f8154c2eea0c29ff9da2885c61f0d9e5d85a9ee7287c6f52aa020e53b6a70962

General

Target

40cb56b50754f55e106c4eaf0529e4e0_NeikiAnalytics.exe
Size

9.9MB
Sample

240522-y2ntraeh9w
MD5

40cb56b50754f55e106c4eaf0529e4e0
SHA1

08fd714e21cbb8abb492797057dc9796e7ecaaf6
SHA256

f8154c2eea0c29ff9da2885c61f0d9e5d85a9ee7287c6f52aa020e53b6a70962
SHA512

ef65645e8c99601f658b4f0a44741dc5921f1357fe0907847a02118325d7f5361cc00e45c394fe6c2a9e61d4cc4a6001c9d3fc7480b2357b62eaa1b7cd7e5f14
SSDEEP

196608:LhgfRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:qGFG8S1+TtIi+Y9Z8D8CclydoPx

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&

Extracted

Path

C:\Encrypt\encrypt.html

Ransom Note

Your Files Have Been Encrypted Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware The price for the Decryption is $0 in Bitcoin (BTC). Follow these steps to get your decryption: You Do It. But Remember this malware is Just For VMS This is a Test Ransomware Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file. Save the decrypted data to new files or overwrite the original encrypted files if desired. You Will Also Have To install Python and cryptography Please note that the dercyption key is in the path C:\encrypt\Key.txt and please note you have infinite time For support, you can ask ai how to encrypt your data Trustet AI

Targets

- Target
  
  40cb56b50754f55e106c4eaf0529e4e0_NeikiAnalytics.exe
- Size
  
  9.9MB
- MD5
  
  40cb56b50754f55e106c4eaf0529e4e0
- SHA1
  
  08fd714e21cbb8abb492797057dc9796e7ecaaf6
- SHA256
  
  f8154c2eea0c29ff9da2885c61f0d9e5d85a9ee7287c6f52aa020e53b6a70962
- SHA512
  
  ef65645e8c99601f658b4f0a44741dc5921f1357fe0907847a02118325d7f5361cc00e45c394fe6c2a9e61d4cc4a6001c9d3fc7480b2357b62eaa1b7cd7e5f14
- SSDEEP
  
  196608:LhgfRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:qGFG8S1+TtIi+Y9Z8D8CclydoPx
Score

10^/10

discovery evasion execution ransomware
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Renames multiple (145) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Blocklisted process makes network request
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Drops desktop.ini file(s)
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
behavioral1 behavioral2