Analysis
-
max time kernel
15s
-
platform
ubuntu-18.04_amd64
-
resource
ubuntu1804-amd64-20221125-en
-
resource tags
arch:amd64, arch:i386, image:ubuntu1804-amd64-20221125-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
-
submitted
14/05/2023, 06:40
Static task
static1
Behavioral task
behavioral1
Sample
6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
Resource
ubuntu1804-amd64-20221125-en
General
-
Target
6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
-
Size
2.2MB
-
MD5
c41d9625ccd175647ffa10484ab2556d
-
SHA1
77d7614156607b68265b122fb35a1d408625cb96
-
SHA256
6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0
-
SHA512
7036bbdd7079b560abcfe3aac1b5951571c318708d48fea340e82185e351c3853091900b31ef0d790ca3309943318620e00f9567440693e89a259b56fc09c9b2
-
SSDEEP
49152:kOAAzrb/TYvO90dL3BmAFd4A64nsfJiTZxwuXf9nTCqw0Xfgg778laMex5D1:k1Dw+b3+
Malware Config
Extracted
/4oEi_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Deletes itself (1 IoC)
pid  Process
615  Process not Found
-
Reads CPU attributes (1 TTP, 22 IoCs)
-
Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
Processes
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
1KB
MD5
9932bbfea02ad4bb0c43b36fddd98a7a
SHA1
1faee3c9dbb5f005769c8123387b45cf545cac89
SHA256
13f91b1c2c02259660f4d83dd7383b5bbc4f04be98331fbbcf92f1e56f8557a4
SHA512
cad236319f2bc80d4223aca681e1adc446ae72dd46530e00aa9887c331b94ac95c9b23c55c3d98c4615cb05da689d68006d75c3f0d213c6f9303ee04f2d4f7ab
-
Filesize
1.1MB
MD5
2f6631527fff8d110f498cf07f82416d
SHA1
22b46be6e1d7d94464c441ae3e3a01abdae919ba
SHA256
ece024f255faae7606de6854c8dd97a86db2609886c488c2f73285f3e7388efd
SHA512
b536a89a770ed72bb74ed820757cbf40da3b9ca6da70f539cfe9759b262df047d16032c8454cc9675f371f2f078bb1a950134d73c2f4b99cfa225705f76c22bf