Overview

overview

10

Static

static

3

a37c17c442...7c.exe

windows7-x64

7

a37c17c442...7c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c

  • Size

    9.9MB

  • Sample

    240526-ahe6hagc69

  • MD5

    26001ddd86377ac2ec3fcedb8d6f36b9

  • SHA1

    cf4d832df5227ede476c0794cf871a4bcecb4d36

  • SHA256

    a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c

  • SHA512

    a09fe56683b4a42ce02b0e1e28557223bf0e925212e9f6541a805b914e08ab06843821d8e991fa0d3709e4e41b55db4c7b95496a29958665d10ab177b5a62277

  • SSDEEP

    196608:9h5kRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:aGFG8S1+TtIi+Y9Z8D8CclydoPx

Score
10/10
evasionexecutionpyinstallerransomware

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&

Extracted

Path

C:\Encrypt\encrypt.html

Ransom Note
Your Files Have Been Encrypted Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware The price for the Decryption is $0 in Bitcoin (BTC). Follow these steps to get your decryption: You Do It. But Remember this malware is Just For VMS This is a Test Ransomware Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file. Save the decrypted data to new files or overwrite the original encrypted files if desired. You Will Also Have To install Python and cryptography Please note that the dercyption key is in the path C:\encrypt\Key.txt and please note you have infinite time For support, you can ask ai how to encrypt your data Trustet AI

Targets

    • Target

      a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c

    • Size

      9.9MB

    • MD5

      26001ddd86377ac2ec3fcedb8d6f36b9

    • SHA1

      cf4d832df5227ede476c0794cf871a4bcecb4d36

    • SHA256

      a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c

    • SHA512

      a09fe56683b4a42ce02b0e1e28557223bf0e925212e9f6541a805b914e08ab06843821d8e991fa0d3709e4e41b55db4c7b95496a29958665d10ab177b5a62277

    • SSDEEP

      196608:9h5kRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:aGFG8S1+TtIi+Y9Z8D8CclydoPx

    Score
    10/10
    evasionexecutionransomware

    • Renames multiple (149) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Tasks