Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2025-03-12...ch.exe

windows7-x64

10

2025-03-12...ch.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch

  • Size

    2.6MB

  • Sample

    250312-b2374stvbw

  • MD5

    78fb5aaf33ba7bc649c3896f0be1c94b

  • SHA1

    7369fa3e614595cb02ca09b3c8472a7258d569e1

  • SHA256

    c15f267a2f8728cda84ae89122d07f706a92e23154bbb4b99e07892ae94ce083

  • SHA512

    dfa459ab1e493251de0f0f0beba0e709b68c8da41e8a36c945df39f209f15f220d2e1db87fb4ff666c61b11e5e2591912fdb08e2de87171e8cf8147d8d298c22

  • SSDEEP

    24576:LSWJv2CcnkpG1pSh6WFCTfqX9XyLpwE0D3modZ7GE+rcrVoPETgDqhCi1EbGTkSm:L/uEXTdZT+6VfHc3qui0CwSZE701D1j

Score
10/10
hivedefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\pK8K_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: ojxQoX78fsLX Password: rMaNEBFqXrCE9FKmLdwQ To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.pirxq files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Targets

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Privilege Escalation

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Defense Evasion

Direct Volume Access

1
T1006

Impair Defenses

4
T1562

Disable or Modify Tools

2
T1562.001

Indicator Removal

3
T1070

Clear Windows Event Logs

1
T1070.001

File Deletion

2
T1070.004

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Service Stop

1
T1489

Tasks