Overview

overview

10

Static

static

xxx.exe

windows7_x64

10

xxx.exe

windows10-2004_x64

1

Resubmissions

09-12-2022 08:35

221209-khhxhacg28 10

07-04-2022 07:16

220407-h33rashggq 10

Analysis

  • max time kernel
    135s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20220331-en
  • submitted
    07-04-2022 07:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xxx.exe

  • Size

    416KB

  • MD5

    23f82ce9f5f8e02614b31cc0810e0d5f

  • SHA1

    0bbde5e6b3aefc33014ec3c1f1e61d8664a33a75

  • SHA256

    206de75058a7dfa0b96784965baab63a137f2e89a97e623842e7d0bb3f12c2fc

  • SHA512

    1231dc5046cb609b5cf2240a95cb728842048609a93d3034984948f9fe99ed54c508e154f3f7516f9b15a8244ec49574dc6d6ad4a95daa8ed6bcf8e4fbf4f52d

Score
10/10
hiveransomwarespywarestealer

Malware Config

Extracted

Path

C:\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: abc Password: abc To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: abc Password: abc To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed. Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: abc Password: abc To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xxx.exe
    "C:\Users\Admin\AppData\Local\Temp\xxx.exe"
    1⤵
      PID:1484
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:892
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x44c
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1760
      • C:\Users\Admin\AppData\Local\Temp\xxx.exe
        "C:\Users\Admin\AppData\Local\Temp\xxx.exe"
        1⤵
          PID:1736
        • C:\Users\Admin\AppData\Local\Temp\xxx.exe
          "C:\Users\Admin\AppData\Local\Temp\xxx.exe"
          1⤵
            PID:1320
          • C:\Users\Admin\AppData\Local\Temp\xxx.exe
            "C:\Users\Admin\AppData\Local\Temp\xxx.exe"
            1⤵
              PID:1612
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:1964
              • C:\Users\Admin\AppData\Local\Temp\xxx.exe
                xxx.exe
                2⤵
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:1160
              • C:\Users\Admin\AppData\Local\Temp\xxx.exe
                xxx.exe -u abc:abc 127.0.0.1
                2⤵
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:1848
              • C:\Users\Admin\AppData\Local\Temp\xxx.exe
                xxx.exe -u abc:abc 222.222.222.222
                2⤵
                • Modifies extensions of user files
                • Enumerates connected drives
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1924
                • C:\Windows\SysWOW64\vssadmin.exe
                  "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                  3⤵
                  • Interacts with shadow copies
                  PID:6596
                • C:\Windows\SysWOW64\notepad.exe
                  "C:\Windows\system32\notepad.exe" C:\HOW_TO_DECRYPT.txt
                  3⤵
                  • Opens file in notepad (likely ransom note)
                  PID:6608
                • C:\Windows\SysWOW64\Wbem\wmic.exe
                  "C:\Windows\System32\Wbem\wmic.exe" shadowcopy delete
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:6708
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:6760

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\HOW_TO_DECRYPT.txt
              Filesize

              1KB

              MD5

              0214bcaca4b3d3ef139ea5bd3045f52a

              SHA1

              201d5dc7bf0fd927807c36da52977d21ec0fce58

              SHA256

              68e36460c5deff70f47732af87120db943c048ae7bcbaade336a84950d7d831a

              SHA512

              4a033de9b1d5fed4d8579f648d953cd5a968efc14ed52ab3f74d407e3a3efc03b04986255f0dd34d87860001c245bda7437b9a27de289e7edd7e82d260dd049f

              Download Submit

            • memory/892-54-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

              Filesize

              8KB

              Download

            • memory/6608-60-0x00000000757D1000-0x00000000757D3000-memory.dmp

              Filesize

              8KB

              Download