Analysis
max time kernel: 102s
platform: linux_amd64
resource: ubuntu1804-amd64-en-20211208
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-en-20211208, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 09-06-2023 03:07
Static task: static1
Behavioral task: behavioral1
Sample: 713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771
Resource: ubuntu1804-amd64-en-20211208
General
Target: 713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771
Size: 2.3MB
MD5: 171d2a50c6d7e69281d1c3ef98d510f2
SHA1: 322db4ca435004a127acd4171cc52be9edaf5338
SHA256: 713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771
SHA512: 2226d1a5e9c8a2920fa8d327b53e10f135e9b30c8c3d1e7fbb3a59a51df782f106f41f60ad8140a1de4a81ef6b230418126ffb24bd75eab3c3a298ada2f58913
SSDEEP: 49152:bC9tUNrb/T7vO90dL3BmAFd4A64nsfJcm9M3YJIpgfDVw0ksgg778GzvyKYUcTD1:bzcM4IyEWyKP
Malware Config
Extracted
Path: /MEag_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
Hive
A ransomware written in Golang first seen in June 2021.
Deletes itself (1 IoC)
pid 577: Process not Found
Enumerates running processes
Discovers information about currently running processes on the system.
Reads CPU attributes (1 TTP, 22 IoCs)
File opened for reading:
/sys/devices/system/cpu/cpu0
/sys/devices/system/cpu/cpu0/cache/index1/power
/sys/devices/system/cpu/cpu0/cache/index3
/sys/devices/system/cpu/cpu0/topology
/sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/cpu0/cache
/sys/devices/system/cpu/cpu0/cache/index0
/sys/devices/system/cpu/cpu0/cache/index1
/sys/devices/system/cpu/cpu0/hotplug
/sys/devices/system/cpu/cpu0/microcode
/sys/devices/system/cpu/cpu0/cache/index0/power
/sys/devices/system/cpu/cpu0/cache/index3/power
/sys/devices/system/cpu/cpu0/cache/power
/sys/devices/system/cpu/cpuidle
/sys/devices/system/cpu/hotplug
/sys/devices/system/cpu/power
/sys/devices/system/cpu/cpu0/cache/index2
/sys/devices/system/cpu/cpu0/cache/index2/power
/sys/devices/system/cpu/cpu0/power
/sys/devices/system/cpu/cpufreq
/sys/devices/system/cpu/microcode
/sys/devices/system/cpu/smt
Reads hardware information (1 TTP, 1 IoC)
Accesses system info like serial numbers, manufacturer names etc.
File opened for reading:
/sys/devices/virtual/dmi/id/power
Reads network interface configuration (2 TTPs, 12 IoCs)
Fetches information about one or more active network interfaces.
File opened for reading:
/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics
/sys/devices/virtual/net/lo/power
/sys/devices/virtual/net/lo/queues
/sys/devices/virtual/net/lo/queues/tx-0
/sys/devices/virtual/net/lo/statistics
/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0
/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0
/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits
/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits
/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power
/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues
/sys/devices/virtual/net/lo/queues/rx-0
Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
File opened for reading:
/sys/devices/pci0000:00/0000:00:01.1/ata2/host1/scsi_host/host1
/sys/devices/virtual/tty/tty9
/sys/hypervisor
/sys/kernel/debug/tracing/events/ext4/ext4_getfsmap_mapping
/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0a/power
/sys/devices/pci0000:00/0000:00:01.1/ata2/host1/scsi_host/host1/power
/sys/devices/virtual/vc/vcsa6/power
/sys/kernel/debug/tracing/events/ext4/ext4_da_write_pages
/sys/kernel/debug/tracing/events/syscalls/sys_enter_accept4
/sys/kernel/slab/:0000104
/sys/devices/pci0000:00/0000:00:04.0/ata5/ata_port/ata5/power
/sys/devices/pci0000:00/0000:00:04.0/ata7/host6
/sys/kernel/debug/tracing/events/ftrace/funcgraph_entry
/sys/module/virtio_blk/notes
/sys/fs/cgroup/pids/user.slice/user-0.slice/session-2.scope
/sys/kernel/debug/block/loop4
/sys/kernel/debug/tracing/events/xen/xen_mmu_set_pud
/sys/kernel/debug/tracing/events/alarmtimer
/sys/kernel/debug/tracing/events/syscalls/sys_enter_timerfd_create
/sys/module/pcbc/sections
/sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_enter
/sys/bus/platform/drivers/parport_pc
/sys/kernel/debug/tracing/events/syscalls/sys_enter_getrandom
/sys/kernel/debug/tracing/events/syscalls/sys_exit_dup
/sys/kernel/slab/sock_inode_cache/cgroup
/sys/kernel/slab/:a-0000064
/sys/bus/pci_express/drivers/dpc
/sys/kernel/debug/kprobes
/sys/kernel/debug/tracing/events/spi/spi_controller_busy
/sys/devices/virtual/tty/tty61/power
/sys/kernel/debug/tracing/events/syscalls/sys_exit_lsetxattr
/sys/kernel/debug/tracing/events/syscalls/sys_exit_utimensat
/sys/kernel/debug/bdi
/sys/kernel/debug/tracing/events/iommu
/sys/bus/usb/drivers/usbfs
/sys/devices/virtual/workqueue/power
/sys/kernel/debug/tracing/events/ext4/ext4_forget
/sys/kernel/debug/tracing/events/irq_vectors/spurious_apic_entry
/sys/kernel/debug/tracing/events/mdio/mdio_access
/sys/kernel/debug/tracing/events/syscalls/sys_exit_accept
/sys/module/netpoll/parameters
/sys/kernel/debug/tracing/events/vmscan/mm_vmscan_lru_shrink_active
/sys/module/firmware_class
/sys/kernel/debug/tracing/events/irq_vectors/vector_teardown
/sys/kernel/debug/tracing/events/syscalls/sys_enter_open
/sys/devices/virtual/tty/tty47/power
/sys/kernel/slab/:A-0001024/cgroup
/sys/module/kgdb_nmi/parameters
/sys/devices/virtual/misc/ecryptfs/power
/sys/kernel/debug/tracing/events/spi/spi_message_start
/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/bsg
/sys/devices/virtual/mem/null/power
/sys/devices/virtual/block/loop0/mq/0/cpu0
/sys/devices/virtual/tty/tty7
/sys/kernel/debug/tracing/events/napi/napi_poll
/sys/kernel/slab/:0000576/cgroup
/sys/class/mdio_bus
/sys/kernel/debug/tracing/events/compaction/mm_compaction_isolate_migratepages
/sys/kernel/debug/tracing/events/syscalls/sys_exit_quotactl
/sys/kernel/debug/tracing/events/xen/xen_mmu_set_pmd
/sys/devices/system/container/PNP0A06:01/power
/sys/kernel/debug/tracing/events/irq_vectors/irq_work_entry
/sys/kernel/debug/tracing/events/syscalls/sys_exit_setgid
/sys/kernel/debug/tracing/events/syscalls/sys_exit_syncfs
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
File opened for reading:
/proc/153/attr/apparmor
/proc/160/attr/selinux
/proc/167/task/167/net/stat
/proc/22/task/22/ns
/proc/81/task/81/fdinfo
/proc/sys/net/ipv6/conf/default
/proc/154/task/154/attr/selinux
/proc/192/task/192/attr/apparmor
/proc/573/task/573/fdinfo
/proc/575/task/575/attr
/proc/7/task/7
/proc/11/task/11
/proc/163/attr/smack
/proc/163/task/163/net/stat
/proc/18/net/netfilter
/proc/370/task/370
/proc/594/net/netfilter
/proc/83/task/83/attr
/proc/157/net/netfilter
/proc/192/task/192/attr
/proc/85/net/stat
/proc/164/map_files
/proc/166/task/166/attr
/proc/2/fdinfo
/proc/2/net/netfilter
/proc/26/task
/proc/29
/proc/394/task
/proc/594/task/595/ns
/proc/26/task/26/attr/smack
/proc/356/task/356/net/stat
/proc/571/attr
/proc/571/map_files
/proc/192/task/192/ns
/proc/23/task/23/net
/proc/32/map_files
/proc/394/map_files
/proc/590/task/590/ns
/proc/13/fdinfo
/proc/154/task/154/fd
/proc/163/map_files
/proc/167/net/dev_snmp6
/proc/17/net
/proc/356/map_files
/proc/571/net/netfilter
/proc/80/net/netfilter
/proc/98/net/dev_snmp6
/proc/159/attr/smack
/proc/193/attr/selinux
/proc/4/attr/apparmor
/proc/422/net/dev_snmp6
/proc/575/task/589/net/stat
/proc/594/task/594/net
/proc/29/task/29
/proc/356
/proc/391/task/391/fd
/proc/593/task/593
/proc/85/ns
/proc/156/task/156/attr/smack
/proc/161
/proc/541/net/stat
/proc/575/task/589/net
/proc/82/task/82/ns
/proc/11/task/11/net
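The five "File opened for reading" signatures above differ only in which part of the /sys and /proc trees the path falls under. The helper below is an added triage aid, not part of the sandbox report or the Hive sample: it buckets raw open-for-reading events into the same categories the report uses, counts them, and separately flags any path shaped like the extracted ransom note (/MEag_HOW_TO_DECRYPT.txt in this run; matching only the _HOW_TO_DECRYPT.txt suffix is an assumption that the prefix varies). The sample events are constructed, mostly copied from the lists above. One caveat worth keeping in mind when reading the counts: the breadth of the /sys paths (ftrace event directories, slab caches, tty nodes, ATA ports) is consistent with an indiscriminate recursive walk of the filesystem, which is what a file encryptor does while enumerating targets, rather than with deliberate hardware reconnaissance, so the categories matter more than the totals.

```python
"""Bucket sandbox 'File opened for reading' events into the report's signature
categories. Added triage helper; not part of the sandbox report or the sample."""
import re
from collections import Counter

# Rules mirror the report's signature names. Order matters: the first match wins,
# so the specific /sys subtrees are tested before the catch-all /sys rule.
RULES = [
    ("Reads CPU attributes", re.compile(r"^/sys/devices/system/cpu(/|$)")),
    ("Reads hardware information", re.compile(r"^/sys/devices/virtual/dmi/id(/|$)")),
    ("Reads network interface configuration", re.compile(r"^/sys/devices/.*/net/[^/]+(/|$)")),
    ("Enumerates kernel/hardware configuration", re.compile(r"^/sys(/|$)")),
    ("Reads runtime system information", re.compile(r"^/proc(/|$)")),
]

EVENT_RE = re.compile(r"File opened for reading\s+(\S+)")

# The note in this report is /MEag_HOW_TO_DECRYPT.txt. Matching on the suffix
# alone is an assumption that the prefix differs between victims/runs.
RANSOM_NOTE_RE = re.compile(r"(^|/)[^/]*_HOW_TO_DECRYPT\.txt$")


def classify_path(path):
    """Return the report's signature name for a path, or None if unclassified."""
    for name, rx in RULES:
        if rx.search(path):
            return name
    return None


def is_ransom_note(path):
    """True if the path looks like a Hive ransom note as named in this report."""
    return bool(RANSOM_NOTE_RE.search(path))


def summarize(event_text):
    """Count events per signature ('unclassified' collects the rest) and
    return the list of ransom-note-like paths seen."""
    counts = Counter()
    notes = []
    for path in EVENT_RE.findall(event_text):
        if is_ransom_note(path):
            notes.append(path)
        counts[classify_path(path) or "unclassified"] += 1
    return counts, notes


# Constructed sample: paths copied from the report plus two that are not in it.
SAMPLE_EVENTS = """\
File opened for reading /sys/devices/system/cpu/cpu0/microcode
File opened for reading /sys/devices/system/cpu/vulnerabilities
File opened for reading /sys/devices/system/cpu/smt
File opened for reading /sys/devices/virtual/dmi/id/power
File opened for reading /sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics
File opened for reading /sys/devices/virtual/net/lo/queues/tx-0
File opened for reading /sys/hypervisor
File opened for reading /sys/kernel/debug/kprobes
File opened for reading /sys/module/virtio_blk/notes
File opened for reading /proc/153/attr/apparmor
File opened for reading /proc/594/net/netfilter
File opened for reading /home/user/Documents/report.pdf
File opened for reading /MEag_HOW_TO_DECRYPT.txt
"""

if __name__ == "__main__":
    counts, notes = summarize(SAMPLE_EVENTS)
    for name, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {name}")
    for path in notes:
        print("ransom note:", path)
```

Feed it the behavioral log of another run (or the output of an auditd/fanotify open() trace on a host) instead of SAMPLE_EVENTS to get the same per-signature breakdown the report shows, plus any ransom-note path that the run dropped.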
Downloads
Filesize: 1.2MB
MD5: e67d97e91f96b1069c618500fd025a09
SHA1: d37290754bac11674eebc6a8e0e0e45454c661c7
SHA256: a9f4bd6d05b69b80c123d88a1f7c02074f84323ffc6dc5090f3f573b01b45c46
SHA512: f4e374d0aab4cb57f6a55d08f342a2c29da90171b174c97c5c06f3fccb5a3e3a6e6a0b9034656e0d531aff3355c4fde938dd5782d4674dc19ffbf0ec28ffebd6
Filesize: 1KB
MD5: 24a4eff548b411e7716858ce77d60240
SHA1: 757acc90bccf8dc11a1440015b4d02dcb7962d35
SHA256: 9f3cb32b4ea42ee56ba952a09af75c5a180488d33945bb06f97df944183a46a0
SHA512: 61abe02146c8a2d29c76f0625170cbcb903e8fc8bbf7f4fd4afcdcff70972f3042dc19a741fa5a3756ca0eb2f0e3dbf4fbb6a192e8897d952607f211177844be