Overview

overview

10

Static

static

f01f7d18b2...fa.exe

windows7-x64

10

f01f7d18b2...fa.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe

  • Size

    727KB

  • Sample

    221206-y3y14sdb2v

  • MD5

    f293ec38bb674e4f56239c2942ae9f01

  • SHA1

    78d708e2d1586cc229d1c277173eb00c0fe27c96

  • SHA256

    f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa

  • SHA512

    09773fcf5a5c97d8494078ae9c443859bbafeb9e8fc92a2211525e59a5cd439cf6b4babaaf958e613e7c9fe2bd7347574bc538b5ef5e8d55c6e7ab9c26d1d035

  • SSDEEP

    12288:XoUopVzNYSwOEWtA2OrSxcXB3Q4abIom+2+3NrMv/xjGj9YNCC+NQoEf6Y7kSCd6:XoUopV8ABbhEf4GSwi88yxtK34Y

Score
10/10
hiveevasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EuWBdGraQgag Password: sRajKy5i2Zbt6piiSpNc To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Extracted

Path

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ae6vytmk.default-release\cache2\entries\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EuWBdGraQgag Password: sRajKy5i2Zbt6piiSpNc To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed. Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EuWBdGraQgag Password: sRajKy5i2Zbt6piiSpNc To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed. Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EuWBdGraQgag Password: sRajKy5i2Zbt6piiSpNc To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Targets

    • Target

      f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe

    • Size

      727KB

    • MD5

      f293ec38bb674e4f56239c2942ae9f01

    • SHA1

      78d708e2d1586cc229d1c277173eb00c0fe27c96

    • SHA256

      f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa

    • SHA512

      09773fcf5a5c97d8494078ae9c443859bbafeb9e8fc92a2211525e59a5cd439cf6b4babaaf958e613e7c9fe2bd7347574bc538b5ef5e8d55c6e7ab9c26d1d035

    • SSDEEP

      12288:XoUopVzNYSwOEWtA2OrSxcXB3Q4abIom+2+3NrMv/xjGj9YNCC+NQoEf6Y7kSCd6:XoUopV8ABbhEf4GSwi88yxtK34Y

    Score
    10/10
    hiveevasionransomwarespywarestealer

    • Hive

      A ransomware written in Golang first seen in June 2021.

      ransomwarehive

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks