Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2025-03-12...ch.exe

windows7-x64

10

2025-03-12...ch.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-03-12_8fdfa1997b566f6e086c29e33935dcc5_frostygoop_hive_sliver_snatch

  • Size

    2.5MB

  • Sample

    250312-b5m1astwbt

  • MD5

    8fdfa1997b566f6e086c29e33935dcc5

  • SHA1

    178fbe1c8fc1a6e3440215d668797699f94a4bef

  • SHA256

    cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68

  • SHA512

    b185d1080c62f59ff26592321bf2a5cb85556260f34f59726cc9d5aeed1f82a48c710e8decd1212ddc2e4ca371ba83ad3aca6bf34587ddc73cc9c90afec467d5

  • SSDEEP

    24576:n1aan2Cc2sLnOJaoyN8sAwq5JQx40Dgga3gG7LMzgoUEyQTaRSOPE7O7S88Vt4C3:n3Dqy3PyzMCteCl/G/1D1o

Score
10/10
hivedefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\auw1_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: 8g79kHqNA5hh Password: XVxZo6vidfBS5ZyVVj6a To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.fmu9d files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Targets

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Privilege Escalation

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Defense Evasion

Direct Volume Access

1
T1006

Impair Defenses

4
T1562

Disable or Modify Tools

2
T1562.001

Indicator Removal

3
T1070

Clear Windows Event Logs

1
T1070.001

File Deletion

2
T1070.004

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Service Stop

1
T1489

Tasks