General

  • Target

    Byte Vault D34TH X .bat

  • Size

    5KB

  • Sample

    240516-2mmjxscc35

  • MD5

    af027f0cf448f9e2edf19c1c01011a72

  • SHA1

    9578ca04a957d7300c479cbdd90a71d5c7357e21

  • SHA256

    320825e55cf9bf0332f5480dcbf6b7f4713c68973db3884199627d47cccb46a1

  • SHA512

    bd45b1faf74e81d90371021f8cd2a32fb4fe3d16f7544612453abcbf5ce996979c8c9a615bc64af978b0909a2baa751232525ef3c8cb6941d43169e80c53dffe

  • SSDEEP

    96:zxRasbP5Elry5wCaRWzWLBLVCaRWzWgMGjU8h/8rF8B78MzqVeeyozZWNVyRhz:zxR/b5AhCaRWzWXCaRWzWgMoUWqe71up

Malware Config

  • Extracted

    Language: ps1

    Deobfuscated URLs (exe.dropper):

    https://cdn.discordapp.com/attachments/1181543227728330774/1237538022371754046/ByteVaultX.exe?ex=66473758&is=6645e5d8&hm=86bba81d6232969cb4ade81e882b8bcee5f5dacefa6cc2ac70ca40db4c969e4c&

  • Extracted

    Path: C:\Encrypt\encrypt.html

    Ransom Note:

    Your Files Have Been Encrypted Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware The price for the Decryption is $0 in Bitcoin (BTC). Follow these steps to get your decryption: You Do It. But Remember this malware is Just For VMS This is a Test Ransomware Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file. Save the decrypted data to new files or overwrite the original encrypted files if desired. You Will Also Have To install Python and cryptography Please note that the dercyption key is in the path C:\encrypt\Key.txt and please note you have infinite time For support, you can ask ai how to encrypt your data Trustet AI

Targets

    • Renames multiple (162) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed.

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

MITRE ATT&CK Enterprise v15

Tasks