Analysis

  • max time kernel
    167s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7-20221111-es
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-es, locale:es-es, os:windows7-x64, system, windows
  • submitted
    06-12-2022 20:19

General

  • Target

    f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe

  • Size

    727KB

  • MD5

    f293ec38bb674e4f56239c2942ae9f01

  • SHA1

    78d708e2d1586cc229d1c277173eb00c0fe27c96

  • SHA256

    f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa

  • SHA512

    09773fcf5a5c97d8494078ae9c443859bbafeb9e8fc92a2211525e59a5cd439cf6b4babaaf958e613e7c9fe2bd7347574bc538b5ef5e8d55c6e7ab9c26d1d035

  • SSDEEP

    12288:XoUopVzNYSwOEWtA2OrSxcXB3Q4abIom+2+3NrMv/xjGj9YNCC+NQoEf6Y7kSCd6:XoUopV8ABbhEf4GSwi88yxtK34Y

Malware Config

Extracted

Path

C:\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EuWBdGraQgag Password: sRajKy5i2Zbt6piiSpNc To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Extracted

Path

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ae6vytmk.default-release\cache2\entries\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EuWBdGraQgag Password: sRajKy5i2Zbt6piiSpNc To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Hive

    A ransomware written in Golang first seen in June 2021.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe
    C:\Users\Admin\AppData\Local\Temp\f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe -u EuWBdGraQgag:sRajKy5i2Zbt6piiSpNc
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\HOW_TO_DECRYPT.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:6684
    • C:\Windows\System32\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:6692
    • C:\Windows\System32\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:6712
    • C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete systemstatebackup
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:6800
    • C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete catalog-quiet
      2⤵
      PID:6844
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:6944
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:6968
    • C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -keepVersions:3
      2⤵
      • Deletes System State backups
      PID:6992
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:6872
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\HOW_TO_DECRYPT.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1492
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\HOW_TO_DECRYPT.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:884

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\HOW_TO_DECRYPT.txt

    Filesize

    1KB

    MD5

    9d1d4259958592e0b79a6adc2f2e669d

    SHA1

    cabd7a8c134121a24f29f7c5febf476fb59ab2cc

    SHA256

    5b0fb092c946ea38e923d02e95cc4150f9330870710311f9489f9e33bdbb83b6

    SHA512

    8935688b2d11c6eb3e01b5ecb40f9b064ef7e263ab1c95c084ab33c1b7f53399c7cb7f7b012392e6820a738e76ae22b48e1d9382175d2f8e1b9e5c2b802a6a5d

  • memory/6684-56-0x0000000000000000-mapping.dmp

  • memory/6684-57-0x000007FEFBB61000-0x000007FEFBB63000-memory.dmp

    Filesize

    8KB

  • memory/6692-54-0x0000000000000000-mapping.dmp

  • memory/6712-55-0x0000000000000000-mapping.dmp

  • memory/6800-58-0x0000000000000000-mapping.dmp

  • memory/6844-59-0x0000000000000000-mapping.dmp

  • memory/6944-63-0x0000000000000000-mapping.dmp

  • memory/6968-64-0x0000000000000000-mapping.dmp

  • memory/6992-65-0x0000000000000000-mapping.dmp