7f65b5d7be7a9e563e1b577ff1d95c891b16fa9871dc748c7640e6589e6902db | Triage

Submit
Reports

Overview

overview

9

Static

static

3

ByteVault.exe

windows10-1703-x64

9

ByteVault.exe

windows10-2004-x64

9

ByteVault.exe

windows11-21h2-x64

9

Resubmissions

07-05-2024 19:29

240507-x7rbdsed93 9

07-05-2024 18:20

240507-wyy47she2x 9

07-05-2024 17:15

240507-vs3prsac54 9

07-05-2024 08:54

240507-ktxvsshc9s 9

Sharing

General

Target

ByteVault.exe
Size

9.8MB
Sample

240507-vs3prsac54
MD5

25a7375d3a6597707493a0841e878bce
SHA1

173a8e00b00d84830e06b1f3d63988fe895fa001
SHA256

7f65b5d7be7a9e563e1b577ff1d95c891b16fa9871dc748c7640e6589e6902db
SHA512

110518ee80839dcf0e826bfdb41c16591deac371865b3635ef08b005a823e53c296d9de0be9eeba3d6e1c5413905f4d4d8ef175748c2c6e48801b9149668cee9
SSDEEP

196608:fhfefIk7AHkPkRJW9GNZA1HeT39IigaeE9TFa0Z8DOjCdylwo1nz8QW7tx:0QFG8S1+TtIiEY9Z8D8CclPdoPx

Score

9^/10

evasion execution pyinstaller ransomware

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

ByteVault.exe

Resource

win10-20240404-en

evasion execution ransomware

windows10-1703-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

ByteVault.exe

Resource

win10v2004-20240419-en

evasion execution pyinstaller ransomware

windows10-2004-x64

34 signatures

150 seconds

Behavioral task

behavioral3

Sample

ByteVault.exe

Resource

win11-20240419-en

evasion execution ransomware

windows11-21h2-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  ByteVault.exe
- Size
  
  9.8MB
- MD5
  
  25a7375d3a6597707493a0841e878bce
- SHA1
  
  173a8e00b00d84830e06b1f3d63988fe895fa001
- SHA256
  
  7f65b5d7be7a9e563e1b577ff1d95c891b16fa9871dc748c7640e6589e6902db
- SHA512
  
  110518ee80839dcf0e826bfdb41c16591deac371865b3635ef08b005a823e53c296d9de0be9eeba3d6e1c5413905f4d4d8ef175748c2c6e48801b9149668cee9
- SSDEEP
  
  196608:fhfefIk7AHkPkRJW9GNZA1HeT39IigaeE9TFa0Z8DOjCdylwo1nz8QW7tx:0QFG8S1+TtIiEY9Z8D8CclPdoPx
Score

9^/10

evasion execution ransomware pyinstaller
- Renames multiple (153) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

evasionexecutionransomware

behavioral2

evasionexecutionpyinstallerransomware

behavioral3

evasionexecutionransomware

© 2018-2024

Terms | Privacy