hive | b5492f77cbc3c2bde85a226f1f47198f2f06f3f02dbe2408a77fd4550021e0ca

Analysis

max time kernel
139s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
10-06-2023 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771
Size

2.3MB
MD5

171d2a50c6d7e69281d1c3ef98d510f2
SHA1

322db4ca435004a127acd4171cc52be9edaf5338
SHA256

713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771
SHA512

2226d1a5e9c8a2920fa8d327b53e10f135e9b30c8c3d1e7fbb3a59a51df782f106f41f60ad8140a1de4a81ef6b230418126ffb24bd75eab3c3a298ada2f58913
SSDEEP

49152:bC9tUNrb/T7vO90dL3BmAFd4A64nsfJcm9M3YJIpgfDVw0ksgg778GzvyKYUcTD1:bzcM4IyEWyKP

Score

10^/10

hive ransomware

Malware Config

Extracted

Path

/MEag_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: 5mX2Ja7tXTQd Password: 36VFJGoJ6t4qhgbHLXyJ To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.ndjmu files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive

Deletes itself 1 IoCs

pid	Process
596	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 22 IoCs

System Information Discovery

T1082

description	ioc
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/power
File opened for reading	/sys/devices/system/cpu/microcode
File opened for reading	/sys/devices/system/cpu/cpufreq
File opened for reading	/sys/devices/system/cpu/cpu0/cache
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/power
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3
File opened for reading	/sys/devices/system/cpu/cpu0/microcode
File opened for reading	/sys/devices/system/cpu/cpu0/power
File opened for reading	/sys/devices/system/cpu/cpu0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/power
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug
File opened for reading	/sys/devices/system/cpu/power
File opened for reading	/sys/devices/system/cpu/smt
File opened for reading	/sys/devices/system/cpu/vulnerabilities
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/power
File opened for reading	/sys/devices/system/cpu/cpu0/cache/power
File opened for reading	/sys/devices/system/cpu/cpu0/topology
File opened for reading	/sys/devices/system/cpu/cpuidle
File opened for reading	/sys/devices/system/cpu/hotplug

Reads hardware information 1 TTPs 1 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

description	ioc
File opened for reading	/sys/devices/virtual/dmi/id/power

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc
File opened for reading	/sys/devices/virtual/net/lo/power
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0
File opened for reading	/sys/devices/virtual/net/lo/statistics
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues
File opened for reading	/sys/devices/virtual/net/lo/queues
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/printk/parameters	Process not Found
File opened for reading	/sys/devices/system	Process not Found
File opened for reading	/sys/kernel/debug/block/loop5	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/oom/mark_victim	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/regulator/regulator_disable	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_inc_deq	Process not Found
File opened for reading	/sys/module/floppy/notes	Process not Found
File opened for reading	/sys/devices/platform	Process not Found
File opened for reading	/sys/devices/virtual/misc/cpu_dma_latency	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_rr_get_interval	Process not Found
File opened for reading	/sys/devices/virtual/bdi/7:1	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_removexattr	Process not Found
File opened for reading	/sys/kernel/mm/ksm	Process not Found
File opened for reading	/sys/class/dmi	Process not Found
File opened for reading	/sys/devices/isa	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_chown	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_yield	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_writev	Process not Found
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/scsi_device/3:0:0:0	Process not Found
File opened for reading	/sys/kernel/debug/bdi/7:7	Process not Found
File opened for reading	/sys/bus/pci/drivers/piix4_smbus	Process not Found
File opened for reading	/sys/devices/virtual/block/loop7/mq/0/cpu0	Process not Found
File opened for reading	/sys/devices/virtual/tty/tty35	Process not Found
File opened for reading	/sys/devices/virtual/tty/tty58	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/net/napi_gro_frags_entry	Process not Found
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771
File opened for reading	/sys/kernel/debug/block/vda	Process not Found
File opened for reading	/sys/module/virtio_blk/parameters	Process not Found
File opened for reading	/sys/devices/platform/i8042	Process not Found
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/holders	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/jbd2/jbd2_commit_flushing	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/msr/write_msr	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_pwritev2	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_umask	Process not Found
File opened for reading	/sys/kernel/slab/:0008192	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_chdir	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_seccomp	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_accept4	Process not Found
File opened for reading	/sys/module/sysrq	Process not Found
File opened for reading	/sys/bus/platform/drivers	Process not Found
File opened for reading	/sys/devices/system/memory/memory8/power	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/cpuhp	Process not Found
File opened for reading	/sys/module/ppdev	Process not Found
File opened for reading	/sys/devices/pci0000:00/0000:00:01.3/i2c-0/power	Process not Found
File opened for reading	/sys/devices/LNXSYSTM:00/power	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_faccessat	Process not Found
File opened for reading	/sys/module/drm	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls	Process not Found
File opened for reading	/sys/module/random/parameters	Process not Found
File opened for reading	/sys/devices/virtual/block/loop6/holders	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/random/mix_pool_bytes	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_alarm	Process not Found
File opened for reading	/sys/kernel/slab/:d-0000064	Process not Found
File opened for reading	/sys/module/8250	Process not Found
File opened for reading	/sys/module/ipv6	Process not Found
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:05/power	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/irq_vectors/vector_reserve_managed	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_lgetxattr	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_timer_getoverrun	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_dup	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_newuname	Process not Found
File opened for reading	/sys/module/dm_mod/parameters	Process not Found
File opened for reading	/sys/module/virtio_pci/parameters	Process not Found
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_es_shrink_scan_exit	Process not Found

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc
File opened for reading	/proc/389/task/389/attr
File opened for reading	/proc/610/task/610/attr/smack
File opened for reading	/proc/83/map_files
File opened for reading	/proc/irq/4
File opened for reading	/proc/13/task/13/net/dev_snmp6
File opened for reading	/proc/171/task/171/net/stat
File opened for reading	/proc/174/task/174/attr/selinux
File opened for reading	/proc/23/net/dev_snmp6
File opened for reading	/proc/389/task/389/fdinfo
File opened for reading	/proc/615/task/615/fd
File opened for reading	/proc/9/net
File opened for reading	/proc/261/attr
File opened for reading	/proc/34/task/34/ns
File opened for reading	/proc/6/task/6
File opened for reading	/proc/79/task/79/attr/selinux
File opened for reading	/proc/1/map_files
File opened for reading	/proc/1/task/1/attr/smack
File opened for reading	/proc/17/net/netfilter
File opened for reading	/proc/26/task/26/net/stat
File opened for reading	/proc/84/attr
File opened for reading	/proc/89/task/89/net/stat
File opened for reading	/proc/fs/nfsd
File opened for reading	/proc/163/task/163/net/netfilter
File opened for reading	/proc/166/net/netfilter
File opened for reading	/proc/177/attr/selinux
File opened for reading	/proc/36/net/dev_snmp6
File opened for reading	/proc/4/task
File opened for reading	/proc/422/attr
File opened for reading	/proc/79/net/stat
File opened for reading	/proc/81/net
File opened for reading	/proc/169/task/169/net/netfilter
File opened for reading	/proc/19/net/dev_snmp6
File opened for reading	/proc/32/task/32/attr/smack
File opened for reading	/proc/35/ns
File opened for reading	/proc/163/task/163/fd
File opened for reading	/proc/26/map_files
File opened for reading	/proc/89/map_files
File opened for reading	/proc/13/task/13/fdinfo
File opened for reading	/proc/25/task/25
File opened for reading	/proc/596/task/614/ns
File opened for reading	/proc/604/task/604/net/dev_snmp6
File opened for reading	/proc/22/task/22/net
File opened for reading	/proc/366/net/dev_snmp6
File opened for reading	/proc/85/task/85/net
File opened for reading	/proc/sys/net/ipv6/neigh/lo
File opened for reading	/proc/13/fdinfo
File opened for reading	/proc/20/attr
File opened for reading	/proc/32/attr/selinux
File opened for reading	/proc/98/attr
File opened for reading	/proc/11/attr/smack
File opened for reading	/proc/24/ns
File opened for reading	/proc/460/task/460/ns
File opened for reading	/proc/596/task/596
File opened for reading	/proc/22/ns
File opened for reading	/proc/24/task/24/net/netfilter
File opened for reading	/proc/594/map_files
File opened for reading	/proc/594/task/594/net/netfilter
File opened for reading	/proc/1
File opened for reading	/proc/14/attr/apparmor
File opened for reading	/proc/16/task/16
File opened for reading	/proc/180/task/180/net/dev_snmp6
File opened for reading	/proc/615/attr
File opened for reading	/proc/13/map_files
File opened for reading	/proc/203

/tmp/713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771
/tmp/713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771
1⤵
- Deletes itself
- Enumerates kernel/hardware configuration
PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/MEag_HOW_TO_DECRYPT.txt

Filesize
1KB

MD5
24a4eff548b411e7716858ce77d60240

SHA1
757acc90bccf8dc11a1440015b4d02dcb7962d35

SHA256
9f3cb32b4ea42ee56ba952a09af75c5a180488d33945bb06f97df944183a46a0

SHA512
61abe02146c8a2d29c76f0625170cbcb903e8fc8bbf7f4fd4afcdcff70972f3042dc19a741fa5a3756ca0eb2f0e3dbf4fbb6a192e8897d952607f211177844be

Download Submit
/Y84UNN1Y_iEJ0c6cEN5YqNInGP_1_Jz06Gis3-9LoMj_.key.ndjmu

Filesize
1.2MB

MD5
03e179a1cf7bc8f04767aff64bb1d60a

SHA1
5b0a8379f8f72aedd5d55191f2b65425ffe5d72e

SHA256
192d37aa2d69492ad896de28f0b8d812f026f3835de52b05a3711bd62c7d6f1f

SHA512
ba6c61758f2a5c2a3ad83e72ff22fbac3f577321cd31b014dc2e8ba9f8509aa4d691c8b8865ccb119b7002fcb493583ee4cb2656c7cd3d7980f77fc991b36757

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads