Analysis
max time kernel: 16s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20221125-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20221125-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 13-05-2023 13:02
Static task: static1
Behavioral task: behavioral1
Sample: 6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
Resource: ubuntu1804-amd64-20221125-en
General
Target: 6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
Size: 2.2MB
MD5: c41d9625ccd175647ffa10484ab2556d
SHA1: 77d7614156607b68265b122fb35a1d408625cb96
SHA256: 6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0
SHA512: 7036bbdd7079b560abcfe3aac1b5951571c318708d48fea340e82185e351c3853091900b31ef0d790ca3309943318620e00f9567440693e89a259b56fc09c9b2
SSDEEP: 49152:kOAAzrb/TYvO90dL3BmAFd4A64nsfJiTZxwuXf9nTCqw0Xfgg778laMex5D1:k1Dw+b3+
Malware Config
Extracted
Path: /4oEi_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Hive
A ransomware written in Golang, first seen in June 2021.

Deletes itself (1 IoC)
pid 625, process 6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
Reads CPU attributes (1 TTP, 22 IoCs)
Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
Reads contents of the /sys virtual filesystem to enumerate system information.
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem.
Downloads

Filesize: 1.1MB
MD5: 2255cdb36dea7f236e348f8fda80d95e
SHA1: e013295625e576f517b13021c2386b1c91575d05
SHA256: e99793011f9f4ed491279556251e8f69b096124f1e5c3edca997815f51f3ae2f
SHA512: e00d2fe1db4d22dadb26eba2a50af3cdac0cc252ed38cc3370799004390c445ab0e26b34367b4bc43c8a671d05681c2b16c08537c5462a9a9b8fdf419804bf4d

Filesize: 1KB
MD5: 9932bbfea02ad4bb0c43b36fddd98a7a
SHA1: 1faee3c9dbb5f005769c8123387b45cf545cac89
SHA256: 13f91b1c2c02259660f4d83dd7383b5bbc4f04be98331fbbcf92f1e56f8557a4
SHA512: cad236319f2bc80d4223aca681e1adc446ae72dd46530e00aa9887c331b94ac95c9b23c55c3d98c4615cb05da689d68006d75c3f0d213c6f9303ee04f2d4f7ab