Overview

overview

10

Static

static

89a9279a31...4b.exe

windows7_x64

10

89a9279a31...4b.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.7z

  • Size

    1.0MB

  • Sample

    220320-awyj1adbcp

  • MD5

    a1213df88059f997ad3377b65a27f9c3

  • SHA1

    04143da10ae06e286c2b334549aab0424292e5c8

  • SHA256

    6c0e759936d63c0dfc6f9ab077817b6de3b251b44e0bde1d966aea3a73ac2c2e

  • SHA512

    c78de38a565e2f1c517ebce79ad2290becaec84de41a226502f1365f52e34aa2e267a59794840feab193fab68e895576db034a42b4ebbd0542406fbcd8182d59

Score
10/10
hiveevasionransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\xG7b_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: wxvja8MijQ1u Password: HP1JW35zEJ22aScDZgmh To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.4g3j7 files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Targets

    • Target

      89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe

    • Size

      4.0MB

    • MD5

      4659444b7bbab080d3234579ad0998b3

    • SHA1

      f0744f0825f967180eae995ce733d7b82ccb8db0

    • SHA256

      89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b

    • SHA512

      601cb4f7be6742fef403efd67d581040a693204113ba6427e99c3789d76c423b340708c0bb7f84d638520a991485051b4b1dd6406f5a0f6e2ec353bdcd918258

    Score
    10/10
    hiveevasionransomwarespywarestealertrojan

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

      evasion

    • Hive

      A ransomware written in Golang first seen in June 2021.

      ransomwarehive

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies security service

      evasion

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks