Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
19-12-2022 14:36
General
-
Target
hive.exe
-
Size
764KB
-
MD5
2f9fc82898d718f2abe99c4a6fa79e69
-
SHA1
9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
-
SHA256
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
-
SHA512
19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
-
SSDEEP
12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH
Score
10/10
Malware Config
Extracted
Path
C:\HOW_TO_DECRYPT.txt
Family
hive
Ransom Note
Your network has been breached and all data is encrypted.
To decrypt all the data you will need to purchase our decryption software.
Please contact our sales department at:
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Login: EQA9oydTxwXS
Password: vNtgAgb3kMFmCooANNQr
Follow the guidelines below to avoid losing your data:
- Do not shutdown or reboot your computers, unmount external storages.
- Do not try to decrypt data using third party software. It may cause irreversible damage.
- Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key.
- Do not modify, rename or delete *.key.hive files. Your data will be undecryptable.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased.
- Do not reject to purchase. Your sensitive data will be publicly disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
URLs
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
Signatures
-
Detects Go variant of Hive Ransomware 2 IoCs
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Drops file in Drivers directory 8 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Program crash 2 IoCs
-
Delays execution with timeout.exe 64 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\hive.exe"C:\Users\Admin\AppData\Local\Temp\hive.exe"1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL2⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 404 -p 2440 -ip 24401⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2440 -s 58321⤵
- Program crash
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1464 -s 23162⤵
- Program crash
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 532 -p 1464 -ip 14641⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize
622KB
MD554ac69fa48c4818ceccbc2e57e9fed8b
SHA10d628cd634c74320cdb939b01641682ee7db9af2
SHA25649be9453491b3b3551d8cde235010f5f36b29843cb4fcef357d5fa00424f50e2
SHA512f42106446575f702919d6cc42336f18070503f224d8dc1ff9c21e792968a2b9a685e6ae1a23628aceeb759b1a68efb11be6222ebf5a6be2be8f5851874e74857
-
Filesize
162B
MD5fca5799115172398c63263fad7e854b1
SHA12874a1c796f511f94bed6ae020f4b20c38c59cf1
SHA25627323f85f788e124f6024486f7d2a3dee9a1e88f2fc1617625b8612e47657663
SHA512a03fecd20d94def5ea75015613d40656d85094eb5584993cd2d082b17badeef6833ae214dc1e8058bda0afe29d8a4cd9a805a2519b1ea76f2bc1cdb274a1841b
-
Filesize
57B
MD5df5552357692e0cba5e69f8fbf06abb6
SHA14714f1e6bb75a80a8faf69434726d176b70d7bd8
SHA256d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
SHA512a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
2.4MB
-
Filesize
2.4MB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-