Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2025-03-07...ch.exe

windows7-x64

10

2025-03-07...ch.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-03-07_760ccfdb30fe7eaab9cd4c7450d73c24_frostygoop_hive_sliver_snatch

  • Size

    2.5MB

  • Sample

    250307-cfa5wasscx

  • MD5

    760ccfdb30fe7eaab9cd4c7450d73c24

  • SHA1

    5eb8513686554a871a8dea173f0c175eeec74f38

  • SHA256

    2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709

  • SHA512

    25050f6fa163acec8de703210439d004ce1a752dea70ca6c7daea8c5d19c46647f573e1934609e5aeeee787dd6ef180701304f9f695fa30193f2d9704aaaa5c5

  • SSDEEP

    24576:pT6Gyv2Cc+qVzsnjRaPTbGQtIYph4qDqz15QAml7+GgEEtKBM7i4ArwRV6LUEFga:pCXo8m04Td2xDoCLyv1D1

Score
10/10
hivedefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\UZEP_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: zo6NZMEhyHgb Password: Ao1KMM8jU6P2DgkuhXqN To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.gtqbv files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Targets

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Privilege Escalation

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Defense Evasion

Direct Volume Access

1
T1006

Impair Defenses

4
T1562

Disable or Modify Tools

2
T1562.001

Indicator Removal

3
T1070

Clear Windows Event Logs

1
T1070.001

File Deletion

2
T1070.004

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Remote System Discovery

1
T1018

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Service Stop

1
T1489

Tasks