Resubmissions

26-05-2024 16:12

240526-tnx32sda67 10

25-05-2024 23:21

240525-3cacaaeh66 10

General

  • Target

    ByteVaultX 2.0.exe

  • Size

    9.9MB

  • Sample

    240526-tnx32sda67

  • MD5

    72c65f1b271ae812c9c00fe7dbef3ee7

  • SHA1

    98327e138efdcdbfcb02787ad3f9b729e617df6e

  • SHA256

    d1314cc2b3ddd84224b7b6fe78c9ca75dceed34799b6715086eeacd687e84017

  • SHA512

    21595d8bc9fe4c94a74b28acbe65e9a98f2c39e23d9e41bb5bfcaae01f11c11bfade391f04edd5853081c4ab1df051aa6f71c6203d7eac39b3446a3e357be273

  • SSDEEP

    196608:Th30RIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:mGFG8S1+TtIi+Y9Z8D8CclydoPx

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&

Extracted

  • Path

    C:\Encrypt\encrypt.html

  • Ransom Note

    Your Files Have Been Encrypted Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware The price for the Decryption is $0 in Bitcoin (BTC). Follow these steps to get your decryption: You Do It. But Remember this malware is Just For VMS This is a Test Ransomware Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file. Save the decrypted data to new files or overwrite the original encrypted files if desired. You Will Also Have To install Python and cryptography Please note that the dercyption key is in the path C:\encrypt\Key.txt and please note you have infinite time For support, you can ask ai how to encrypt your data Trustet AI

Targets

    • Target

      ByteVaultX 2.0.exe

    • Size

      9.9MB

    • MD5

      72c65f1b271ae812c9c00fe7dbef3ee7

    • SHA1

      98327e138efdcdbfcb02787ad3f9b729e617df6e

    • SHA256

      d1314cc2b3ddd84224b7b6fe78c9ca75dceed34799b6715086eeacd687e84017

    • SHA512

      21595d8bc9fe4c94a74b28acbe65e9a98f2c39e23d9e41bb5bfcaae01f11c11bfade391f04edd5853081c4ab1df051aa6f71c6203d7eac39b3446a3e357be273

    • SSDEEP

      196608:Th30RIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:mGFG8S1+TtIi+Y9Z8D8CclydoPx

    • Renames multiple (122) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks