Analysis

  • max time kernel
    285s
  • max time network
    383s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    06-12-2022 20:19

General

  • Target

    f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe

  • Size

    727KB

  • MD5

    f293ec38bb674e4f56239c2942ae9f01

  • SHA1

    78d708e2d1586cc229d1c277173eb00c0fe27c96

  • SHA256

    f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa

  • SHA512

    09773fcf5a5c97d8494078ae9c443859bbafeb9e8fc92a2211525e59a5cd439cf6b4babaaf958e613e7c9fe2bd7347574bc538b5ef5e8d55c6e7ab9c26d1d035

  • SSDEEP

    12288:XoUopVzNYSwOEWtA2OrSxcXB3Q4abIom+2+3NrMv/xjGj9YNCC+NQoEf6Y7kSCd6:XoUopV8ABbhEf4GSwi88yxtK34Y

Malware Config

Extracted

Path

C:\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EuWBdGraQgag Password: sRajKy5i2Zbt6piiSpNc To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Hive

    A ransomware written in Golang first seen in June 2021.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe
    C:\Users\Admin\AppData\Local\Temp\f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe -u EuWBdGraQgag:sRajKy5i2Zbt6piiSpNc
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\HOW_TO_DECRYPT.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:8696
    • C:\Windows\System32\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:8752
    • C:\Windows\System32\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:8808
    • C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete systemstatebackup
      2⤵
      • Deletes System State backups
      PID:9196
    • C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete catalog-quiet
      2⤵
        PID:4368
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled No
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2204
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2256
      • C:\Windows\System32\wbadmin.exe
        "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -keepVersions:3
        2⤵
        • Deletes System State backups
        PID:8552

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads