Resubmissions

22-05-2024 15:54

240522-tca45sgd54 10

22-05-2024 15:32

240522-syx1csfh7z 10

19-05-2024 21:56

240519-1tcgvsca5s 10

19-05-2024 21:54

240519-1sln5sbh9x 10

19-05-2024 21:53

240519-1rn3wabh6x 10

19-05-2024 20:56

240519-zq5hsshf3v 10

18-05-2024 09:15

240518-k76pvsda89 10

18-05-2024 00:54

240518-a9ph9acb22 10

General

  • Target

    ByteVaultX 2.0.exe

  • Size

    9.9MB

  • Sample

    240518-k76pvsda89

  • MD5

    98e3408a9432d5046691c4cc744eb244

  • SHA1

    c1e9d2c89d2cb72ee2f0f11ef97b2cb07d070142

  • SHA256

    958e65dedf5f42e310cbf4e7ba87ce130c2b60d95afb1da8f7390f2002f6caa2

  • SHA512

    dd4451441a051a6e9cc1be16702aaea1ce0fee4bd78c30cde050636e573b0ec1fcae4cde654a1928c941410840b8d0f989932779fc59e7bf70ce444029e689d5

  • SSDEEP

    196608:ShFaRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:tGFG8S1+TtIi+Y9Z8D8CclydoPx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg

Extracted

Path

C:\Encrypt\encrypt.html

Ransom Note
Your Files Have Been Encrypted Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware The price for the Decryption is $0 in Bitcoin (BTC). Follow these steps to get your decryption: You Do It. But Remember this malware is Just For VMS This is a Test Ransomware Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file. Save the decrypted data to new files or overwrite the original encrypted files if desired. You Will Also Have To install Python and cryptography Please note that the dercyption key is in the path C:\encrypt\Key.txt and please note you have infinite time For support, you can ask ai how to encrypt your data Trustet AI

Targets

    • Target

      ByteVaultX 2.0.exe

    • Size

      9.9MB

    • MD5

      98e3408a9432d5046691c4cc744eb244

    • SHA1

      c1e9d2c89d2cb72ee2f0f11ef97b2cb07d070142

    • SHA256

      958e65dedf5f42e310cbf4e7ba87ce130c2b60d95afb1da8f7390f2002f6caa2

    • SHA512

      dd4451441a051a6e9cc1be16702aaea1ce0fee4bd78c30cde050636e573b0ec1fcae4cde654a1928c941410840b8d0f989932779fc59e7bf70ce444029e689d5

    • SSDEEP

      196608:ShFaRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:tGFG8S1+TtIi+Y9Z8D8CclydoPx

    • Renames multiple (146) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks