Analysis
-
max time kernel: 150s
-
max time network: 124s
-
platform: windows7_x64
-
resource: win7-20240729-en
-
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
-
submitted: 05/11/2024, 12:23
Behavioral task
behavioral1
Sample
Ransomware Cyb3r Byt3s.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Ransomware Cyb3r Byt3s.exe
Resource
win10v2004-20241007-en
General
-
Target
Ransomware Cyb3r Byt3s.exe
-
Size
735KB
-
MD5
535bc51f49d1106cf06dfe92ad0444b5
-
SHA1
c2260418363cd0b0d099059e4dde4f2ae61da745
-
SHA256
a834b3d15719bbf9f0c7b5740b8a30de2eb3aee9e24598b3a30e37253e0c154e
-
SHA512
17b6c3bdba740d16e96f2212b9d4b7d82ec4ac94cc24eedaf00b30c556473bf6c11d8d1bbdfe98823685b9d0342bf21fb4f4a9db585d60686dbb60b2e7772de2
-
SSDEEP
12288:U3aga2H7TvoQgRFlyt0CLPj3fNFLk6TNcLhytKdGWXQikDhPKOPY6cUe3XQ2fwCB:zU7Glyt7LvNFLkgNcLhYChkDhPPY6cU2
Malware Config
Signatures
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | Ransomware Cyb3r Byt3s.exe
File created | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc | Ransomware Cyb3r Byt3s.exe
File created | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | Ransomware Cyb3r Byt3s.exe
File created | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | Ransomware Cyb3r Byt3s.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\386UAANV\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CBCNU6WZ\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXDUII3O\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JMFEWY8E\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\f:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\25UY7HZX\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Public\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Public\Videos\Sample Videos\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B329PW0O\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Public\Music\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Public\Recorded TV\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RTJA0BV0\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Public\Music\Sample Music\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3K0NZPWJ\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | Ransomware Cyb3r Byt3s.exe
File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | Ransomware Cyb3r Byt3s.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\v: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\z: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\g: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\i: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\l: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\m: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\q: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\r: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\e: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\k: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\o: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\s: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\w: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\a: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\p: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\x: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\y: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\b: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\h: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\j: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\n: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\t: | Ransomware Cyb3r Byt3s.exe
File opened (read-only) | \??\u: | Ransomware Cyb3r Byt3s.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | Ransomware Cyb3r Byt3s.exe
-
resource | yara_rule
behavioral1/memory/2640-0-0x0000000000400000-0x00000000008A4000-memory.dmp | upx
behavioral1/memory/2640-596-0x0000000000400000-0x00000000008A4000-memory.dmp | upx
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ransomware Cyb3r Byt3s.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe"
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2640
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 2
Credentials from Web Browsers 1
Windows Credential Manager 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize 1KB
MD5 3e17ae7a36157cf7158c99cd115c3994
SHA1 52b9c067aad28210b9fb8c40abeb277dc7edc6b6
SHA256 59f23ce58630c59f6d074d7331137717ad70820c936075739970303b0e94733f
SHA512 2410b6dc1a6f15c1f12f601f0836134f3ec5bf3007a763f496ce31a7b19b298ed783ab18fbdec93ea85839de8367f0fb42af7d5630ebfa30f98b1e8fc098d59e
-
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.cvenc
Filesize 141KB
MD5 50aa93ab215fa426d6720114a41a2f28
SHA1 e4af363a7289d4cafe0dd76d93d9025dd337b2c4
SHA256 8b86ea82362464768431dddb427fac824d11f496e90354dae0ae6a01db39a4b1
SHA512 13bc31940a592b29b41da690b6e97bc6f4262abba3d59735db07a142178b733d744105c0a2b01a23cfe2fe1d714c8b520f26433073d2f2fae2991863d2b54461
-
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.cvenc
Filesize 149KB
MD5 525c26f39412bdc28c0a4595ebdd7ef8
SHA1 221e4c94e4ba6d579d9d7cd22a4d65869d9fd35b
SHA256 9f9b021ad6f2ab61ffb41591fc17c630b1f73a44047a21f2d249fd7d5af68ed2
SHA512 3c19a578d89f9850c351668d1f311b90bc911da1356c547a6e08dc5c55c01de4d5cfcf557a2eab5ea043d83766d30f5e0776bb331bd7b35e18c1b066cfab8a2f
-
Filesize 291B
MD5 0fc56ffcd80bb3b9c72eeeb99d089d76
SHA1 993b8d70a51222c52893b3a9697f1a877d604b83
SHA256 9a0b5fa8fbbe92d4e39244664eedccd3f64b5567eff3fbd0718d6ea207362b97
SHA512 f6e6a788dc0f98c609cc441c36449fbb777d3f161ac904897744a6da062ad67f616d92d98efcddde7a02c7928fe4f04495956d099dff729626cca7487fe2a469
-
Filesize 1KB
MD5 ff4ac919f22dd048e15c413e5f40d917
SHA1 04c47526cd248f68346c4051ecf38de6ac2f25f9
SHA256 15d43a835faff24585d4936d2f22cc7d93517ff9430f9d8341d6331b4a911b00
SHA512 4b9e2fb8a9a08c6149d993a2b86b8501289a98e61439b67a4d6b6ee659d7f65974ffe95de30785d71242bce83304297a05cbf6261f4f2f8fb6c528b79890eaf4
-
Filesize 29KB
MD5 e97af960bd45916f7691f92c7bb2f59c
SHA1 a077f3ff4402842e7f6dc7ce85cf2baf931bf898
SHA256 1049b201dfdbceef2400aa20b7ee9f7b84b9586f2fdd0e3172d82e961e17b827
SHA512 91c0ac2133daa8d9db2c360db47a5f95150b10730527b70c77e1cadef0ce79ac018f5c678214e00695e74025b2d0e76abd12e9bcaf6357e857668f49e8f39081
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXDUII3O\desktop.ini.cvenc
Filesize 1KB
MD5 5d6aad502b6c45366df5ff0c5a8259a0
SHA1 78ee2e5803d75d34c85b29a9e8e7b050251a0821
SHA256 69fbb37508040ec15911379eecdd25e3abccd00c4874e8432526d920fc945707
SHA512 0caee26298b30c3fb3e09ea376adaf4a27b47a685497551c855bcc9d09ae5de0ac6e701dd704c6dc582fa3d68f73c4a744f648b84912deff6b8f185de02c5057
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc
Filesize 49KB
MD5 1070e346072e3385c746ada030a5cc8b
SHA1 ecd7f4f94a2899201487ec0dd65f5bbc98e7595e
SHA256 91450c3cbf5fa7ade212bdf33ba7ba4699f575750bfefd007971abb919826d34
SHA512 94f152f4bb17ff88a32425f299042dd695a87865a9cad6b76de81d63837a962c77ce6355bd544af8f7c5f21e5fc9659bbe0fe06a5d467e154cd046f936b19bee