Analysis
-
max time kernel
285s -
max time network
383s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-es -
resource tags
arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows -
submitted
06-12-2022 20:19
Static task
static1
Behavioral task
behavioral1
Sample
f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe
Resource
win7-20221111-es
Behavioral task
behavioral2
Sample
f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe
Resource
win10v2004-20221111-es
General
-
Target
f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe
-
Size
727KB
-
MD5
f293ec38bb674e4f56239c2942ae9f01
-
SHA1
78d708e2d1586cc229d1c277173eb00c0fe27c96
-
SHA256
f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa
-
SHA512
09773fcf5a5c97d8494078ae9c443859bbafeb9e8fc92a2211525e59a5cd439cf6b4babaaf958e613e7c9fe2bd7347574bc538b5ef5e8d55c6e7ab9c26d1d035
-
SSDEEP
12288:XoUopVzNYSwOEWtA2OrSxcXB3Q4abIom+2+3NrMv/xjGj9YNCC+NQoEf6Y7kSCd6:XoUopV8ABbhEf4GSwi88yxtK34Y
Malware Config
Extracted
C:\HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2204 bcdedit.exe 2256 bcdedit.exe -
pid Process 9196 wbadmin.exe 8552 wbadmin.exe -
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\ConvertRedo.tif => C:\Users\Admin\Pictures\ConvertRedo.tif.gFhgvpgk_9OPhEPhhLD4 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File renamed C:\Users\Admin\Pictures\WriteOut.tif => C:\Users\Admin\Pictures\WriteOut.tif.3Ng5Abtc_6YYGJFSnyBc f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened for modification C:\Users\Admin\Pictures\WriteOut.tif.3Ng5Abtc_6YYGJFSnyBc f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File renamed C:\Users\Admin\Pictures\ReadSkip.crw => C:\Users\Admin\Pictures\ReadSkip.crw.3Ng5Abtc_wAEVWu8Lrk9 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened for modification C:\Users\Admin\Pictures\ReadSkip.crw.3Ng5Abtc_wAEVWu8Lrk9 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened for modification C:\Users\Admin\Pictures\ConvertRedo.tif.gFhgvpgk_9OPhEPhhLD4 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File renamed C:\Users\Admin\Pictures\LimitGrant.raw => C:\Users\Admin\Pictures\LimitGrant.raw.gFhgvpgk_174PhVIimKK f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened for modification C:\Users\Admin\Pictures\LimitGrant.raw.gFhgvpgk_174PhVIimKK f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\N: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\E: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\J: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\H: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\I: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\O: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\Q: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\R: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\S: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\B: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\G: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\X: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\Y: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\Z: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\U: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\W: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\L: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\T: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\V: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\A: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\K: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\F: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe File opened (read-only) \??\P: f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 8752 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 8696 notepad.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe Token: SeIncreaseQuotaPrivilege 8808 WMIC.exe Token: SeSecurityPrivilege 8808 WMIC.exe Token: SeTakeOwnershipPrivilege 8808 WMIC.exe Token: SeLoadDriverPrivilege 8808 WMIC.exe Token: SeSystemProfilePrivilege 8808 WMIC.exe Token: SeSystemtimePrivilege 8808 WMIC.exe Token: SeProfSingleProcessPrivilege 8808 WMIC.exe Token: SeIncBasePriorityPrivilege 8808 WMIC.exe Token: SeCreatePagefilePrivilege 8808 WMIC.exe Token: SeBackupPrivilege 8808 WMIC.exe Token: SeRestorePrivilege 8808 WMIC.exe Token: SeShutdownPrivilege 8808 WMIC.exe Token: SeDebugPrivilege 8808 WMIC.exe Token: SeSystemEnvironmentPrivilege 8808 WMIC.exe Token: SeRemoteShutdownPrivilege 8808 WMIC.exe Token: SeUndockPrivilege 8808 WMIC.exe Token: SeManageVolumePrivilege 8808 WMIC.exe Token: 33 8808 WMIC.exe Token: 34 8808 WMIC.exe Token: 35 8808 WMIC.exe Token: 36 8808 WMIC.exe Token: SeIncreaseQuotaPrivilege 8808 WMIC.exe Token: SeSecurityPrivilege 8808 WMIC.exe Token: SeTakeOwnershipPrivilege 8808 WMIC.exe Token: SeLoadDriverPrivilege 8808 WMIC.exe Token: SeSystemProfilePrivilege 8808 WMIC.exe Token: SeSystemtimePrivilege 8808 WMIC.exe Token: SeProfSingleProcessPrivilege 8808 WMIC.exe Token: SeIncBasePriorityPrivilege 8808 WMIC.exe Token: SeCreatePagefilePrivilege 8808 WMIC.exe Token: SeBackupPrivilege 8808 WMIC.exe Token: SeRestorePrivilege 8808 WMIC.exe Token: SeShutdownPrivilege 8808 WMIC.exe Token: SeDebugPrivilege 8808 WMIC.exe Token: SeSystemEnvironmentPrivilege 8808 WMIC.exe Token: SeRemoteShutdownPrivilege 8808 WMIC.exe Token: SeUndockPrivilege 8808 WMIC.exe Token: SeManageVolumePrivilege 8808 WMIC.exe Token: 33 8808 WMIC.exe Token: 34 8808 WMIC.exe Token: 35 8808 WMIC.exe Token: 36 8808 WMIC.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3532 wrote to memory of 8696 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 80 PID 3532 wrote to memory of 8696 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 80 PID 3532 wrote to memory of 8752 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 81 PID 3532 wrote to memory of 8752 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 81 PID 3532 wrote to memory of 8808 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 83 PID 3532 wrote to memory of 8808 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 83 PID 3532 wrote to memory of 9196 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 86 PID 3532 wrote to memory of 9196 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 86 PID 3532 wrote to memory of 4368 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 89 PID 3532 wrote to memory of 4368 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 89 PID 3532 wrote to memory of 2204 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 91 PID 3532 wrote to memory of 2204 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 91 PID 3532 wrote to memory of 2256 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 93 PID 3532 wrote to memory of 2256 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 93 PID 3532 wrote to memory of 8552 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 94 PID 3532 wrote to memory of 8552 3532 f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exeC:\Users\Admin\AppData\Local\Temp\f01f7d18b2e154522abd47cbafe80565b32f4a52103224a9e725656582e63efa.exe -u EuWBdGraQgag:sRajKy5i2Zbt6piiSpNc1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:8696
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:8752
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8808
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete systemstatebackup2⤵
- Deletes System State backups
PID:9196
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete catalog-quiet2⤵PID:4368
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
PID:2204
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:2256
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -keepVersions:32⤵
- Deletes System State backups
PID:8552
-