Overview

overview

10

Static

static

10

aa78798172...53.exe

windows7_x64

10

aa78798172...53.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    40s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220331-en
  • submitted
    14-04-2022 15:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe

  • Size

    1.8MB

  • MD5

    0c18bc83e838deec24af20d139b411d7

  • SHA1

    00e5e0e05a18bd01498f247145ae591a654e07f4

  • SHA256

    aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153

  • SHA512

    1d12ac5b2d4917c77964ad9464a334d9340d708e15c1a0ef467b95e1766ed96a9d5927e529d690c580917d6b776c9d9fedcce772f667188645d714b8445a25c7

Score
10/10
hiveransomwarespywarestealer

Malware Config

Extracted

Path

C:\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: abc Password: abc To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Detects Rust x86 variant of Hive Ransomware 4 IoCs
  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe
    "C:\Users\Admin\AppData\Local\Temp\aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe
      C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe -u abc:abc
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\SysWOW64\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:6480
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "C:\Windows\System32\Wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:6492
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\system32\notepad.exe" C:\HOW_TO_DECRYPT.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:6612
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:6540

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\HOW_TO_DECRYPT.txt
    Filesize

    1KB

    MD5

    0214bcaca4b3d3ef139ea5bd3045f52a

    SHA1

    201d5dc7bf0fd927807c36da52977d21ec0fce58

    SHA256

    68e36460c5deff70f47732af87120db943c048ae7bcbaade336a84950d7d831a

    SHA512

    4a033de9b1d5fed4d8579f648d953cd5a968efc14ed52ab3f74d407e3a3efc03b04986255f0dd34d87860001c245bda7437b9a27de289e7edd7e82d260dd049f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe
    Filesize

    416KB

    MD5

    23f82ce9f5f8e02614b31cc0810e0d5f

    SHA1

    0bbde5e6b3aefc33014ec3c1f1e61d8664a33a75

    SHA256

    206de75058a7dfa0b96784965baab63a137f2e89a97e623842e7d0bb3f12c2fc

    SHA512

    1231dc5046cb609b5cf2240a95cb728842048609a93d3034984948f9fe99ed54c508e154f3f7516f9b15a8244ec49574dc6d6ad4a95daa8ed6bcf8e4fbf4f52d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe
    Filesize

    416KB

    MD5

    23f82ce9f5f8e02614b31cc0810e0d5f

    SHA1

    0bbde5e6b3aefc33014ec3c1f1e61d8664a33a75

    SHA256

    206de75058a7dfa0b96784965baab63a137f2e89a97e623842e7d0bb3f12c2fc

    SHA512

    1231dc5046cb609b5cf2240a95cb728842048609a93d3034984948f9fe99ed54c508e154f3f7516f9b15a8244ec49574dc6d6ad4a95daa8ed6bcf8e4fbf4f52d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\abc.322332655.exe
    Filesize

    416KB

    MD5

    23f82ce9f5f8e02614b31cc0810e0d5f

    SHA1

    0bbde5e6b3aefc33014ec3c1f1e61d8664a33a75

    SHA256

    206de75058a7dfa0b96784965baab63a137f2e89a97e623842e7d0bb3f12c2fc

    SHA512

    1231dc5046cb609b5cf2240a95cb728842048609a93d3034984948f9fe99ed54c508e154f3f7516f9b15a8244ec49574dc6d6ad4a95daa8ed6bcf8e4fbf4f52d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\abc.322332655.exe
    Filesize

    416KB

    MD5

    23f82ce9f5f8e02614b31cc0810e0d5f

    SHA1

    0bbde5e6b3aefc33014ec3c1f1e61d8664a33a75

    SHA256

    206de75058a7dfa0b96784965baab63a137f2e89a97e623842e7d0bb3f12c2fc

    SHA512

    1231dc5046cb609b5cf2240a95cb728842048609a93d3034984948f9fe99ed54c508e154f3f7516f9b15a8244ec49574dc6d6ad4a95daa8ed6bcf8e4fbf4f52d

    Download Submit

  • memory/6612-61-0x0000000076201000-0x0000000076203000-memory.dmp

    Filesize

    8KB

    Download