Analysis
max time kernel: 98s
max time network: 148s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20230621-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20230621-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 26/07/2023, 14:01
Static task
static1
Behavioral task
behavioral1
Sample
NA_713b699c04f21000fca981e69_JC.elf
Resource
ubuntu1804-amd64-20230621-en
General
Target: NA_713b699c04f21000fca981e69_JC.elf
Size: 2.3MB
MD5: 171d2a50c6d7e69281d1c3ef98d510f2
SHA1: 322db4ca435004a127acd4171cc52be9edaf5338
SHA256: 713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771
SHA512: 2226d1a5e9c8a2920fa8d327b53e10f135e9b30c8c3d1e7fbb3a59a51df782f106f41f60ad8140a1de4a81ef6b230418126ffb24bd75eab3c3a298ada2f58913
SSDEEP: 49152:bC9tUNrb/T7vO90dL3BmAFd4A64nsfJcm9M3YJIpgfDVw0ksgg778GzvyKYUcTD1:bzcM4IyEWyKP
Malware Config
Extracted
/MEag_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
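The config above was recovered from the ransom note the sample drops, and the two .onion URLs are the only actionable indicators in it. The following is an added example (not Triage's extractor and not code from the sample) that does the same job on a compromised host: it walks a filesystem for notes ending in _HOW_TO_DECRYPT.txt and pulls v3 onion URLs out of them with a length-anchored regex, so look-alike or truncated addresses are rejected. It assumes the prefix before _HOW_TO_DECRYPT.txt varies per victim (the note on this page is /MEag_HOW_TO_DECRYPT.txt); the note body in SAMPLE_NOTE is constructed, with only the two URLs taken from this report. It also prunes /proc, /sys, /dev and /run, which is exactly the pseudo-filesystem noise the signatures below show the sample itself generating.

```python
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# v3 onion hostnames are exactly 56 base32 characters (a-z, 2-7) + ".onion".
# Anchoring the length rejects truncated or padded look-alikes.
ONION_V3_RE = re.compile(r"https?://([a-z2-7]{56})\.onion\b/?", re.IGNORECASE)

# Assumption: the prefix before "_HOW_TO_DECRYPT.txt" varies per victim,
# so the scanner matches on the suffix only.
NOTE_SUFFIX = "_HOW_TO_DECRYPT.txt"

# Pseudo-filesystems pruned from the walk (relative to the scan root).
SKIP_TOPLEVEL = {"proc", "sys", "dev", "run"}

# Constructed note text; only the two .onion URLs come from the report above.
SAMPLE_NOTE = """Your network has been breached and all data were encrypted.
To decrypt all the data you need to purchase our decryption software.
Login:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Ignore: http://tooshort123.onion/ and http://example.com/
"""


def extract_onion_urls(text: str) -> list[str]:
    """Return the distinct v3 .onion URLs in a note, normalised, in order of appearance."""
    urls: list[str] = []
    for m in ONION_V3_RE.finditer(text):
        url = f"http://{m.group(1).lower()}.onion/"
        if url not in urls:
            urls.append(url)
    return urls


def is_ransom_note(path: Path) -> bool:
    return path.name.endswith(NOTE_SUFFIX) and path.is_file()


def scan_for_notes(root: str) -> dict[str, list[str]]:
    """Walk root, skipping pseudo-filesystems, and map each note path to its onion URLs."""
    found: dict[str, list[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into /proc, /sys, /dev, /run.
        dirnames[:] = [
            d for d in dirnames
            if os.path.relpath(os.path.join(dirpath, d), root) not in SKIP_TOPLEVEL
        ]
        for name in filenames:
            p = Path(dirpath) / name
            if not is_ransom_note(p):
                continue
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue  # unreadable note: skip rather than abort the scan
            found[str(p)] = extract_onion_urls(text)
    return found


def build_sample_tree(base: str) -> None:
    """Create a constructed tree: one real note, one decoy file, one note under a pruned dir."""
    root = Path(base)
    (root / "home" / "user").mkdir(parents=True)
    (root / "home" / "user" / "MEag_HOW_TO_DECRYPT.txt").write_text(SAMPLE_NOTE)
    (root / "home" / "user" / "notes.txt").write_text("unrelated file\n")
    (root / "proc").mkdir()
    (root / "proc" / "x_HOW_TO_DECRYPT.txt").write_text(SAMPLE_NOTE)  # must be pruned


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and scan it; keys are root-relative."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.relpath(k, tmp): v for k, v in scan_for_notes(tmp).items()}


if __name__ == "__main__":
    for note, urls in demo().items():
        print(note)
        for u in urls:
            print("  ", u)
```

On a live host run scan_for_notes("/") from a read-only mount or a forensic image; the walk prunes the pseudo-filesystems by top-level name relative to the root you pass, so it behaves the same on a mounted image as on the running system.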
Signatures

Hive
Ransomware family written in Go, first seen in June 2021. This sample is a Linux (ELF) build; the extracted ransom note and the two .onion portals above are what tie it to the family.

Deletes itself (1 IoCs)
pid 617 (process name not resolved: the process had already exited when the process table was read)
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads CPU attributes (1 TTPs, 22 IoCs)
description: File opened for reading
ioc:
/sys/devices/system/cpu/cpu0/cache/index3/power
/sys/devices/system/cpu/smt
/sys/devices/system/cpu/cpu0/topology
/sys/devices/system/cpu/cpufreq
/sys/devices/system/cpu/cpu0
/sys/devices/system/cpu/cpu0/cache
/sys/devices/system/cpu/cpu0/cache/index0/power
/sys/devices/system/cpu/cpu0/cache/index2
/sys/devices/system/cpu/cpu0/hotplug
/sys/devices/system/cpu/cpu0/power
/sys/devices/system/cpu/power
/sys/devices/system/cpu/cpu0/cache/index0
/sys/devices/system/cpu/cpu0/cache/index1/power
/sys/devices/system/cpu/cpu0/cache/power
/sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/microcode
/sys/devices/system/cpu/cpu0/cache/index1
/sys/devices/system/cpu/cpu0/cache/index2/power
/sys/devices/system/cpu/cpu0/cache/index3
/sys/devices/system/cpu/cpu0/microcode
/sys/devices/system/cpu/cpuidle
/sys/devices/system/cpu/hotplug
Reads hardware information (1 TTPs, 1 IoCs)
Accesses system info such as serial numbers and manufacturer names.
description: File opened for reading
ioc:
/sys/devices/virtual/dmi/id/power
Reads network interface configuration (2 TTPs, 12 IoCs)
Fetches information about one or more active network interfaces.
description: File opened for reading
ioc:
/sys/devices/virtual/net/lo/queues
/sys/devices/virtual/net/lo/queues/rx-0
/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits
/sys/devices/virtual/net/lo/statistics
/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power
/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues
/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics
/sys/devices/virtual/net/lo/power
/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0
/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0
/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits
/sys/devices/virtual/net/lo/queues/tx-0
Enumerates kernel/hardware configuration (1 TTPs, 64 IoCs)
Reads contents of the /sys virtual filesystem to enumerate system information.
Analyst note: almost every entry below is a directory (tracing-event nodes, tty and cgroup entries, slab caches, PCI slots) with no fingerprinting value, and the three signatures above draw on the same kind of paths. That pattern is consistent with the sample's recursive file-encryption walk descending into /sys rather than with deliberate hardware enumeration, so treat these as side effects of the walk, not as evasion checks. The list stops at exactly 64 entries, which is the report's per-signature display cap, not the full set of opens.
description: File opened for reading
ioc:
/sys/kernel/debug/tracing/events/block/block_rq_complete
/sys/kernel/debug/tracing/events/ext4/ext4_collapse_range
/sys/kernel/slab/shmem_inode_cache
/sys/kernel/debug/tracing/events/huge_memory/mm_collapse_huge_page_swapin
/sys/kernel/debug/tracing/events/syscalls/sys_enter_setxattr
/sys/devices/platform/serial8250/tty/ttyS21
/sys/fs/cgroup/pids/system.slice/systemd-udevd.service
/sys/kernel/debug/tracing/events/compaction/mm_compaction_defer_compaction
/sys/kernel/debug/tracing/events/fs_dax/dax_writeback_range_done
/sys/devices/pnp0/00:03/ppdev/parport0
/sys/kernel/debug/tracing/events/syscalls/sys_exit_times
/sys/module/acpiphp
/sys/module/debug_core
/sys/kernel/debug/tracing/events/syscalls/sys_exit_seccomp
/sys/kernel/debug/tracing/events/ext4/ext4_drop_inode
/sys/kernel/debug/tracing/events/ext4/ext4_insert_range
/sys/kernel/debug/tracing/events/syscalls/sys_enter_timerfd_settime
/sys/kernel/debug/tracing/events/syscalls/sys_exit_fchown
/sys/kernel/slab/:a-0000040
/sys/devices/platform/serial8250/tty/ttyS12
/sys/devices/virtual/block/loop0/mq
/sys/kernel/debug/tracing/events/random/mix_pool_bytes
/sys/kernel/debug/tracing/events/syscalls/sys_enter_fallocate
/sys/bus/pci/slots/23
/sys/kernel/debug/tracing/events/sync_trace/sync_timeline
/sys/kernel/debug/tracing/events/syscalls/sys_enter_pselect6
/sys/bus/nd/drivers/nd_bus
/sys/bus/pci/slots/31
/sys/devices/pci0000:00/0000:00:04.0/ata4/host3
/sys/fs/cgroup/systemd/system.slice/cron.service
/sys/kernel/debug/tracing/events/syscalls/sys_exit_pkey_alloc
/sys/kernel/slab/:0000832/cgroup
/sys/bus/mmc/devices
/sys/kernel/debug/tracing/events/timer/timer_start
/sys/class/leds
/sys/devices/system/memory/memory6/power
/sys/devices/virtual/tty/tty9/power
/sys/kernel/debug/tracing/events/fs_dax/dax_pmd_load_hole
/sys/kernel/debug/tracing/events/syscalls/sys_exit_quotactl
/sys/kernel/debug/tracing/events/i2c/i2c_reply
/sys/kernel/debug/tracing/events/xhci-hcd/xhci_dbg_reset_ep
/sys/module/fscrypto
/sys/kernel/slab/radix_tree_node
/sys/devices/pnp0/00:03/power
/sys/devices/virtual/block/loop6/mq/0/cpu0
/sys/kernel/debug/tracing/events/iommu/add_device_to_group
/sys/kernel/slab/:0000048/cgroup
/sys/devices/pci0000:00/0000:00:01.0
/sys/kernel/debug/tracing/events/huge_memory/mm_khugepaged_scan_pmd
/sys/kernel/debug/tracing/events/power/dev_pm_qos_add_request
/sys/devices/pci0000:00/0000:00:01.1/ata1/power
/sys/module/spurious/parameters
/sys/bus/pci/drivers/agpgart-via
/sys/devices/virtual/tty/tty8/power
/sys/kernel/debug/tracing/events/syscalls/sys_enter_rt_tgsigqueueinfo
/sys/kernel/debug/tracing/events/syscalls/sys_exit_getpgid
/sys/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0010:00
/sys/kernel/debug/tracing/events/regulator/regulator_enable_delay
/sys/kernel/debug/tracing/events/vmscan
/sys/bus/acpi/devices
/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1d
/sys/devices/pci0000:00/0000:00:04.0/ata3/link3/dev3.0/ata_device/dev3.0/power
/sys/fs/cgroup/systemd/system.slice/systemd-timesyncd.service
/sys/module/glue_helper/notes
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem.
Analyst note: the entries are per-PID directories (ns, fd, fdinfo, map_files, attr/*, net/*) for dozens of unrelated processes, which again points to a recursive directory walk that crossed into /proc rather than targeted process inspection. As with the /sys list, the listing is capped at 64 entries.
description: File opened for reading
ioc:
/proc/631/attr/selinux
/proc/78/ns
/proc/8/task/8/fdinfo
/proc/irq/26/ahci[0000:00:04.0]
/proc/161/attr/smack
/proc/170/map_files
/proc/29/fd
/proc/24/task/24/net
/proc/453/fdinfo
/proc/78/map_files
/proc/10/task/10/fd
/proc/155/task/155/net/stat
/proc/163/task/163/net/dev_snmp6
/proc/622/ns
/proc/84/fdinfo
/proc/160/task/160/attr/selinux
/proc/162/task/162/attr/apparmor
/proc/618/task/619/attr/apparmor
/proc/24/net/netfilter
/proc/26/task/26
/proc/98/attr/smack
/proc/158/net/stat
/proc/171/net
/proc/195/task/195/fdinfo
/proc/627/task/627/ns
/proc/627/task/642/attr/apparmor
/proc/irq/27
/proc/115/task/115/net/stat
/proc/2/task/2/net
/proc/614/net
/proc/628/task/628/fdinfo
/proc/628/task/628/net/netfilter
/proc/79/attr
/proc/17/attr/selinux
/proc/3/ns
/proc/448/task/448
/proc/166/task/166/net
/proc/172/task/172/fd
/proc/sys/fs/quota
/proc/156/net
/proc/29/attr/apparmor
/proc/634/task/636
/proc/161/net/stat
/proc/6/ns
/proc/610/task/610/net
/proc/22/task/22/attr/apparmor
/proc/80/task/80/attr/selinux
/proc/155/attr/apparmor
/proc/195/fd
/proc/2/net/netfilter
/proc/13/task/13/attr/selinux
/proc/19/task/19/attr/selinux
/proc/7/fdinfo
/proc/4/task/4/attr/apparmor
/proc/sys
/proc/16/task/16/net
/proc/166/task/166/fd
/proc/32/task/32/fd
/proc/98/task/98/net/netfilter
/proc/170/task/170/attr
/proc/22/map_files
/proc/618/task/620/net/stat
/proc/34/net/netfilter
/proc/253/task/253/attr/selinux
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 24a4eff548b411e7716858ce77d60240
SHA1: 757acc90bccf8dc11a1440015b4d02dcb7962d35
SHA256: 9f3cb32b4ea42ee56ba952a09af75c5a180488d33945bb06f97df944183a46a0
SHA512: 61abe02146c8a2d29c76f0625170cbcb903e8fc8bbf7f4fd4afcdcff70972f3042dc19a741fa5a3756ca0eb2f0e3dbf4fbb6a192e8897d952607f211177844be

Filesize: 1.2MB
MD5: c0a567a7f6ca9711ca2a3ae2c20e7dc0
SHA1: 8aef2fef9cd65d4a5f8d720bd666ed318a6231ba
SHA256: 669758e2972b0462073f70a0c89e29c058080b3f931b09dc72bb725f333ab34a
SHA512: a0e20b2823d63bf7a23a655576d02a79bdfdb812074ab8025bc551e0affa85ee18a1306eb00762753a13ea1bcbbbf4036973b253104645205d10e1fa26bb9543