Extracted

• • Target

    Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.7z

  • Size

    877KB

  • MD5

    8bfde4cd67622b8ac75e1f948214026f

  • SHA1

    df768ba61f479bd483122ef0deca7d8e977b0674

  • SHA256

    d4e8c5cd03b3bfe1743c7e0c82e6c9694e861b2f6907b4fbc11f83bb0623e55e

  • SHA512

    0fbc132e7503aa93f31e25cd07918d6ff2ad63155bc6053fdccf9e30c51e8be98dccac5b0ffb1fcc4006a5676db27631934613174f2c10846768545539b41c99

  • SSDEEP

    24576:TPPUy/Jx0qMJfHwUKh/ebyxTDlLu7XQPGu/gnm:TPMrTfoYmrC8PGu/+m

  Score

  10^/10

  hivedefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealertrojan

  • Disables service(s)

    defense_evasionexecution

  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive

  • Hive family

    hive

  • Modifies Windows Defender DisableAntiSpyware settings

    evasiontrojan

  • Modifies Windows Defender Real-time Protection settings

    defense_evasiontrojan

  • Modifies security service

    defense_evasion

  • Clears Windows event logs

    defense_evasionransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Modifies Security services

    Modifies the startup behavior of a security service.

    defense_evasion
  behavioral1