Extracted

• • Target

    Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.7z

  • Size

    894KB

  • MD5

    d41f6613256eb0ad7422d080e25b1295

  • SHA1

    1b0467ff55f311fbb2374d60167954c8afa1bf6e

  • SHA256

    773a84c3fcd0056ba603a8289affadb52b3ec1162fe161d4874aa9bc30b4e8d8

  • SHA512

    cc94ead6e6ae0b999082decd7ed656c25647e16b2ce09b6f604cab565aaa7ef2a12cac5b4d60e6553236fb5b53f51e8098a4282df429e0c44b1b6fc19f40a228

  • SSDEEP

    12288:/ve9LHimubryf14MQQ95OJHu9DgCgAaDKIMgaeI1jgeheAIm0w39D8wT0EJ3d7a:ogumMQQ9IF3CUKeehlv0Ih8G0EJ1a

  Score

  10^/10

  hivedefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealertrojan

  • Disables service(s)

    defense_evasionexecution

  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive

  • Hive family

    hive

  • Modifies Windows Defender DisableAntiSpyware settings

    evasiontrojan

  • Modifies Windows Defender Real-time Protection settings

    defense_evasiontrojan

  • Modifies security service

    defense_evasion

  • Clears Windows event logs

    defense_evasionransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Modifies Security services

    Modifies the startup behavior of a security service.

    defense_evasion
  behavioral1