Analysis
-
max time kernel
167s -
max time network
100s -
platform
windows7_x64 -
resource
win7-20221111-es -
resource tags
arch:x64arch:x86image:win7-20221111-eslocale:es-esos:windows7-x64systemwindows -
submitted
06-12-2022 20:19
Static task
static1
Behavioral task
behavioral1
Sample
f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe
Resource
win7-20221111-es
Behavioral task
behavioral2
Sample
f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe
Resource
win10v2004-20221111-es
General
-
Target
f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe
-
Size
727KB
-
MD5
f293ec38bb674e4f56239c2942ae9f01
-
SHA1
78d708e2d1586cc229d1c277173eb00c0fe27c96
-
SHA256
f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa
-
SHA512
09773fcf5a5c97d8494078ae9c443859bbafeb9e8fc92a2211525e59a5cd439cf6b4babaaf958e613e7c9fe2bd7347574bc538b5ef5e8d55c6e7ab9c26d1d035
-
SSDEEP
12288:XoUopVzNYSwOEWtA2OrSxcXB3Q4abIom+2+3NrMv/xjGj9YNCC+NQoEf6Y7kSCd6:XoUopV8ABbhEf4GSwi88yxtK34Y
Malware Config
Extracted
C:\HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Extracted
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ae6vytmk.default-release\cache2\entries\HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 6944 bcdedit.exe 6968 bcdedit.exe -
pid Process 6800 wbadmin.exe 6992 wbadmin.exe -
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\NewUnprotect.raw.iXjDO5Qg_84v55zs7Yuv f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File renamed C:\Users\Admin\Pictures\OutEnter.tif => C:\Users\Admin\Pictures\OutEnter.tif.Bm1hZhn8_1vnQLZutgsZ f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File renamed C:\Users\Admin\Pictures\StartInitialize.tiff => C:\Users\Admin\Pictures\StartInitialize.tiff.iXjDO5Qg__lsbElxUFSZ f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened for modification C:\Users\Admin\Pictures\StartInitialize.tiff.iXjDO5Qg__lsbElxUFSZ f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File renamed C:\Users\Admin\Pictures\NewUnprotect.raw => C:\Users\Admin\Pictures\NewUnprotect.raw.iXjDO5Qg_84v55zs7Yuv f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File renamed C:\Users\Admin\Pictures\OpenApprove.tiff => C:\Users\Admin\Pictures\OpenApprove.tiff.Bm1hZhn8_2PiWXe4yKQk f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened for modification C:\Users\Admin\Pictures\OpenApprove.tiff.Bm1hZhn8_2PiWXe4yKQk f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened for modification C:\Users\Admin\Pictures\OutEnter.tif.Bm1hZhn8_1vnQLZutgsZ f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File renamed C:\Users\Admin\Pictures\RestoreUnblock.raw => C:\Users\Admin\Pictures\RestoreUnblock.raw.Bm1hZhn8_z7Y2k2BtU5K f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened for modification C:\Users\Admin\Pictures\RestoreUnblock.raw.Bm1hZhn8_z7Y2k2BtU5K f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\K: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\P: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\T: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\V: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\X: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\A: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\I: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\N: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\Q: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\U: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\Y: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\B: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\L: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\M: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\O: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\W: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\G: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\F: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\J: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\R: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\S: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\Z: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\E: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl wbadmin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 6692 vssadmin.exe -
Opens file in notepad (likely ransom note) 3 IoCs
pid Process 6684 notepad.exe 1492 NOTEPAD.EXE 884 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe Token: SeIncreaseQuotaPrivilege 6712 WMIC.exe Token: SeSecurityPrivilege 6712 WMIC.exe Token: SeTakeOwnershipPrivilege 6712 WMIC.exe Token: SeLoadDriverPrivilege 6712 WMIC.exe Token: SeSystemProfilePrivilege 6712 WMIC.exe Token: SeSystemtimePrivilege 6712 WMIC.exe Token: SeProfSingleProcessPrivilege 6712 WMIC.exe Token: SeIncBasePriorityPrivilege 6712 WMIC.exe Token: SeCreatePagefilePrivilege 6712 WMIC.exe Token: SeBackupPrivilege 6712 WMIC.exe Token: SeRestorePrivilege 6712 WMIC.exe Token: SeShutdownPrivilege 6712 WMIC.exe Token: SeDebugPrivilege 6712 WMIC.exe Token: SeSystemEnvironmentPrivilege 6712 WMIC.exe Token: SeRemoteShutdownPrivilege 6712 WMIC.exe Token: SeUndockPrivilege 6712 WMIC.exe Token: SeManageVolumePrivilege 6712 WMIC.exe Token: 33 6712 WMIC.exe Token: 34 6712 WMIC.exe Token: 35 6712 WMIC.exe Token: SeIncreaseQuotaPrivilege 6712 WMIC.exe Token: SeSecurityPrivilege 6712 WMIC.exe Token: SeTakeOwnershipPrivilege 6712 WMIC.exe Token: SeLoadDriverPrivilege 6712 WMIC.exe Token: SeSystemProfilePrivilege 6712 WMIC.exe Token: SeSystemtimePrivilege 6712 WMIC.exe Token: SeProfSingleProcessPrivilege 6712 WMIC.exe Token: SeIncBasePriorityPrivilege 6712 WMIC.exe Token: SeCreatePagefilePrivilege 6712 WMIC.exe Token: SeBackupPrivilege 6712 WMIC.exe Token: SeRestorePrivilege 6712 WMIC.exe Token: SeShutdownPrivilege 6712 WMIC.exe Token: SeDebugPrivilege 6712 WMIC.exe Token: SeSystemEnvironmentPrivilege 6712 WMIC.exe Token: SeRemoteShutdownPrivilege 6712 WMIC.exe Token: SeUndockPrivilege 6712 WMIC.exe Token: SeManageVolumePrivilege 6712 WMIC.exe Token: 33 6712 WMIC.exe Token: 34 6712 WMIC.exe Token: 35 6712 WMIC.exe Token: SeBackupPrivilege 6872 vssvc.exe Token: SeRestorePrivilege 6872 vssvc.exe Token: SeAuditPrivilege 6872 vssvc.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1788 wrote to memory of 6692 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 31 PID 1788 wrote to memory of 6692 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 31 PID 1788 wrote to memory of 6692 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 31 PID 1788 wrote to memory of 6712 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 34 PID 1788 wrote to memory of 6712 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 34 PID 1788 wrote to memory of 6712 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 34 PID 1788 wrote to memory of 6684 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 30 PID 1788 wrote to memory of 6684 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 30 PID 1788 wrote to memory of 6684 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 30 PID 1788 wrote to memory of 6800 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 35 PID 1788 wrote to memory of 6800 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 35 PID 1788 wrote to memory of 6800 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 35 PID 1788 wrote to memory of 6844 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 37 PID 1788 wrote to memory of 6844 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 37 PID 1788 wrote to memory of 6844 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 37 PID 1788 wrote to memory of 6944 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 41 PID 1788 wrote to memory of 6944 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 41 PID 1788 wrote to memory of 6944 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 41 PID 1788 wrote to memory of 6968 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 43 PID 1788 wrote to memory of 6968 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 43 PID 1788 wrote to memory of 6968 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 43 PID 1788 wrote to memory of 6992 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 45 PID 1788 wrote to memory of 6992 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 45 PID 1788 wrote to memory of 6992 1788 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exeC:\Users\Admin\AppData\Local\Temp\f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe -u EuWBdGraQgag:sRajKy5i2Zbt6piiSpNc1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:6684
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:6692
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6712
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete systemstatebackup2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:6800
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete catalog-quiet2⤵PID:6844
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
PID:6944
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:6968
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -keepVersions:32⤵
- Deletes System State backups
PID:6992
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6872
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\HOW_TO_DECRYPT.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1492
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\HOW_TO_DECRYPT.txt1⤵
- Opens file in notepad (likely ransom note)
PID:884
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59d1d4259958592e0b79a6adc2f2e669d
SHA1cabd7a8c134121a24f29f7c5febf476fb59ab2cc
SHA2565b0fb092c946ea38e923d02e95cc4150f9330870710311f9489f9e33bdbb83b6
SHA5128935688b2d11c6eb3e01b5ecb40f9b064ef7e263ab1c95c084ab33c1b7f53399c7cb7f7b012392e6820a738e76ae22b48e1d9382175d2f8e1b9e5c2b802a6a5d