Analysis
-
max time kernel
143s -
max time network
130s -
platform
windows10-1703_x64 -
resource
win10-20231220-en -
resource tags
-
submitted
12-02-2024 07:56
General
-
Target
hive.exe
-
Size
764KB
-
MD5
2f9fc82898d718f2abe99c4a6fa79e69
-
SHA1
9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
-
SHA256
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
-
SHA512
19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
-
SSDEEP
12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\HOW_TO_DECRYPT.txt
Family
hive
Ransom Note
Your network has been breached and all data is encrypted.
To decrypt all the data you will need to purchase our decryption software.
Please contact our sales department at:
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Login: EQA9oydTxwXS
Password: vNtgAgb3kMFmCooANNQr
Follow the guidelines below to avoid losing your data:
- Do not shutdown or reboot your computers, unmount external storages.
- Do not try to decrypt data using third party software. It may cause irreversible damage.
- Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key.
- Do not modify, rename or delete *.key.hive files. Your data will be undecryptable.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased.
- Do not reject to purchase. Your sensitive data will be publicly disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
URLs
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
Signatures
-
Detects Go variant of Hive Ransomware 15 IoCs
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops file in Drivers directory 18 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Drops startup file 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 16 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 64 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 5 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\hive.exe"C:\Users\Admin\AppData\Local\Temp\hive.exe"1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD580207d0f8ea42bdfeaf9f5c586230aca
SHA1747481fe2b0b6d81c3b19ba62d1e49eab6a5461f
SHA25625edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131
SHA51273f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304
-
Filesize
129B
MD535167ab7882cfa0e57e29cb8201de1ed
SHA1bb817bf693d4a3039e8a8ddd241b72b3d9fd0be2
SHA25616f85f183000004a26e46fdf09808ce127778cf0879f0e1b51f41a105ee327ae
SHA512ca43e4d56171769eae429a910b70686f959d7c53c8a269a1b5b1e3413ff2dbdded267db2f2e91d90e8f19b7f20a70dd1d085ce19a23814883b6948fa7fadb7c1
-
Filesize
97B
MD5ffc33ad51339acd282862b996a5c30ce
SHA19ad8953d49c5005e239792c73c93879dd392a548
SHA256253b640f28d7547188f664dc786145a539e41bf3e299621f90910ba358ff9634
SHA5124f90205bebb6afbf8656b88e1adcea65ffcf894ba4aa5af0ac89b7fdcbb6fb089a851a88fa099e42f247402fe88c8db5645956c364939c4d1f0ea845762b5385
-
Filesize
162B
MD5fca5799115172398c63263fad7e854b1
SHA12874a1c796f511f94bed6ae020f4b20c38c59cf1
SHA25627323f85f788e124f6024486f7d2a3dee9a1e88f2fc1617625b8612e47657663
SHA512a03fecd20d94def5ea75015613d40656d85094eb5584993cd2d082b17badeef6833ae214dc1e8058bda0afe29d8a4cd9a805a2519b1ea76f2bc1cdb274a1841b
-
Filesize
57B
MD5df5552357692e0cba5e69f8fbf06abb6
SHA14714f1e6bb75a80a8faf69434726d176b70d7bd8
SHA256d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
SHA512a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
204KB