Analysis Overview
SHA256
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
Threat Level: Known bad
The file Hive Ransomware.exe was found to be: Known bad.
Malicious Activity Summary
Hive
Detects Go variant of Hive Ransomware
Deletes shadow copies
UPX packed file
Drops desktop.ini file(s)
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
Delays execution with timeout.exe
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-17 02:21
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-17 02:21
Reported
2024-09-17 02:22
Platform
win11-20240802-en
Max time kernel
30s
Command Line
Signatures
Detects Go variant of Hive Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Hive
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4272559161-3282441186-401869126-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-4272559161-3282441186-401869126-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.CSQi6f9nvsbrKxtf2-SXAnBxusBrSHtENi2S5iXxvyw.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpAppList.targetsize-48_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.CSQi6f9nvsbrKxtf2-SXApG0QNyqs8IVuCNvl_C_ElU.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-80_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.CSQi6f9nvsbrKxtf2-SXAq-gu6-exf5B_npKNFkJdmA.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-60_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.CSQi6f9nvsbrKxtf2-SXAmFMtzzXWgJMmK-_DrhWuQE.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE.CSQi6f9nvsbrKxtf2-SXApyEYSmR_yYuSCvy48ZB7h8.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.CSQi6f9nvsbrKxtf2-SXAhdG7fqt94UpmDJHpObTWV0.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ODBC32.DLL | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\uk-UA\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.winmd | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.CSQi6f9nvsbrKxtf2-SXAhrAR7WA1n4cKPZsVC6rdGs.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr.CSQi6f9nvsbrKxtf2-SXAv2ksnYTUVAzQNpUDPsjhmI.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Core.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OFFRHD.DLL.CSQi6f9nvsbrKxtf2-SXAlboUSQ-oWdwosbyD9IDdFQ.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PaintStoreLogo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libmpgv_plugin.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.scale-125.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.CSQi6f9nvsbrKxtf2-SXAgGF5a73rKpT4tCqW32pMVI.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms.CSQi6f9nvsbrKxtf2-SXAruGnLn4Q4pQx4QR0umjHls.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\en-us\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Icons\StickyNotesBadgeLogo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.CSQi6f9nvsbrKxtf2-SXApRXnQbhEfhJHI2hJ3lO_Ck.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Paint_10.2104.17.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PaintWideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Runtime.Serialization.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.CSQi6f9nvsbrKxtf2-SXAls6O7IvEh1Ff99CjVr_vD4.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\th-TH\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\as_IN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Resources\en-us\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\dependentlibs.list | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpSplashScreen.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.CSQi6f9nvsbrKxtf2-SXAkAEbQJOa1kCRh5V-dUSomw.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.CSQi6f9nvsbrKxtf2-SXArR5W63CWSJxoQJuvkEwb0s.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.122.manifest | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\Wide310x150Logo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.CSQi6f9nvsbrKxtf2-SXAnIvFgYDbAxDYxE1m3n1HHk.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.CSQi6f9nvsbrKxtf2-SXAg57wHm_DuUNI0H3YTL4PGY.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | "C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
| C:\Windows\SysWOW64\timeout.exe | timeout 1 |
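The process list and the file-event tables in this run carry enough structure to script the triage. The following is an added example, not sandbox output and not Hive's own code: it takes rows copied from this report as constructed input, flags files renamed to the `<original name>.<base64url token>.hive` pattern, collects the directories where HOW_TO_DECRYPT.txt was dropped, records the prefix shared by every per-file token, and pulls the `cmd.exe /c <name>.bat >NUL 2>NUL`, `timeout 1` and shadow-copy tooling pattern out of the process list. Two things it relies on are worth stating: the report gives only hashes for hive.bat and shadow.bat, not their contents, so the example keys on the launch pattern rather than on script bodies; and the image path is SysWOW64 while the command line names system32, which is WoW64 file-system redirection for a 32-bit process, so the example counts those rows rather than treating the mismatch as spoofing. The VSS_TOOLS watch-list and the threshold of five timeout launches are assumptions (the report shows only vssadmin.exe, in the Win7 run, and 18 timeout launches). What the 43-character token encodes is not established by the report; the helper only reports that it decodes to 32 bytes.

```python
"""Triage helpers for the Hive sandbox report above.

Added example, not sandbox output and not Hive's own code.  Sample rows are
copied from the report; VSS_TOOLS and the timeout threshold are assumptions.
"""
import base64
import re
from collections import Counter
from pathlib import PureWindowsPath

# Encrypted-file name as seen in the report: <original name>.<base64url token>.hive
HIVE_NAME = re.compile(r"^(?P<orig>.+)\.(?P<token>[A-Za-z0-9_-]{40,48})\.hive$")
RANSOM_NOTE = "HOW_TO_DECRYPT.txt"
BATCH_LAUNCH = re.compile(r"cmd\.exe\s+/c\s+(\S+\.bat)", re.IGNORECASE)
# Assumed watch-list; the report itself shows only vssadmin.exe (Win7 run).
VSS_TOOLS = ("vssadmin.exe", "wmic.exe", "wbadmin.exe")
TIMEOUT_LOOP_MIN = 5  # assumed threshold; the report shows 18 launches

# Constructed input: (description, path) rows copied from the file-event tables.
FILE_EVENTS = [
    ("File opened for modification", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE.CSQi6f9nvsbrKxtf2-SXApyEYSmR_yYuSCvy48ZB7h8.hive"),
    ("File opened for modification", r"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.CSQi6f9nvsbrKxtf2-SXAhdG7fqt94UpmDJHpObTWV0.hive"),
    ("File opened for modification", r"C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.CSQi6f9nvsbrKxtf2-SXAhrAR7WA1n4cKPZsVC6rdGs.hive"),
    ("File created", r"C:\Program Files\Common Files\microsoft shared\ink\uk-UA\HOW_TO_DECRYPT.txt"),
    ("File created", r"C:\$Recycle.Bin\HOW_TO_DECRYPT.txt"),
    ("File opened for modification", r"C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar"),
]
# Constructed input: (image path, command line) rows copied from the process list.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL"),
] + [(r"C:\Windows\SysWOW64\timeout.exe", "timeout 1")] * 18


def classify_file_events(events):
    """Split file-event rows into encrypted files, ransom-note drops and the rest."""
    out = {"encrypted": [], "notes": [], "other": 0}
    for _desc, path in events:
        p = PureWindowsPath(path)
        m = HIVE_NAME.match(p.name)
        if m:  # (original path, per-file token)
            out["encrypted"].append((str(p.parent) + "\\" + m["orig"], m["token"]))
        elif p.name == RANSOM_NOTE:
            out["notes"].append(str(p.parent))
        else:
            out["other"] += 1
    return out


def common_token_prefix(tokens):
    """Longest prefix shared by all per-file tokens (every token in the report shares one)."""
    if not tokens:
        return ""
    first, *rest = tokens
    n = 0
    while n < len(first) and all(t[: n + 1] == first[: n + 1] for t in rest):
        n += 1
    return first[:n]


def token_bytes(token):
    """Decode an unpadded base64url token and return its length in bytes."""
    return len(base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)))


def summarize_processes(procs):
    """Pull the batch-launcher / delay-loop / shadow-copy pattern out of the process list."""
    images = Counter(PureWindowsPath(img).name.lower() for img, _ in procs)
    batch = [m.group(1) for _, cmd in procs if (m := BATCH_LAUNCH.search(cmd))]
    # SysWOW64 image with a system32 command line: WoW64 redirection of a 32-bit parent.
    redirected = sum(1 for img, cmd in procs
                     if "\\syswow64\\" in img.lower() and "\\system32\\" in cmd.lower())
    return {
        "batch_scripts": batch,
        "timeout_count": images["timeout.exe"],
        "vss_tools": [t for t in VSS_TOOLS if images[t]],
        "wow64_redirected": redirected,
    }


def ransomware_indicators(file_summary, proc_summary):
    """Reasons a triager would cite for this run; an empty list means nothing matched."""
    reasons = []
    if file_summary["encrypted"]:
        reasons.append(f'{len(file_summary["encrypted"])} files renamed to *.hive')
    if file_summary["notes"]:
        reasons.append(f'{len(file_summary["notes"])} ransom notes ({RANSOM_NOTE})')
    if proc_summary["batch_scripts"]:
        reasons.append("launcher batch files: " + ", ".join(proc_summary["batch_scripts"]))
    if proc_summary["timeout_count"] >= TIMEOUT_LOOP_MIN:
        reasons.append(f'{proc_summary["timeout_count"]}x timeout.exe delay loop')
    if proc_summary["vss_tools"]:
        reasons.append("shadow-copy tooling: " + ", ".join(proc_summary["vss_tools"]))
    return reasons


if __name__ == "__main__":
    files = classify_file_events(FILE_EVENTS)
    procs = summarize_processes(PROCESSES)
    print("shared token prefix:", common_token_prefix([t for _, t in files["encrypted"]]))
    print("token length (bytes):", token_bytes(files["encrypted"][0][1]))
    for reason in ransomware_indicators(files, procs):
        print("-", reason)
```

Run against the Win7 rows, the vssadmin.exe launch would surface under `vss_tools`; against the Win11 rows above it stays empty, matching the absence of the "Deletes shadow copies" signature in that run. The shared 21-character token prefix and the 32-byte decoded length are properties of the names in this report, useful for matching this run's artefacts, not a claim about how Hive derives the token.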
Network
Files
memory/912-0-0x00000000002E0000-0x0000000000543000-memory.dmp
memory/912-1-0x00000000002E0000-0x0000000000543000-memory.dmp
memory/912-2-0x00000000002E0000-0x0000000000543000-memory.dmp
C:\$Recycle.Bin\HOW_TO_DECRYPT.txt
| MD5 | 80207d0f8ea42bdfeaf9f5c586230aca |
| SHA1 | 747481fe2b0b6d81c3b19ba62d1e49eab6a5461f |
| SHA256 | 25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131 |
| SHA512 | 73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304 |
C:\$Recycle.Bin\S-1-5-21-4272559161-3282441186-401869126-1000\desktop.ini
| MD5 | f387196b087b99ca7f2b42fc75b0de95 |
| SHA1 | 3f534719c3d45f0a08d0302ba6fb845aa1f6b915 |
| SHA256 | cb9b4f60fa190efa0223704ff2f02e736b9cf4e0c1feaf958f7f732dce2df523 |
| SHA512 | 558ae03b3693052a9e2fc512bc1cd7c80ee61f77c649142ea86c7ec12fdcdf4d37298d91cd61d1b6eae294f7d044f15ac621c83016ad134cfaba7c17f0bcdcf0 |
C:\Users\Admin\AppData\Local\Temp\shadow.bat
| MD5 | df5552357692e0cba5e69f8fbf06abb6 |
| SHA1 | 4714f1e6bb75a80a8faf69434726d176b70d7bd8 |
| SHA256 | d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8 |
| SHA512 | a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d |
C:\Users\Admin\AppData\Local\Temp\hive.bat
| MD5 | dc70612dee31a62e834e95709feaa5f7 |
| SHA1 | e3bbac5149ec5f27af0743d4fd332622920d518d |
| SHA256 | 07dc3fa1e68246d5a57206cf5ae3598a00049a80339bcd89db12fb1b10ba785c |
| SHA512 | 4a43ffae88b8026d272626aecb091a4177dec2ffc9f83999dc62499a2ecf80849580e32ddcbb40a57acca90e9dce1a9ab5712544fea96d4f68821c7bc39e1162 |
memory/912-2130-0x00000000002E0000-0x0000000000543000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-17 02:21
Reported
2024-09-17 02:22
Platform
win7-20240903-en
Max time kernel
27s
Max time network
21s
Command Line
Signatures
Detects Go variant of Hive Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Hive
Deletes shadow copies
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Common Files\System\msadc\fr-FR\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ShapeCollector.exe.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Common Files\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\ConvertToSubmit.midi | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado28.tlb | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\msdaprst.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\msadds.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\WMM2CLIP.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\Filters.xml | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\bod_r.TTF | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c hive.bat >NUL 2>NUL
C:\Windows\SysWOW64\cmd.exe
cmd /c shadow.bat >NUL 2>NUL
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
Network
Files
memory/2640-0-0x0000000000BA0000-0x0000000000E03000-memory.dmp
memory/2640-1-0x0000000000BA0000-0x0000000000E03000-memory.dmp
memory/2640-2-0x0000000000BA0000-0x0000000000E03000-memory.dmp
memory/2640-3-0x0000000000BA0000-0x0000000000E03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hive.bat
| MD5 | dc70612dee31a62e834e95709feaa5f7 |
| SHA1 | e3bbac5149ec5f27af0743d4fd332622920d518d |
| SHA256 | 07dc3fa1e68246d5a57206cf5ae3598a00049a80339bcd89db12fb1b10ba785c |
| SHA512 | 4a43ffae88b8026d272626aecb091a4177dec2ffc9f83999dc62499a2ecf80849580e32ddcbb40a57acca90e9dce1a9ab5712544fea96d4f68821c7bc39e1162 |
C:\Users\Admin\AppData\Local\Temp\shadow.bat
| MD5 | df5552357692e0cba5e69f8fbf06abb6 |
| SHA1 | 4714f1e6bb75a80a8faf69434726d176b70d7bd8 |
| SHA256 | d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8 |
| SHA512 | a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d |
C:\MSOCache\HOW_TO_DECRYPT.txt
| MD5 | 80207d0f8ea42bdfeaf9f5c586230aca |
| SHA1 | 747481fe2b0b6d81c3b19ba62d1e49eab6a5461f |
| SHA256 | 25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131 |
| SHA512 | 73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304 |
C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini
| MD5 | a526b9e7c716b3489d8cc062fbce4005 |
| SHA1 | 2df502a944ff721241be20a9e449d2acd07e0312 |
| SHA256 | e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066 |
| SHA512 | d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-17 02:21
Reported
2024-09-17 02:22
Platform
win10-20240611-en
Max time kernel
30s
Max time network
21s
Command Line
Signatures
Detects Go variant of Hive Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Hive
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1468 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1468 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1468 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1468 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1468 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1468 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UndoConfirm.css
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
Network
Files
memory/1468-0-0x0000000000DB0000-0x0000000001013000-memory.dmp
memory/1468-1-0x0000000000DB0000-0x0000000001013000-memory.dmp
memory/1468-2-0x0000000000DB0000-0x0000000001013000-memory.dmp
memory/1468-3-0x0000000000DB0000-0x0000000001013000-memory.dmp
C:\$Recycle.Bin\HOW_TO_DECRYPT.txt
| MD5 | 80207d0f8ea42bdfeaf9f5c586230aca |
| SHA1 | 747481fe2b0b6d81c3b19ba62d1e49eab6a5461f |
| SHA256 | 25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131 |
| SHA512 | 73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-17 02:21
Reported
2024-09-17 02:22
Platform
win10v2004-20240802-en
Max time kernel
30s
Max time network
14s
Command Line
Signatures
Detects Go variant of Hive Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Hive
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.mab1sTa8wlieG8wMuZKpeTv_VTVH7c4-vpNXxF0HmgM.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.mab1sTa8wlieG8wMuZKpeRz-qvaov8NSAmrHPhM-5C8.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.mab1sTa8wlieG8wMuZKpeS1uBzx8BswA4EI9aPBtzGo.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-180.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Shutter.m4a | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.mab1sTa8wlieG8wMuZKpeSR_a6laGpVYWsbAvhr_1kQ.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest.mab1sTa8wlieG8wMuZKpefNlWihyJsR5lTH3j6Mo_hg.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jfxwebkit.dll.mab1sTa8wlieG8wMuZKpeSaXo_sCzwlnN5vWYhgUHCE.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LargeTile.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.mab1sTa8wlieG8wMuZKpecd5591W8vpNW_KN-E_keTg.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.mab1sTa8wlieG8wMuZKpeXG2SZ0OUAscwiq8Yl-XJ20.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\MilitaryLeft.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Generic.xbf | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_contrast-white_devicefamily-colorfulunplated.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.mab1sTa8wlieG8wMuZKpeStuIO9I6mVhWtecfy3b2SY.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.mab1sTa8wlieG8wMuZKpeUyYp-oTfbxHhgrtIcEiInA.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Opacity.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteFirstRunCarousel_Animation2.mp4 | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.mab1sTa8wlieG8wMuZKpeb6lxGlMw197InqMwRGObnQ.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.mab1sTa8wlieG8wMuZKpecsbOC_ev40xGLVBxIrtVRk.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_vi.json | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-125.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\back-icon.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.mab1sTa8wlieG8wMuZKpeQUUC6msn2ISIe5AlRS-7GQ.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.mab1sTa8wlieG8wMuZKpee4x3rv5rU41x8cd6k96HlM.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\de-DE\WMPMediaSharing.dll.mui | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.mab1sTa8wlieG8wMuZKpeYCgE6k0UThQluAnHaoDYU0.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.mab1sTa8wlieG8wMuZKpeRqQbCzlspFVG7W6-_cFtUw.hive | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.dll | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
Files
memory/4404-0-0x0000000000E10000-0x0000000001073000-memory.dmp
memory/4404-2-0x0000000000E10000-0x0000000001073000-memory.dmp
memory/4404-1-0x0000000000E10000-0x0000000001073000-memory.dmp
C:\$Recycle.Bin\HOW_TO_DECRYPT.txt
| MD5 | 80207d0f8ea42bdfeaf9f5c586230aca |
| SHA1 | 747481fe2b0b6d81c3b19ba62d1e49eab6a5461f |
| SHA256 | 25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131 |
| SHA512 | 73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304 |
C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini
| MD5 | a526b9e7c716b3489d8cc062fbce4005 |
| SHA1 | 2df502a944ff721241be20a9e449d2acd07e0312 |
| SHA256 | e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066 |
| SHA512 | d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88 |
C:\Users\Admin\AppData\Local\Temp\hive.bat
| MD5 | dc70612dee31a62e834e95709feaa5f7 |
| SHA1 | e3bbac5149ec5f27af0743d4fd332622920d518d |
| SHA256 | 07dc3fa1e68246d5a57206cf5ae3598a00049a80339bcd89db12fb1b10ba785c |
| SHA512 | 4a43ffae88b8026d272626aecb091a4177dec2ffc9f83999dc62499a2ecf80849580e32ddcbb40a57acca90e9dce1a9ab5712544fea96d4f68821c7bc39e1162 |
C:\Users\Admin\AppData\Local\Temp\shadow.bat
| MD5 | df5552357692e0cba5e69f8fbf06abb6 |
| SHA1 | 4714f1e6bb75a80a8faf69434726d176b70d7bd8 |
| SHA256 | d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8 |
| SHA512 | a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d |
memory/4404-2433-0x0000000000E10000-0x0000000001073000-memory.dmp