Analysis
- max time kernel: 143s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-08-2022 02:49
Static task: static1
Behavioral task: behavioral1
- Sample: windows_x64_encrypt.dll
- Resource: win10v2004-20220812-en
General
- Target: windows_x64_encrypt.dll
- Size: 601KB
- MD5: 5a22a872d458c1dcb66cc2506d57afb7
- SHA1: 5dbdd31a29f702b317d7907a69a42e7d21a5b32e
- SHA256: 940f22327b5693b1246187f49e87e0ebbd01454033029c7aa6eab15a0ae85fa9
- SHA512: 6ffe0696aff39449e110811c2f862f835cbd51e46942b9a9cef987e4d24ac9d9efdc9a32102d76df433b423004c8d194e6d23e5369f109449917b0b55ade9845
- SSDEEP: 12288:O4jAC6F/0doKJcT/L/DcQVV03YKHLbdOrqoeOQB8eA2wmuKE6bxmdemEll6/vTF+:O4jF05/XPnEbynuLEhAoFci4HksWld9E
Malware Config
- Extracted from: C:\HOW_TO_DECRYPT.txt
- Family: hive
- URLs:
  http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
  http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
- Hive
  A ransomware written in Golang first seen in June 2021.
- Deletes shadow copies 2 TTPs
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  pid 9288 bcdedit.exe
  pid 9312 bcdedit.exe
- Deletes System State backups 2 IoCs
  pid 9184 wbadmin.exe
  pid 9432 wbadmin.exe
- Modifies extensions of user files 8 IoCs
  Ransomware generally changes the extension on encrypted files.
  Process: rundll32.exe
  File renamed: C:\Users\Admin\Pictures\SendDisconnect.raw => C:\Users\Admin\Pictures\SendDisconnect.raw.HT9NbX4b_3046FSPpo0D
  File opened for modification: C:\Users\Admin\Pictures\SendDisconnect.raw.HT9NbX4b_3046FSPpo0D
  File renamed: C:\Users\Admin\Pictures\SwitchMount.raw => C:\Users\Admin\Pictures\SwitchMount.raw.fhF_ZaIS_8w7GuGBS7FA
  File opened for modification: C:\Users\Admin\Pictures\SwitchMount.raw.fhF_ZaIS_8w7GuGBS7FA
  File renamed: C:\Users\Admin\Pictures\ConvertFromWait.crw => C:\Users\Admin\Pictures\ConvertFromWait.crw.HT9NbX4b__KeccNb225e
  File opened for modification: C:\Users\Admin\Pictures\ConvertFromWait.crw.HT9NbX4b__KeccNb225e
  File renamed: C:\Users\Admin\Pictures\PopResolve.raw => C:\Users\Admin\Pictures\PopResolve.raw.fhF_ZaIS_w9aa6GPUwBq
  File opened for modification: C:\Users\Admin\Pictures\PopResolve.raw.fhF_ZaIS_w9aa6GPUwBq
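The renames above all follow one shape: the original name and extension are kept and a 20-character tag drawn from letters, digits and underscore is appended, and the first eight characters of the tag repeat across files (HT9NbX4b and fhF_ZaIS each appear twice). The following detection logic is an added example for this report, not code from the sandbox or from the sample. It runs offline over a constructed rename list (four records copied from the IoC table, two invented benign renames); the burst threshold and the prefix grouping are assumptions of the example and claim nothing about what the tag encodes.

```python
"""Flag the rename pattern shown under 'Modifies extensions of user files'.

Added example for this report, not code from the sandbox or from the sample.
SAMPLE_RENAMES is constructed: four records copy the renames in the report and
two are invented benign renames. The per-process burst threshold and the
prefix grouping are assumptions of this example, not claims about Hive's format.
"""
import re
from collections import Counter, defaultdict

# The report's new names are the old name plus "." and a 20-character tag from
# [A-Za-z0-9_-]. Requiring an existing short extension keeps extension-less
# files from matching on any 20-character suffix.
APPENDED_TAG = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,6})\.(?P<tag>[A-Za-z0-9_-]{20})$")


def parse_rename(old, new):
    """Return the appended tag when `new` is exactly `old` + "." + tag, else None."""
    m = APPENDED_TAG.match(new)
    if m and m.group("orig") == old:
        return m.group("tag")
    return None


def detect_extension_burst(events, min_files=3):
    """Group tag-appending renames by process; return those with >= min_files of them.

    Result: {pid: {"image": str, "files": [old paths], "tag_prefixes": Counter}}.
    tag_prefixes counts the first eight characters of each tag, which in the
    report take only two values, each used twice; nothing is inferred from that.
    A single rename of this shape can be legitimate; a burst from one process is not.
    """
    per_proc = defaultdict(lambda: {"image": None, "files": [], "tag_prefixes": Counter()})
    for ev in events:
        tag = parse_rename(ev["old"], ev["new"])
        if tag is None:
            continue
        entry = per_proc[ev["pid"]]
        entry["image"] = ev["image"]
        entry["files"].append(ev["old"])
        entry["tag_prefixes"][tag[:8]] += 1
    return {pid: e for pid, e in per_proc.items() if len(e["files"]) >= min_files}


PICS = r"C:\Users\Admin\Pictures"
DOCS = r"C:\Users\Admin\Documents"

SAMPLE_RENAMES = [
    # Constructed from the report's IoC table (process rundll32.exe, PID 4456 in the tree).
    {"pid": 4456, "image": "rundll32.exe",
     "old": PICS + r"\SendDisconnect.raw", "new": PICS + r"\SendDisconnect.raw.HT9NbX4b_3046FSPpo0D"},
    {"pid": 4456, "image": "rundll32.exe",
     "old": PICS + r"\SwitchMount.raw", "new": PICS + r"\SwitchMount.raw.fhF_ZaIS_8w7GuGBS7FA"},
    {"pid": 4456, "image": "rundll32.exe",
     "old": PICS + r"\ConvertFromWait.crw", "new": PICS + r"\ConvertFromWait.crw.HT9NbX4b__KeccNb225e"},
    {"pid": 4456, "image": "rundll32.exe",
     "old": PICS + r"\PopResolve.raw", "new": PICS + r"\PopResolve.raw.fhF_ZaIS_w9aa6GPUwBq"},
    # Invented benign renames: no 20-character tag appended, must not be flagged.
    {"pid": 5120, "image": "explorer.exe",
     "old": DOCS + r"\report.docx", "new": DOCS + r"\report_final.docx"},
    {"pid": 5120, "image": "explorer.exe",
     "old": DOCS + r"\photo.jpg", "new": DOCS + r"\photo.jpg.bak"},
]

if __name__ == "__main__":
    for pid, hit in detect_extension_burst(SAMPLE_RENAMES).items():
        print(f"PID {pid} ({hit['image']}): {len(hit['files'])} files, "
              f"tag prefixes {dict(hit['tag_prefixes'])}")
```

The exact-prefix match (`orig == old`) is what separates this from an ordinary rename: a user renaming `report.docx` to `report_final.docx` never satisfies it, and a single `.bak`-style suffix fails the 20-character length check. A file that legitimately gains a 20-character suffix would match once, which is why the detector only reports a process after several such renames.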
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried by rundll32.exe: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
- Enumerates connected drives 3 TTPs 24 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by rundll32.exe, one IoC per drive letter, every letter except C: and D:
  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- Drops file in Windows directory 3 IoCs
  File opened for modification by wbadmin.exe:
  C:\Windows\Logs\WindowsBackup\WBEngine.1.etl
  C:\Windows\Logs\WindowsBackup\WBEngine.2.etl
  C:\Windows\Logs\WindowsBackup\WBEngine.3.etl
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
- Program crash 1 IoCs
  pid 2060 WerFault.exe; pid_target 4972; procid_target 81
- Interacts with shadow copies 2 TTPs 1 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 9116 vssadmin.exe
- Opens file in notepad (likely ransom note) 1 IoCs
  pid 9780 notepad.exe
- Suspicious behavior: EnumeratesProcesses 6 IoCs
  pid 4456 rundll32.exe (6 events)
- Suspicious use of AdjustPrivilegeToken 46 IoCs
  pid 4456 rundll32.exe: SeDebugPrivilege
  pid 9160 WMIC.exe (each token adjustment recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 9548 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory 18 IoCs
  Each parent/child pair below was recorded twice (procid_target in parentheses).
  PID 4760 cmd.exe wrote to memory of 4456 rundll32.exe (115)
  PID 4456 rundll32.exe wrote to memory of 9116 vssadmin.exe (116)
  PID 4456 rundll32.exe wrote to memory of 9160 WMIC.exe (118)
  PID 4456 rundll32.exe wrote to memory of 9184 wbadmin.exe (120)
  PID 4456 rundll32.exe wrote to memory of 9240 wbadmin.exe (122)
  PID 4456 rundll32.exe wrote to memory of 9288 bcdedit.exe (124)
  PID 4456 rundll32.exe wrote to memory of 9312 bcdedit.exe (125)
  PID 4456 rundll32.exe wrote to memory of 9432 wbadmin.exe (129)
  PID 4456 rundll32.exe wrote to memory of 9780 notepad.exe (134)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.dll,#1
  PID: 4972
  - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4972 -s 444
    Program crash
    PID: 2060
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 408 -p 4972 -ip 4972
  PID: 632
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  Suspicious use of WriteProcessMemory
  PID: 4760
  - C:\Windows\system32\rundll32.exe
    rundll32 windows_x64_encrypt.dll,Open -u f4swBDMf1oJe:8uwzKs2qSfZSNfHco6A6
    Modifies extensions of user files
    Checks computer location settings
    Enumerates connected drives
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID: 4456
    - C:\Windows\System32\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      Interacts with shadow copies
      PID: 9116
    - C:\Windows\System32\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
      Suspicious use of AdjustPrivilegeToken
      PID: 9160
    - C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete systemstatebackup
      Deletes System State backups
      Drops file in Windows directory
      PID: 9184
    - C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
      PID: 9240
    - C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled No
      Modifies boot configuration data using bcdedit
      PID: 9288
    - C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      Modifies boot configuration data using bcdedit
      PID: 9312
    - C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -keepVersions:3
      Deletes System State backups
      PID: 9432
    - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\HOW_TO_DECRYPT.txt
      Opens file in notepad (likely ransom note)
      PID: 9780
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  Suspicious use of AdjustPrivilegeToken
  PID: 9548
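Two things in the tree are worth a detection engineer's attention. First, the sandbox's own invocation of the DLL by ordinal (`,#1`, PID 4972) crashed under WerFault; the run that encrypted files called the `Open` export from cmd.exe with a `-u` argument (PID 4456). Second, every recovery-inhibition command (vssadmin, WMIC, two bcdedit settings, three wbadmin deletions) is a direct child of that one rundll32.exe, which is the most robust thing to key a detection on: not any single command, but several distinct techniques from one parent. The following is an added example for this report, not code from the sandbox or from the sample; it runs offline over a constructed event list whose first seven records copy the report's command lines and whose last three are invented benign look-alikes. The field names (pid, ppid, parent_image, image, cmdline) are an assumed normalised form of a Windows 4688 or Sysmon event 1 record.

```python
"""Detect the recovery-inhibition sequence from process-creation events.

Added example for this report, not code from the sandbox or from the sample.
SAMPLE_EVENTS is constructed: the first seven records copy the command lines
the report attributes to children of rundll32.exe PID 4456; the last three are
invented benign look-alikes. Field names (pid, ppid, parent_image, image,
cmdline) are an assumed normalised form of a 4688 / Sysmon event 1 record.
"""
import re
from collections import defaultdict

# (technique label, image basename, regex over the lower-cased, whitespace-collapsed arguments)
RULES = [
    ("shadow copy deletion", "vssadmin.exe", re.compile(r"\bdelete\s+shadows\b")),
    ("shadow copy deletion", "wmic.exe", re.compile(r"\bshadowcopy\s+delete\b")),
    ("system state backup deletion", "wbadmin.exe", re.compile(r"\bdelete\s+systemstatebackup\b")),
    ("backup catalog deletion", "wbadmin.exe", re.compile(r"\bdelete\s+catalog\b")),
    ("recovery environment disabled", "bcdedit.exe", re.compile(r"\brecoveryenabled\s+(no|false|off)\b")),
    ("boot failure handling suppressed", "bcdedit.exe", re.compile(r"\bbootstatuspolicy\s+ignoreallfailures\b")),
]


def split_command(cmdline):
    """Split a Windows command line into (program token, argument string).

    The program token may be double-quoted, as every child in the report is.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end != -1:
            return cmdline[1:end], cmdline[end + 1:].strip()
    parts = cmdline.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def match_rules(image, cmdline):
    """Return the set of technique labels whose rule fires for one event."""
    base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    _, args = split_command(cmdline)
    norm = " ".join(args.split()).lower()
    return {label for label, exe, pattern in RULES if exe == base and pattern.search(norm)}


def detect_recovery_inhibition(events, min_techniques=2):
    """Return {ppid: {...}} for parents whose children used >= min_techniques distinct techniques.

    One matching command can be an administrator at a console; several distinct
    techniques fired from the same parent in one run is the pattern the report shows.
    """
    by_parent = defaultdict(lambda: {"parent_image": None, "techniques": set(), "pids": set()})
    for ev in events:
        hits = match_rules(ev["image"], ev["cmdline"])
        if not hits:
            continue
        entry = by_parent[ev["ppid"]]
        entry["parent_image"] = ev["parent_image"]
        entry["techniques"] |= hits
        entry["pids"].add(ev["pid"])
    return {
        ppid: {"parent_image": e["parent_image"],
               "techniques": sorted(e["techniques"]),
               "pids": sorted(e["pids"])}
        for ppid, e in by_parent.items()
        if len(e["techniques"]) >= min_techniques
    }


RUNDLL = r"C:\Windows\system32\rundll32.exe"
CMD = r"C:\Windows\system32\cmd.exe"


def _ev(pid, ppid, parent_image, image, cmdline):
    return {"pid": pid, "ppid": ppid, "parent_image": parent_image, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    # Constructed from the report's process tree (children of rundll32.exe PID 4456).
    _ev(9116, 4456, RUNDLL, r"C:\Windows\System32\vssadmin.exe",
        r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'),
    _ev(9160, 4456, RUNDLL, r"C:\Windows\System32\wbem\WMIC.exe",
        r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete'),
    _ev(9184, 4456, RUNDLL, r"C:\Windows\System32\wbadmin.exe",
        r'"C:\Windows\System32\wbadmin.exe" delete systemstatebackup'),
    _ev(9240, 4456, RUNDLL, r"C:\Windows\System32\wbadmin.exe",
        r'"C:\Windows\System32\wbadmin.exe" delete catalog -quiet'),
    _ev(9288, 4456, RUNDLL, r"C:\Windows\System32\bcdedit.exe",
        r'"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled No'),
    _ev(9312, 4456, RUNDLL, r"C:\Windows\System32\bcdedit.exe",
        r'"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures'),
    _ev(9432, 4456, RUNDLL, r"C:\Windows\System32\wbadmin.exe",
        r'"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -keepVersions:3'),
    # Invented benign activity from an admin console: must stay below the threshold.
    _ev(7001, 7000, CMD, r"C:\Windows\System32\vssadmin.exe",
        r'"C:\Windows\System32\vssadmin.exe" list shadows'),
    _ev(7002, 7000, CMD, r"C:\Windows\System32\bcdedit.exe",
        r'"C:\Windows\System32\bcdedit.exe" /enum'),
    _ev(7003, 7000, CMD, r"C:\Windows\System32\wbadmin.exe",
        r'"C:\Windows\System32\wbadmin.exe" delete catalog -quiet'),
]

if __name__ == "__main__":
    for ppid, finding in detect_recovery_inhibition(SAMPLE_EVENTS).items():
        print(f"parent {ppid} ({finding['parent_image']}): "
              f"{len(finding['techniques'])} techniques via PIDs {finding['pids']}")
```

The rules match on arguments only, after lower-casing and whitespace collapsing, so the quoted or unquoted program path and argument case (`recoveryenabled No`) do not matter. With the default threshold the constructed admin console, which lists shadows, enumerates BCD and deletes one catalog, is not reported; the rundll32.exe parent is, with all five distinct techniques and all seven child PIDs attached for the analyst.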
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 20bdd0550a456bce8e13c274b664773a
  SHA1: fb0cc4524af1a037a86894674a0bc35c131d4541
  SHA256: 9c7bc541a871e58404ec31e4b2472343321af96fcc0e789177f460ce0b33ac9e
  SHA512: 3e774427b55fe014d00e947d57e933eeb90f934ecb58213e3b161b0bf4cb5cc02973f84134e85133c9d9f3bb297616a91ce06f8437ca35d6dc5ec6997b53fbc0