a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c

General

Target

ByteVaultX 2.0.exe
Size

9.9MB
Sample

240525-3wjp3afg59
MD5

26001ddd86377ac2ec3fcedb8d6f36b9
SHA1

cf4d832df5227ede476c0794cf871a4bcecb4d36
SHA256

a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c
SHA512

a09fe56683b4a42ce02b0e1e28557223bf0e925212e9f6541a805b914e08ab06843821d8e991fa0d3709e4e41b55db4c7b95496a29958665d10ab177b5a62277
SSDEEP

196608:9h5kRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:aGFG8S1+TtIi+Y9Z8D8CclydoPx

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&

Extracted

Path

C:\Encrypt\encrypt.html

Ransom Note

Your Files Have Been Encrypted Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware The price for the Decryption is $0 in Bitcoin (BTC). Follow these steps to get your decryption: You Do It. But Remember this malware is Just For VMS This is a Test Ransomware Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file. Save the decrypted data to new files or overwrite the original encrypted files if desired. You Will Also Have To install Python and cryptography Please note that the dercyption key is in the path C:\encrypt\Key.txt and please note you have infinite time For support, you can ask ai how to encrypt your data Trustet AI

Targets

- Target
  
  ByteVaultX 2.0.exe
- Size
  
  9.9MB
- MD5
  
  26001ddd86377ac2ec3fcedb8d6f36b9
- SHA1
  
  cf4d832df5227ede476c0794cf871a4bcecb4d36
- SHA256
  
  a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c
- SHA512
  
  a09fe56683b4a42ce02b0e1e28557223bf0e925212e9f6541a805b914e08ab06843821d8e991fa0d3709e4e41b55db4c7b95496a29958665d10ab177b5a62277
- SSDEEP
  
  196608:9h5kRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:aGFG8S1+TtIi+Y9Z8D8CclydoPx
Score

10^/10

discovery evasion execution persistence ransomware
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Renames multiple (153) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Blocklisted process makes network request
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Modifies Installed Components in the registry
  persistence
- Modifies Windows Firewall
  evasion
- Registers new Print Monitor
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Modifies system executable filetype association
  persistence
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Drops file in System32 directory
- Modifies termsrv.dll
  Commonly used to allow simultaneous RDP sessions.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2 behavioral3