Resubmissions

03-03-2024 10:17

240303-mbhz2aha6s 7

03-03-2024 10:02

240303-l27kmshd24 10

General

  • Target

    Ransomware.Hive.zip

  • Size

    6.6MB

  • Sample

    240303-l27kmshd24

  • MD5

    33dc6cf9108fa7a395d632c29021791c

  • SHA1

    61ccffbfb8f2458be139aa1d3c9dd715f25cd06d

  • SHA256

    af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe

  • SHA512

    5b7206cd076e313f15a13c4f6278ea80c109577530bc43614efc631aeb8b53f8b0abba1135298ba6b6b7fa2f19321ab673b257d3b4c0cbc95bd4c50c8040466d

  • SSDEEP

    196608:xUPLIETGA/+0vcL5o/Vu0vlQ77Z0SOJM7j:xmJ6ANa6/Vu0q3+SOw

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data is encrypted. To decrypt all the data you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EQA9oydTxwXS Password: vNtgAgb3kMFmCooANNQr Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
URLs

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

Extracted

Path

C:\Program Files\EGdu_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data or to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: jxkdVr8zZs5J Password: GHTM6Qgqyhqs4nMH53ZD To get access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.uj1ps files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Extracted

Path

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\K8zJ_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at you will need to purchase our decryption software. Please contact our sales department at: Login: Password: To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.2o4xo files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

Targets

    • Target

      211xahcou.dll

    • Size

      3.9MB

    • MD5

      0e4d44dde522c07d09d9e3086cfae803

    • SHA1

      d8dc26e2094869a0da78ecb47494c931419302dc

    • SHA256

      33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277

    • SHA512

      ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06

    • SSDEEP

      49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Target

      Hive.elf

    • Size

      246KB

    • MD5

      22ae3e19ec54a9d314719158c00986e3

    • SHA1

      84353fe08dd87eb2f1086dfd08c014311e7e4889

    • SHA256

      822d89e7917d41a90f5f65bee75cad31fe13995e43f47ea9ea536862884efc25

    • SHA512

      a72a3e8fb908c2ed946b9266cc742b1584709205f1911e381823ef7caac10d55ccec2f35c3e7ca4a3eda7e04e1b57ec2039054c087fdc39241554cd82b62570e

    • SSDEEP

      3072:3Zp7gZzdfvjRCMj1Yk36ioyJ1zgjIlOhXYopNL+V7o0xvvkB/37Nt7xhew8A2Mzc:P7gDj8S1Hlx14+opNClvk977ew8A2M

    Score
    3/10
    • Target

      hive.bin_exe

    • Size

      764KB

    • MD5

      2f9fc82898d718f2abe99c4a6fa79e69

    • SHA1

      9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb

    • SHA256

      88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1

    • SHA512

      19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b

    • SSDEEP

      12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH

    • Detects Go variant of Hive Ransomware

    • Hive

      A ransomware written in Golang first seen in June 2021.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      hive_linux_elf

    • Size

      2.4MB

    • MD5

      d3b0102e6632be81ce158c909f583412

    • SHA1

      10bd0f1d3122d6575e882ba8f025eb11b0a95b61

    • SHA256

      bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3

    • SHA512

      cd7c7d5cd4531fbd11d2c0e4fccfaad485fb804621b6a692dd4f640ac048bb6f596314b655df94f96788cbbcd64bf54e2285697db93b1ce4123852c9c9e00d39

    • SSDEEP

      49152:oBWlwme8nhvmR52bzPOA1nsRTuIQflLQn+MJ3m+02D1:YmeQhvmS/R1nsF

    Score
    1/10
    • Target

      linux_hive.elf

    • Size

      2.3MB

    • MD5

      56075e7c63b3f9f612cde6187d4a7877

    • SHA1

      1bcfa979b7b9044ba5ce5c006bd26b0bdbeb8464

    • SHA256

      12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185

    • SHA512

      7df68e37b3c2e7ce197f0d8736d06adf808343fe2d638bcd3e0f285968e1365c06b33157c6e5816b9fa9362e6adc262d3d2da45d3d1a38efb7e2ce980fce8b80

    • SSDEEP

      49152:TzVcrxrb/TGvO90dL3BmAFd4A64nsfJbJ5PhTZDknzImQXNqw0Xfgg778lwQJKTS:TcbP/kB30JKT

    Score
    3/10
    • Target

      sjl8j6ap3.dll

    • Size

      661KB

    • MD5

      7692a5dca7c3c48095aa6db0db640d4a

    • SHA1

      268faa86ae921da264264f392b541a9facc3bdf5

    • SHA256

      b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b

    • SHA512

      2e8c4c0ed23dffc2494e39654f0cec03e4ad6bd4c04a80342afa7ad412d1a3dbcbf4a4cab7841354ca6bc2932252eaacfaf7f0abe3f9380e30eed14a610cc882

    • SSDEEP

      12288:BLF6OtM1z8JLbA689tSfvTvFSYIzp4yzhrWbttQfaa4Gxjzgdlo/AhwN/eh9z/ET:BLF6gb0xqx9z/EO3BxhR

    Score
    1/10
    • Target

      windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5

    • Size

      884KB

    • MD5

      da13022097518d123a91a3958be326da

    • SHA1

      24a71ab462594d5a159bbf176588af951aba1381

    • SHA256

      25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5

    • SHA512

      a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f

    • SSDEEP

      12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Hive

      A ransomware written in Golang first seen in June 2021.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      zi1ysv64h.dll

    • Size

      3.3MB

    • MD5

      5384c6825a5707241c11d78529dbbfee

    • SHA1

      85f5587e8ad534c2e5de0e72450b61ebda93e4fd

    • SHA256

      3858e95bcf18c692f8321e3f8380c39684edb90bb622f37911144950602cea21

    • SHA512

      856861295efb9c1b0000b369297cf6905a277c2d7dd0bc238f3884cd22598055450bf0459d68441f135bb77150685a86707ea9320a37e10548b40185f09b961f

    • SSDEEP

      49152:HJ9mQ5uetkErb/TKvO90dL3BmAFd4A64nsfJ+9NRUMZXuPH9fc0KHPKG/g+eNgiz:HJ9jkl9NbBo9fc0KHYno

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Hive

      A ransomware written in Golang first seen in June 2021.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks