896f7e6512_virlock

  • Size

    645KB

  • Sample

    241112-jw1tssybpm

  • MD5

    363b885a4d48aa274c8ede896f7e6512

  • SHA1

    857f60d2a41d1dfddc474ba363c25af2620a448d

  • SHA256

    db0b1b978189a863b13c05c269a1da8703ad598629c1471c2ebe731da45de611

  • SHA512

    57989e76074eaa7ae26c2ab754729bbbc565f05afb8247f95bb659f111f1018ae06f80ecbae2b86214c44aa66245953d2b4345424b39485c5aada67791724a9c

  • SSDEEP

    12288:kg4kNHNCMuEWCDXoWWkBR3WA/4qYFlTdq2UkStrHq8z3TFuVhaCMc4rRcuWIaEZP:kgHduEW4XoJoWiYFh4MSYx6rmnEZoK

Malware Config

Targets

    • Target

      2024-11-12_363b885a4d48aa274c8ede896f7e6512_virlock

    • Size

      645KB

    • MD5

      363b885a4d48aa274c8ede896f7e6512

    • SHA1

      857f60d2a41d1dfddc474ba363c25af2620a448d

    • SHA256

      db0b1b978189a863b13c05c269a1da8703ad598629c1471c2ebe731da45de611

    • SHA512

      57989e76074eaa7ae26c2ab754729bbbc565f05afb8247f95bb659f111f1018ae06f80ecbae2b86214c44aa66245953d2b4345424b39485c5aada67791724a9c

    • SSDEEP

      12288:kg4kNHNCMuEWCDXoWWkBR3WA/4qYFlTdq2UkStrHq8z3TFuVhaCMc4rRcuWIaEZP:kgHduEW4XoJoWiYFh4MSYx6rmnEZoK

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (76) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks