Overview

overview

10

Static

static

8

hive.exe

windows7-x64

10

hive.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2023 16:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hive.exe

  • Size

    764KB

  • MD5

    2f9fc82898d718f2abe99c4a6fa79e69

  • SHA1

    9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb

  • SHA256

    88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1

  • SHA512

    19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b

  • SSDEEP

    12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH

Score
10/10
hiveransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data is encrypted. To decrypt all the data you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EQA9oydTxwXS Password: vNtgAgb3kMFmCooANNQr Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
URLs

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

Signatures

  • Detects Go variant of Hive Ransomware 2 IoCs
  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops file in Drivers directory 28 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Program crash 1 IoCs
  • Delays execution with timeout.exe 64 IoCs
    evasion
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hive.exe
    "C:\Users\Admin\AppData\Local\Temp\hive.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c hive.bat >NUL 2>NUL
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:620
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:748
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1904
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1608
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1572
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1972
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1344
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2036
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:884
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1056
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1204
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:632
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:840
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1948
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1960
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1980
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
          PID:1444
        • C:\Windows\SysWOW64\timeout.exe
          timeout 1
          3⤵
            PID:1664
          • C:\Windows\SysWOW64\timeout.exe
            timeout 1
            3⤵
              PID:1008
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              3⤵
              • Delays execution with timeout.exe
              PID:868
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              3⤵
                PID:772
              • C:\Windows\SysWOW64\timeout.exe
                timeout 1
                3⤵
                • Delays execution with timeout.exe
                PID:1676
              • C:\Windows\SysWOW64\timeout.exe
                timeout 1
                3⤵
                • Delays execution with timeout.exe
                PID:1744
              • C:\Windows\SysWOW64\timeout.exe
                timeout 1
                3⤵
                • Delays execution with timeout.exe
                PID:532
              • C:\Windows\SysWOW64\timeout.exe
                timeout 1
                3⤵
                • Delays execution with timeout.exe
                PID:944
              • C:\Windows\SysWOW64\timeout.exe
                timeout 1
                3⤵
                • Delays execution with timeout.exe
                PID:964
              • C:\Windows\SysWOW64\timeout.exe
                timeout 1
                3⤵
                • Delays execution with timeout.exe
                PID:1752
              • C:\Windows\SysWOW64\timeout.exe
                timeout 1
                3⤵
                  PID:664
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1468
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:560
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1660
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1332
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1068
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:452
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1100
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1608
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:860
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1092
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1632
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1304
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1148
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1824
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1736
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1676
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:336
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  3⤵
                    PID:1748
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout 1
                    3⤵
                    • Delays execution with timeout.exe
                    PID:1692
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout 1
                    3⤵
                      PID:1616
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout 1
                      3⤵
                        PID:1752
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout 1
                        3⤵
                          PID:664
                        • C:\Windows\SysWOW64\timeout.exe
                          timeout 1
                          3⤵
                            PID:1468
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1464
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1756
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1724
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1884
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:864
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1952
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1332
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1068
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:860
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1092
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1632
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1204
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1812
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:632
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1384
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1960
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:952
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1064
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1444
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1472
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1096
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1360
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1304
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1088
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c shadow.bat >NUL 2>NUL
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1312
                          • C:\Windows\SysWOW64\vssadmin.exe
                            vssadmin.exe delete shadows /all /quiet
                            3⤵
                            • Interacts with shadow copies
                            PID:692
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1168
                      • C:\Windows\system32\WerFault.exe
                        C:\Windows\system32\WerFault.exe -u -p 1284 -s 2628
                        1⤵
                        • Program crash
                        PID:452

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini
                        Filesize

                        129B

                        MD5

                        a526b9e7c716b3489d8cc062fbce4005

                        SHA1

                        2df502a944ff721241be20a9e449d2acd07e0312

                        SHA256

                        e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

                        SHA512

                        d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\hive.bat
                        Filesize

                        162B

                        MD5

                        fca5799115172398c63263fad7e854b1

                        SHA1

                        2874a1c796f511f94bed6ae020f4b20c38c59cf1

                        SHA256

                        27323f85f788e124f6024486f7d2a3dee9a1e88f2fc1617625b8612e47657663

                        SHA512

                        a03fecd20d94def5ea75015613d40656d85094eb5584993cd2d082b17badeef6833ae214dc1e8058bda0afe29d8a4cd9a805a2519b1ea76f2bc1cdb274a1841b

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\shadow.bat
                        Filesize

                        57B

                        MD5

                        df5552357692e0cba5e69f8fbf06abb6

                        SHA1

                        4714f1e6bb75a80a8faf69434726d176b70d7bd8

                        SHA256

                        d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

                        SHA512

                        a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

                        Download Submit

                      • memory/336-105-0x0000000000000000-mapping.dmp

                        Download

                      • memory/452-94-0x0000000000000000-mapping.dmp

                        Download

                      • memory/532-84-0x0000000000000000-mapping.dmp

                        Download

                      • memory/560-90-0x0000000000000000-mapping.dmp

                        Download

                      • memory/620-55-0x0000000000000000-mapping.dmp

                        Download

                      • memory/632-72-0x0000000000000000-mapping.dmp

                        Download

                      • memory/664-88-0x0000000000000000-mapping.dmp

                        Download

                      • memory/664-110-0x0000000000000000-mapping.dmp

                        Download

                      • memory/692-60-0x0000000000000000-mapping.dmp

                        Download

                      • memory/748-59-0x0000000000000000-mapping.dmp

                        Download

                      • memory/772-81-0x0000000000000000-mapping.dmp

                        Download

                      • memory/788-54-0x0000000000FA0000-0x0000000001203000-memory.dmp

                        Filesize

                        2.4MB

                        Download

                      • memory/788-62-0x0000000000FA0000-0x0000000001203000-memory.dmp

                        Filesize

                        2.4MB

                        Download

                      • memory/840-73-0x0000000000000000-mapping.dmp

                        Download

                      • memory/860-97-0x0000000000000000-mapping.dmp

                        Download

                      • memory/860-120-0x0000000000000000-mapping.dmp

                        Download

                      • memory/864-116-0x0000000000000000-mapping.dmp

                        Download

                      • memory/868-80-0x0000000000000000-mapping.dmp

                        Download

                      • memory/884-69-0x0000000000000000-mapping.dmp

                        Download

                      • memory/944-85-0x0000000000000000-mapping.dmp

                        Download

                      • memory/964-86-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1008-79-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1056-70-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1068-119-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1068-93-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1092-98-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1092-121-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1100-95-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1148-101-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1204-71-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1304-100-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1312-56-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1332-118-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1332-92-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1344-67-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1444-77-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1464-112-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1468-89-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1468-111-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1572-65-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1608-96-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1608-63-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1616-108-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1632-99-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1632-122-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1660-91-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1664-78-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1676-82-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1676-104-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1692-107-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1724-114-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1736-103-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1744-83-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1748-106-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1752-109-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1752-87-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1756-113-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1824-102-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1884-115-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1904-61-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1948-74-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1952-117-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1960-75-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1972-66-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1980-76-0x0000000000000000-mapping.dmp

                        Download

                      • memory/2036-68-0x0000000000000000-mapping.dmp

                        Download