Extracted

• • Target

    VHO-Trojan-Ransom.Win32.Hive.dc-d7fe04c042782df6be1fb3e38f171631820e43b9472da93af7e5f49b550a2a33.7z

  • Size

    902KB

  • MD5

    71bda678e703bdb64bcd3316b1c5ef71

  • SHA1

    8345a18f2a2d75f0a77f03562ed7856c2dcd038b

  • SHA256

    1dfccde2de5ee587770c66f98d39e9fdeab1c8c8d016c852bd4891a6076999ee

  • SHA512

    cd1abb60a56992a19c90251968f6adb1dd9406c33a635dd04d1b594e00415baaabfb0e6d4b8a57e50a23c746d4822f8e858bb833476afc278edbddc44a497319

  • SSDEEP

    24576:aWMQs2b3eFviBqj9T5NmvJe6xA99zwkNKptNIu:O2beFviBEtNmvs6xAeksptNIu

  Score

  10^/10

  hivedefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealertrojan

  • Disables service(s)

    defense_evasionexecution

  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive

  • Hive family

    hive

  • Modifies Windows Defender DisableAntiSpyware settings

    evasiontrojan

  • Modifies Windows Defender Real-time Protection settings

    defense_evasiontrojan

  • Modifies security service

    defense_evasion

  • Clears Windows event logs

    defense_evasionransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Modifies Security services

    Modifies the startup behavior of a security service.

    defense_evasion
  behavioral1