Overview

overview

10

Static

static

8

77a398c870...18.exe

windows7_x64

10

77a398c870...18.exe

windows10_x64

10

Analysis

  • max time kernel
    57s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    28-07-2021 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Score
10/10
hiveransomwarespywarestealer

Malware Config

Signatures

  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 6 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Delays execution with timeout.exe 28 IoCs
    evasion
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
    "C:\Users\Admin\AppData\Local\Temp\77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3636
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3944
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1464
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:496
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2428
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2716
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2756
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:184
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2148
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2436
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1000
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:732
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:192
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:4004
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2188
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:736
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2208
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3928
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2768
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3504
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1188
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1612
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2428
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1648
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:4072
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:4052
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:4016
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:780
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1840
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini
    MD5

    a526b9e7c716b3489d8cc062fbce4005

    SHA1

    2df502a944ff721241be20a9e449d2acd07e0312

    SHA256

    e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

    SHA512

    d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\hive.bat
    MD5

    3c34a87cf0107262a93c2adccde10b37

    SHA1

    bcf860da19191d91f015096aedf16e7492238763

    SHA256

    5993e915a2c1520c5f1261d4139544dd998cb7f2c4f780bbe1ff29f5e86d0560

    SHA512

    8c6503bf188583611b000bdb128a3146b372ddf1ba9780942dc8675ad5bc39bf6da5ef61a35fc0153d154ee74662d6b9118f57ad24b0afe0fdc95068583905a8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\shadow.bat
    MD5

    df5552357692e0cba5e69f8fbf06abb6

    SHA1

    4714f1e6bb75a80a8faf69434726d176b70d7bd8

    SHA256

    d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

    SHA512

    a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

    Download Submit
  • memory/184-127-0x0000000000000000-mapping.dmp
    Download
  • memory/192-132-0x0000000000000000-mapping.dmp
    Download
  • memory/496-123-0x0000000000000000-mapping.dmp
    Download
  • memory/732-131-0x0000000000000000-mapping.dmp
    Download
  • memory/736-135-0x0000000000000000-mapping.dmp
    Download
  • memory/780-147-0x0000000000000000-mapping.dmp
    Download
  • memory/1000-130-0x0000000000000000-mapping.dmp
    Download
  • memory/1188-140-0x0000000000000000-mapping.dmp
    Download
  • memory/1360-114-0x0000000000000000-mapping.dmp
    Download
  • memory/1464-122-0x0000000000000000-mapping.dmp
    Download
  • memory/1576-115-0x0000000000000000-mapping.dmp
    Download
  • memory/1612-141-0x0000000000000000-mapping.dmp
    Download
  • memory/1648-143-0x0000000000000000-mapping.dmp
    Download
  • memory/1840-120-0x0000000000000000-mapping.dmp
    Download
  • memory/2148-128-0x0000000000000000-mapping.dmp
    Download
  • memory/2188-134-0x0000000000000000-mapping.dmp
    Download
  • memory/2208-136-0x0000000000000000-mapping.dmp
    Download
  • memory/2428-124-0x0000000000000000-mapping.dmp
    Download
  • memory/2428-142-0x0000000000000000-mapping.dmp
    Download
  • memory/2436-129-0x0000000000000000-mapping.dmp
    Download
  • memory/2716-125-0x0000000000000000-mapping.dmp
    Download
  • memory/2756-126-0x0000000000000000-mapping.dmp
    Download
  • memory/2768-138-0x0000000000000000-mapping.dmp
    Download
  • memory/3504-139-0x0000000000000000-mapping.dmp
    Download
  • memory/3636-118-0x0000000000000000-mapping.dmp
    Download
  • memory/3928-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3944-121-0x0000000000000000-mapping.dmp
    Download
  • memory/4004-133-0x0000000000000000-mapping.dmp
    Download
  • memory/4016-146-0x0000000000000000-mapping.dmp
    Download
  • memory/4052-145-0x0000000000000000-mapping.dmp
    Download
  • memory/4072-144-0x0000000000000000-mapping.dmp
    Download