Malware Analysis Report

2024-10-16 03:10

Sample ID 240917-ctdg6azdle
Target Hive Ransomware.exe
SHA256 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
Tags
hive discovery ransomware upx defense_evasion execution impact
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1

Threat Level: Known bad

The file Hive Ransomware.exe was found to be: Known bad.

Malicious Activity Summary

hive discovery ransomware upx defense_evasion execution impact

Hive

Detects Go variant of Hive Ransomware

Deletes shadow copies

UPX packed file

Drops desktop.ini file(s)

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Opens file in notepad (likely ransom note)

Delays execution with timeout.exe

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-17 02:21

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-17 02:21

Reported

2024-09-17 02:22

Platform

win11-20240802-en

Max time kernel

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"

Signatures

Detects Go variant of Hive Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Hive

ransomware hive

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4272559161-3282441186-401869126-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-4272559161-3282441186-401869126-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.CSQi6f9nvsbrKxtf2-SXAnBxusBrSHtENi2S5iXxvyw.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpAppList.targetsize-48_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.CSQi6f9nvsbrKxtf2-SXApG0QNyqs8IVuCNvl_C_ElU.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-80_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.CSQi6f9nvsbrKxtf2-SXAq-gu6-exf5B_npKNFkJdmA.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-60_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.CSQi6f9nvsbrKxtf2-SXAmFMtzzXWgJMmK-_DrhWuQE.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE.CSQi6f9nvsbrKxtf2-SXApyEYSmR_yYuSCvy48ZB7h8.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.CSQi6f9nvsbrKxtf2-SXAhdG7fqt94UpmDJHpObTWV0.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ODBC32.DLL | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\uk-UA\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.winmd | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.CSQi6f9nvsbrKxtf2-SXAhrAR7WA1n4cKPZsVC6rdGs.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr.CSQi6f9nvsbrKxtf2-SXAv2ksnYTUVAzQNpUDPsjhmI.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Core.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OFFRHD.DLL.CSQi6f9nvsbrKxtf2-SXAlboUSQ-oWdwosbyD9IDdFQ.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PaintStoreLogo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libmpgv_plugin.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.scale-125.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.CSQi6f9nvsbrKxtf2-SXAgGF5a73rKpT4tCqW32pMVI.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms.CSQi6f9nvsbrKxtf2-SXAruGnLn4Q4pQx4QR0umjHls.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\en-us\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Icons\StickyNotesBadgeLogo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.CSQi6f9nvsbrKxtf2-SXApRXnQbhEfhJHI2hJ3lO_Ck.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Paint_10.2104.17.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PaintWideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Runtime.Serialization.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.CSQi6f9nvsbrKxtf2-SXAls6O7IvEh1Ff99CjVr_vD4.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\th-TH\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\as_IN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Resources\en-us\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\dependentlibs.list | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpSplashScreen.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.CSQi6f9nvsbrKxtf2-SXAkAEbQJOa1kCRh5V-dUSomw.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.CSQi6f9nvsbrKxtf2-SXArR5W63CWSJxoQJuvkEwb0s.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.122.manifest | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\Wide310x150Logo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.CSQi6f9nvsbrKxtf2-SXAnIvFgYDbAxDYxE1m3n1HHk.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.CSQi6f9nvsbrKxtf2-SXAg57wHm_DuUNI0H3YTL4PGY.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 912 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 5072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 5072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 5072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 4568 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 4568 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 4568 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1340 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1340 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1340 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 4764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 4764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 4764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 3880 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 3880 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 3880 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 3136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 3136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 3136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 3324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 3324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 3324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 3860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 3860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 3860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 5004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 5004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 5004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2768 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe

"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

Network

N/A

Files

memory/912-0-0x00000000002E0000-0x0000000000543000-memory.dmp

memory/912-1-0x00000000002E0000-0x0000000000543000-memory.dmp

memory/912-2-0x00000000002E0000-0x0000000000543000-memory.dmp

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

MD5 80207d0f8ea42bdfeaf9f5c586230aca
SHA1 747481fe2b0b6d81c3b19ba62d1e49eab6a5461f
SHA256 25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131
SHA512 73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304

C:\$Recycle.Bin\S-1-5-21-4272559161-3282441186-401869126-1000\desktop.ini

MD5 f387196b087b99ca7f2b42fc75b0de95
SHA1 3f534719c3d45f0a08d0302ba6fb845aa1f6b915
SHA256 cb9b4f60fa190efa0223704ff2f02e736b9cf4e0c1feaf958f7f732dce2df523
SHA512 558ae03b3693052a9e2fc512bc1cd7c80ee61f77c649142ea86c7ec12fdcdf4d37298d91cd61d1b6eae294f7d044f15ac621c83016ad134cfaba7c17f0bcdcf0

C:\Users\Admin\AppData\Local\Temp\shadow.bat

MD5 df5552357692e0cba5e69f8fbf06abb6
SHA1 4714f1e6bb75a80a8faf69434726d176b70d7bd8
SHA256 d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
SHA512 a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

C:\Users\Admin\AppData\Local\Temp\hive.bat

MD5 dc70612dee31a62e834e95709feaa5f7
SHA1 e3bbac5149ec5f27af0743d4fd332622920d518d
SHA256 07dc3fa1e68246d5a57206cf5ae3598a00049a80339bcd89db12fb1b10ba785c
SHA512 4a43ffae88b8026d272626aecb091a4177dec2ffc9f83999dc62499a2ecf80849580e32ddcbb40a57acca90e9dce1a9ab5712544fea96d4f68821c7bc39e1162

memory/912-2130-0x00000000002E0000-0x0000000000543000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-17 02:21

Reported

2024-09-17 02:22

Platform

win7-20240903-en

Max time kernel

27s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"

Signatures

Detects Go variant of Hive Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Hive

ransomware hive

Deletes shadow copies

ransomware defense_evasion impact execution

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\fr-FR\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ShapeCollector.exe.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\Common Files\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\ConvertToSubmit.midi | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\msado28.tlb | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\msdaprst.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msadds.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mr.txt C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\DVD Maker\WMM2CLIP.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tt.txt C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\Filters.xml C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\DVD Maker\bod_r.TTF C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2640 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2528 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2528 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2528 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2176 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2176 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2176 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2176 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2528 wrote to memory of 2252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2528 wrote to memory of 2252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2528 wrote to memory of 2252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2528 wrote to memory of 2252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2528 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2528 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2528 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2528 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe

"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c hive.bat >NUL 2>NUL

C:\Windows\SysWOW64\cmd.exe

cmd /c shadow.bat >NUL 2>NUL

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

Network

N/A

Files

memory/2640-0-0x0000000000BA0000-0x0000000000E03000-memory.dmp

memory/2640-1-0x0000000000BA0000-0x0000000000E03000-memory.dmp

memory/2640-2-0x0000000000BA0000-0x0000000000E03000-memory.dmp

memory/2640-3-0x0000000000BA0000-0x0000000000E03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hive.bat

MD5 dc70612dee31a62e834e95709feaa5f7
SHA1 e3bbac5149ec5f27af0743d4fd332622920d518d
SHA256 07dc3fa1e68246d5a57206cf5ae3598a00049a80339bcd89db12fb1b10ba785c
SHA512 4a43ffae88b8026d272626aecb091a4177dec2ffc9f83999dc62499a2ecf80849580e32ddcbb40a57acca90e9dce1a9ab5712544fea96d4f68821c7bc39e1162

C:\Users\Admin\AppData\Local\Temp\shadow.bat

MD5 df5552357692e0cba5e69f8fbf06abb6
SHA1 4714f1e6bb75a80a8faf69434726d176b70d7bd8
SHA256 d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
SHA512 a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

C:\MSOCache\HOW_TO_DECRYPT.txt

MD5 80207d0f8ea42bdfeaf9f5c586230aca
SHA1 747481fe2b0b6d81c3b19ba62d1e49eab6a5461f
SHA256 25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131
SHA512 73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-17 02:21

Reported

2024-09-17 02:22

Platform

win10-20240611-en

Max time kernel

30s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"

Signatures

Detects Go variant of Hive Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Hive

ransomware hive

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe

"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UndoConfirm.css

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL

Network

N/A

Files

memory/1468-0-0x0000000000DB0000-0x0000000001013000-memory.dmp

memory/1468-1-0x0000000000DB0000-0x0000000001013000-memory.dmp

memory/1468-2-0x0000000000DB0000-0x0000000001013000-memory.dmp

memory/1468-3-0x0000000000DB0000-0x0000000001013000-memory.dmp

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

MD5 80207d0f8ea42bdfeaf9f5c586230aca
SHA1 747481fe2b0b6d81c3b19ba62d1e49eab6a5461f
SHA256 25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131
SHA512 73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-17 02:21

Reported

2024-09-17 02:22

Platform

win10v2004-20240802-en

Max time kernel

30s

Max time network

14s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"

Signatures

Detects Go variant of Hive Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Hive

ransomware hive

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.mab1sTa8wlieG8wMuZKpeTv_VTVH7c4-vpNXxF0HmgM.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.mab1sTa8wlieG8wMuZKpeRz-qvaov8NSAmrHPhM-5C8.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.mab1sTa8wlieG8wMuZKpeS1uBzx8BswA4EI9aPBtzGo.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-180.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Shutter.m4a C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.mab1sTa8wlieG8wMuZKpeSR_a6laGpVYWsbAvhr_1kQ.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest.mab1sTa8wlieG8wMuZKpefNlWihyJsR5lTH3j6Mo_hg.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jfxwebkit.dll.mab1sTa8wlieG8wMuZKpeSaXo_sCzwlnN5vWYhgUHCE.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LargeTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.mab1sTa8wlieG8wMuZKpecd5591W8vpNW_KN-E_keTg.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.mab1sTa8wlieG8wMuZKpeXG2SZ0OUAscwiq8Yl-XJ20.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\MilitaryLeft.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Generic.xbf C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_contrast-white_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.mab1sTa8wlieG8wMuZKpeStuIO9I6mVhWtecfy3b2SY.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.mab1sTa8wlieG8wMuZKpeUyYp-oTfbxHhgrtIcEiInA.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Opacity.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteFirstRunCarousel_Animation2.mp4 C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.mab1sTa8wlieG8wMuZKpeb6lxGlMw197InqMwRGObnQ.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-multibyte-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.mab1sTa8wlieG8wMuZKpecsbOC_ev40xGLVBxIrtVRk.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_vi.json C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-125.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\back-icon.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.mab1sTa8wlieG8wMuZKpeQUUC6msn2ISIe5AlRS-7GQ.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.mab1sTa8wlieG8wMuZKpee4x3rv5rU41x8cd6k96HlM.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\WMPMediaSharing.dll.mui C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.mab1sTa8wlieG8wMuZKpeYCgE6k0UThQluAnHaoDYU0.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.mab1sTa8wlieG8wMuZKpeRqQbCzlspFVG7W6-_cFtUw.hive C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.dll C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4404 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 32 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2424 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe

"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp

Files

memory/4404-0-0x0000000000E10000-0x0000000001073000-memory.dmp

memory/4404-2-0x0000000000E10000-0x0000000001073000-memory.dmp

memory/4404-1-0x0000000000E10000-0x0000000001073000-memory.dmp

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

MD5 80207d0f8ea42bdfeaf9f5c586230aca
SHA1 747481fe2b0b6d81c3b19ba62d1e49eab6a5461f
SHA256 25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131
SHA512 73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Users\Admin\AppData\Local\Temp\hive.bat

MD5 dc70612dee31a62e834e95709feaa5f7
SHA1 e3bbac5149ec5f27af0743d4fd332622920d518d
SHA256 07dc3fa1e68246d5a57206cf5ae3598a00049a80339bcd89db12fb1b10ba785c
SHA512 4a43ffae88b8026d272626aecb091a4177dec2ffc9f83999dc62499a2ecf80849580e32ddcbb40a57acca90e9dce1a9ab5712544fea96d4f68821c7bc39e1162

C:\Users\Admin\AppData\Local\Temp\shadow.bat

MD5 df5552357692e0cba5e69f8fbf06abb6
SHA1 4714f1e6bb75a80a8faf69434726d176b70d7bd8
SHA256 d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
SHA512 a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

memory/4404-2433-0x0000000000E10000-0x0000000001073000-memory.dmp