Overview

overview

10

Static

static

7

Ransomware.Hive.zip

windows7-x64

1

Ransomware.Hive.zip

windows10-1703-x64

1

211xahcou.exe

windows7-x64

10

211xahcou.exe

windows10-1703-x64

10

Hive.elf

windows7-x64

3

Hive.elf

windows10-1703-x64

3

hive.exe

windows7-x64

10

hive.exe

windows10-1703-x64

10

hive_linux_elf

windows7-x64

1

hive_linux_elf

windows10-1703-x64

1

linux_hive.elf

windows7-x64

3

linux_hive.elf

windows10-1703-x64

3

sjl8j6ap3.exe

windows7-x64

1

sjl8j6ap3.exe

windows10-1703-x64

1

windows_25...c5.exe

windows7-x64

10

windows_25...c5.exe

windows10-1703-x64

10

zi1ysv64h.exe

windows7-x64

10

zi1ysv64h.exe

windows10-1703-x64

10

Resubmissions

12-02-2024 06:38

240212-hd166sgg25 10

12-02-2024 06:21

240212-g4tdksgd86 7

Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    12-02-2024 06:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    linux_hive.elf

  • Size

    2.3MB

  • MD5

    56075e7c63b3f9f612cde6187d4a7877

  • SHA1

    1bcfa979b7b9044ba5ce5c006bd26b0bdbeb8464

  • SHA256

    12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185

  • SHA512

    7df68e37b3c2e7ce197f0d8736d06adf808343fe2d638bcd3e0f285968e1365c06b33157c6e5816b9fa9362e6adc262d3d2da45d3d1a38efb7e2ce980fce8b80

  • SSDEEP

    49152:TzVcrxrb/TGvO90dL3BmAFd4A64nsfJbJ5PhTZDknzImQXNqw0Xfgg778lwQJKTS:TcbP/kB30JKT

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\linux_hive.elf
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\linux_hive.elf
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\linux_hive.elf"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    ea8c8054dfc67f22f1e2dde1ea29b308

    SHA1

    9b9efec71aad4ebdee1760ab9020e62a7a825fcf

    SHA256

    470366b75bc5f42e52156a39768bba63514ed6e4ef019e8b3ad20bd49fef86eb

    SHA512

    6487cd7929dc3c1e5d202c2cf4987a26935be1f5d284c3bba512a9680918399054efdc4b5a2263c84aa55ea492e34df61f0f6a3230a7e07451d8a1c857b3e520

    Download Submit