General

  • Target

    396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe

  • Size

    9.9MB

  • Sample

    240525-3w7f5afa9x

  • MD5

    396f35b1bdeb8dd81739eb7f2cc769d0

  • SHA1

    d678bafbf8a85922cc9d38293c35a805844eeef3

  • SHA256

    261ffc5a219a6a834eb57c4595b28912aa78f75eff32caa3d79d44c5ff400c60

  • SHA512

    cf89004f3ff589589ecd00863c9a92dbb81375be3b1ef8e2231afe23c161b72a61c3a39de268486cfde0d1a1694a2fbac235075515df2b0e27dee12992e83bca

  • SSDEEP

    196608:OhHFRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:MGFG8S1+TtIi+Y9Z8D8CclydoPx

Malware Config

Extracted

Path

C:\Encrypt\encrypt.html

Ransom Note
Your Files Have Been Encrypted
Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware
The price for the Decryption is $0 in Bitcoin (BTC).
Follow these steps to get your decryption:
You Do It. But Remember this malware is Just For VMS This is a Test Ransomware
Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware
Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file.
Save the decrypted data to new files or overwrite the original encrypted files if desired.
You Will Also Have To install Python and cryptography
Please note that the decryption key is in the path C:\encrypt\Key.txt and please note you have infinite time
For support, you can ask ai how to encrypt your data
Trusted AI
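The note says the files are Fernet tokens and that the key sits in C:\encrypt\Key.txt. Before running any decryptor on a real victim machine, a responder wants to confirm that the key on disk actually authenticates the encrypted files. The script below is an added example written for this page, not code from the sample or the sandbox: it decodes a Fernet key, parses each token (version byte 0x80, 64-bit big-endian timestamp, 16-byte IV, AES-128-CBC ciphertext, HMAC-SHA256 tag keyed with the first 16 bytes of the key) and checks the HMAC using only the standard library, so it runs on a Linux analysis box without the `cryptography` package. `decrypt_file` does need `cryptography`, as the note itself says. The key and tokens in the `__main__` block are constructed for the demo; `build_token` only wraps arbitrary bytes in the token framing and is not the sample's encryption routine.

```python
import base64
import hashlib
import hmac
import os
import struct
from datetime import datetime, timezone
from pathlib import Path


def load_fernet_key(raw: bytes) -> tuple:
    """Decode the url-safe base64 key from Key.txt into (signing_key, encryption_key).

    A Fernet key is 32 random bytes: the first 16 key the HMAC, the last 16 are the AES-128 key.
    """
    key = base64.urlsafe_b64decode(raw.strip())
    if len(key) != 32:
        raise ValueError("Fernet key must decode to 32 bytes, got %d" % len(key))
    return key[:16], key[16:]


def inspect_token(token: bytes, signing_key: bytes) -> dict:
    """Parse one encrypted file (a Fernet token) and verify its HMAC against the key.

    Layout: 0x80 | 8-byte big-endian timestamp | 16-byte IV | ciphertext | 32-byte HMAC-SHA256.
    """
    data = base64.urlsafe_b64decode(token.strip())
    if len(data) < 1 + 8 + 16 + 32 or data[0] != 0x80:
        raise ValueError("not a Fernet token")
    signed, tag = data[:-32], data[-32:]
    expected = hmac.new(signing_key, signed, hashlib.sha256).digest()
    timestamp = struct.unpack(">Q", data[1:9])[0]
    return {
        "encrypted_at": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "iv": data[9:25].hex(),
        "ciphertext_len": len(signed) - 25,
        "authentic": hmac.compare_digest(tag, expected),
    }


def build_token(signing_key: bytes, ciphertext: bytes, timestamp: int, iv: bytes) -> bytes:
    """Wrap already-encrypted bytes in Fernet framing. Used here only to construct test input;
    the real sample produced its tokens with cryptography's Fernet class."""
    signed = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, signed, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(signed + tag)


def triage(key_b64: bytes, tokens) -> list:
    """Check every encrypted file against the key before attempting recovery."""
    signing_key, _ = load_fernet_key(key_b64)
    return [inspect_token(t, signing_key) for t in tokens]


def decrypt_file(path, key_b64: bytes) -> bytes:
    """Recover one file with the key from Key.txt; requires `pip install cryptography`.
    ttl=None ignores the token age, since the note sets no deadline. The caller decides
    where to write the plaintext: the page does not state which extension was appended."""
    from cryptography.fernet import Fernet  # imported lazily, only needed for real recovery
    return Fernet(key_b64.strip()).decrypt(Path(path).read_bytes(), ttl=None)


if __name__ == "__main__":
    # Constructed demo data: a random key, one well-formed token and one tampered copy.
    key = base64.urlsafe_b64encode(os.urandom(32))
    signing_key, _ = load_fernet_key(key)
    good = build_token(signing_key, os.urandom(48), 1716595200, os.urandom(16))
    raw = bytearray(base64.urlsafe_b64decode(good))
    raw[30] ^= 0x01  # flip a ciphertext bit: the HMAC no longer matches
    bad = base64.urlsafe_b64encode(bytes(raw))
    for info in triage(key, [good, bad]):
        print(info)
```

Run the triage over every encrypted file first; a token whose `authentic` field is False means either the key in Key.txt is not the one that produced that file or the file was altered after encryption, and `Fernet.decrypt` would raise `InvalidToken` on it anyway. The `encrypted_at` timestamp is also a useful timeline artefact for the incident write-up.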

Targets

    • Target

      396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe

    • Size

      9.9MB

    • MD5

      396f35b1bdeb8dd81739eb7f2cc769d0

    • SHA1

      d678bafbf8a85922cc9d38293c35a805844eeef3

    • SHA256

      261ffc5a219a6a834eb57c4595b28912aa78f75eff32caa3d79d44c5ff400c60

    • SHA512

      cf89004f3ff589589ecd00863c9a92dbb81375be3b1ef8e2231afe23c161b72a61c3a39de268486cfde0d1a1694a2fbac235075515df2b0e27dee12992e83bca

    • SSDEEP

      196608:OhHFRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:MGFG8S1+TtIi+Y9Z8D8CclydoPx

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring, block at first sight, and similar protections.

    • Renames multiple (153) files with added filename extension

      Mass renaming with an appended filename extension is consistent with ransomware encrypting files on the system; 153 files were renamed during this run.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Command and Scripting Interpreter: PowerShell

      Runs commands through powershell.exe.
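Three of the signatures above (mass rename with an added extension, Task Manager disabled through the registry, PowerShell execution) are simple enough to re-implement over a behaviour log, which is useful when you want to score the same indicators on your own EDR or sysmon exports. The code below is an added example written for this page, not the sandbox's signature engine: the `Event` record shape, the `RENAME_THRESHOLD` of 10 and the `.locked` extension in the constructed sample events are all assumptions of the example (the page reports 153 renames but does not state which extension the sample appended). The `DisableTaskMgr` value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System` is the standard policy location that hides Task Manager.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
import ntpath  # Windows path handling, so this runs on a Linux analysis host too


@dataclass(frozen=True)
class Event:
    """One behaviour-log record (constructed format for this example)."""
    kind: str         # "rename", "regset" or "process"
    subject: str      # rename: old path; regset: key\value; process: image path
    detail: str = ""  # rename: new path; regset: data written; process: command line


RENAME_THRESHOLD = 10  # assumption: the report fired on 153 renames


def added_extension(old: str, new: str) -> Optional[str]:
    """Return the suffix a rename appended to the original filename, or None.

    Only same-directory renames where the new name is old name + suffix count,
    so an ordinary rename such as notes.txt -> notes_old.txt is ignored.
    """
    if ntpath.dirname(old).lower() != ntpath.dirname(new).lower():
        return None
    o, n = ntpath.basename(old), ntpath.basename(new)
    if n.startswith(o) and len(n) > len(o):
        return n[len(o):]
    return None


def evaluate(events: List[Event]) -> List[str]:
    """Run the three signatures over a list of events and return the ones that fired."""
    hits = set()
    renames_by_ext = Counter()
    for e in events:
        if e.kind == "rename":
            ext = added_extension(e.subject, e.detail)
            if ext:
                renames_by_ext[ext] += 1
        elif e.kind == "regset":
            if e.subject.lower().endswith(r"\policies\system\disabletaskmgr") and e.detail.strip() == "1":
                hits.add("Disables Task Manager via registry modification")
        elif e.kind == "process":
            if ntpath.basename(e.subject).lower() == "powershell.exe":
                hits.add("Command and Scripting Interpreter: PowerShell")
    # Count only extensions that were appended to many files; one-off renames are noise.
    renamed = sum(n for n in renames_by_ext.values() if n >= RENAME_THRESHOLD)
    if renamed:
        hits.add(f"Renames multiple ({renamed}) files with added filename extension")
    return sorted(hits)


# Constructed sample log: 12 documents get ".locked" appended, one benign rename,
# the Task Manager policy write, and a PowerShell launch.
SAMPLE_EVENTS = [
    Event("rename", rf"C:\Users\victim\Documents\doc{i}.docx",
          rf"C:\Users\victim\Documents\doc{i}.docx.locked")
    for i in range(12)
] + [
    Event("rename", r"C:\Users\victim\Desktop\notes.txt", r"C:\Users\victim\Desktop\notes_old.txt"),
    Event("regset", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "1"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The threshold is the knob that matters in practice: a user bulk-renaming photos can trip a low threshold, while a ransomware run that touches hundreds of files per directory will clear almost any value, so tune it per data source rather than per sample.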

MITRE ATT&CK Enterprise v15

Tasks