| File name: | Ransomware.Hive.zip |
| Full analysis: | https://app.any.run/tasks/dea10de9-5eda-44fd-95ce-ca06460f8430 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | February 12, 2024, 06:47:29 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=AES Encrypted |
| MD5: | 33DC6CF9108FA7A395D632C29021791C |
| SHA1: | 61CCFFBFB8F2458BE139AA1D3C9DD715F25CD06D |
| SHA256: | AF9E8F301A3677B457345921D7EE765A842ECEB7DF107714EAFFC6193BFC6BBE |
| SSDEEP: | 196608:xUPLIETGA/+0vcL5o/Vu0vlQ77Z0SOJM7j:xmJ6ANa6/Vu0q3+SOw |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3240)
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
Changes the autorun value in the registry
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
Renames files like ransomware
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
Sodinokibi ransom note is found
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
SUSPICIOUS
Uses NETSH.EXE to change the status of the firewall
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
Executes as Windows Service
- VSSVC.exe (PID: 952)
- VSSVC.exe (PID: 1504)
Creates files like ransomware instruction
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3240)
- WinRAR.exe (PID: 2304)
Manual execution by a user
- WinRAR.exe (PID: 2304)
- windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe (PID: 2968)
- hive.exe (PID: 2248)
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
Dropped object may contain TOR URL's
- WinRAR.exe (PID: 3240)
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2304)
Checks supported languages
- windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe (PID: 2968)
- hive.exe (PID: 2248)
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
Reads the computer name
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
Reads Environment values
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
Reads product name
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
Creates files in the program directory
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
Reads the machine GUID from the registry
- 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe (PID: 3800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Unknown (99) |
| ZipModifyDate: | 2022:08:06 14:25:50 |
| ZipCRC: | 0x15387ab7 |
| ZipCompressedSize: | 780687 |
| ZipUncompressedSize: | 782394 |
| ZipFileName: | hive.bin_exe |
Total processes
62
Monitored processes
9
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 952 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1504 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2040 | netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes | C:\Windows\System32\netsh.exe | — | 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2248 | "C:\Users\admin\Desktop\1\hive.exe" | C:\Users\admin\Desktop\1\hive.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2304 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver "-an=C:\Users\admin\Desktop\sn.zip" "-an=C:\Users\admin\Desktop\la.zip" -- "C:\Users\admin\Desktop\sod.zip" C:\Users\admin\Desktop\ | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2760 | C:\Windows\system32\wbem\unsecapp.exe -Embedding | C:\Windows\System32\wbem\unsecapp.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Sink to receive asynchronous callbacks for WMI client application Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 2968 | "C:\Users\admin\Desktop\1\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe" | C:\Users\admin\Desktop\1\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 3240 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ransomware.Hive.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 3800 | "C:\Users\admin\Desktop\1\03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe" | C:\Users\admin\Desktop\1\03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
7 509
Read events
7 382
Write events
127
Delete events
0
Modification events
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Ransomware.Hive.zip | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
6
Suspicious files
146
Text files
0
Unknown types
128
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3800 | 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe | C:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | |
MD5:— | SHA256:— | |||
| 3800 | 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.t69c774m | — | |
MD5:— | SHA256:— | |||
| 3240 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3240.47790\Hive.elf | binary | |
MD5:22AE3E19EC54A9D314719158C00986E3 | SHA256:822D89E7917D41A90F5F65BEE75CAD31FE13995E43F47EA9EA536862884EFC25 | |||
| 3240 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3240.47790\linux_hive.elf | binary | |
MD5:56075E7C63B3F9F612CDE6187D4A7877 | SHA256:12389B8AF28307FD09FE080FD89802B4E616ED4C961F464F95FDB4B3F0AAF185 | |||
| 3240 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3240.47790\zi1ysv64h.dll | executable | |
MD5:5384C6825A5707241C11D78529DBBFEE | SHA256:3858E95BCF18C692F8321E3F8380C39684EDB90BB622F37911144950602CEA21 | |||
| 3240 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3240.47790\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5 | executable | |
MD5:DA13022097518D123A91A3958BE326DA | SHA256:25BFEC0C3C81AB55CF85A57367C14CC6803A03E2E9B4AFD72E7BBCA9420FE7C5 | |||
| 3240 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3240.47790\211xahcou.dll | executable | |
MD5:0E4D44DDE522C07D09D9E3086CFAE803 | SHA256:33ACEB3DC0681A56226D4CFCE32EEE7A431E66F5C746A4D6DC7506A72B317277 | |||
| 3240 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3240.47790\sjl8j6ap3.dll | executable | |
MD5:7692A5DCA7C3C48095AA6DB0DB640D4A | SHA256:B6B1EA26464C92C3D25956815C301CAF6FA0DA9723A2EF847E2BB9CD11563D8B | |||
| 2304 | WinRAR.exe | C:\Users\admin\Desktop\03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482 | executable | |
MD5:979635229DFCFAE1AAE74AE296EC78C8 | SHA256:03B5A7FFE111CCA63FC687A295BA8075087CC90812F6B988797A2D49A5DB1482 | |||
| 3800 | 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe | C:\users\default\t69c774m-readme.txt | binary | |
MD5:C98F542B15C0A1CB7F8FE58CFA2808E1 | SHA256:220D66D1C436FE67BB4A281429CBCE7806235E2B841EC35E4128615D360BB405 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |