From ScreenConnect to Hive Ransomware in 61 hours - The DFIR Report
Tags
cmtmf-attack-pattern: Masquerading Process Injection
maec-delivery-vectors: Watering Hole
attack-pattern: Data Model Models Account Access Removal - T1640 Account Access Removal - T1531 Cloud Services - T1021.007 Command Obfuscation - T1027.010 Credentials - T1589.001 Data Encrypted For Impact - T1471 Data Encrypted For Impact - T1486 Data From Local System - T1533 Dns - T1071.004 Dns - T1590.002 Domain Account - T1087.002 Domain Account - T1136.002 Domain Groups - T1069.002 Domain Trust Discovery - T1482 Domains - T1583.001 Domains - T1584.001 Dynamic Api Resolution - T1027.007 Embedded Payloads - T1027.009 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 Exfiltration Over C2 Channel - T1646 File And Directory Discovery - T1420 File Deletion - T1070.004 File Deletion - T1630.002 Hidden Window - T1564.003 Ingress Tool Transfer - T1544 Inhibit System Recovery - T1490 Ip Addresses - T1590.005 Lateral Tool Transfer - T1570 Local Account - T1087.001 Local Account - T1136.001 System Network Configuration Discovery - T1422 Lsass Memory - T1003.001 Malicious File - T1204.002 Malware - T1587.001 Malware - T1588.001 Masquerading - T1655 Match Legitimate Name Or Location - T1036.005 Match Legitimate Name Or Location - T1655.001 System Information Discovery - T1426 Msiexec - T1218.007 Native Api - T1575 Non-Standard Port - T1509 Non-Standard Port - T1571 Powershell - T1059.001 Process Injection - T1631 Protocol Impersonation - T1001.003 Remote Access Software - T1663 Remote Desktop Protocol - T1021.001 Rundll32 - T1218.011 Scheduled Task - T1053.005 Server - T1583.004 Server - T1584.004 Service Execution - T1569.002 Smb/Windows Admin Shares - T1021.002 Software - T1592.002 Ssh - T1021.004 Windows Command Shell - T1059.003 Web Protocols - T1071.001 Web Protocols - T1437.001 Windows Service - T1543.003 Tool - T1588.002 Bits Jobs - T1197 Connection Proxy - T1090 Credential Dumping - T1003 Data From Local System - T1005 Data From Network Shared Drive - T1039 Execution Through Api - T1106 Exfiltration Over Command And Control Channel - T1041 File And Directory Discovery - T1083 File Deletion - T1107 Graphical User Interface - T1061 Hidden Window - T1143 Remote File Copy - T1105 Masquerading - T1036 Multi-Stage Channels - T1104 Network Share Discovery - T1135 Permission Groups Discovery - T1069 Powershell - T1086 Process Injection - T1055 Remote Access Tools - T1219 Remote Desktop Protocol - T1076 Remote Services - T1021 Rundll32 - T1085 Scheduled Task - T1053 Scripting - T1064 Service Execution - T1035 System Information Discovery - T1082 System Network Configuration Discovery - T1016 System Owner/User Discovery - T1033 Windows Management Instrumentation - T1047 Graphical User Interface Masquerading Scripting
Common Information
Type Value
UUID b4afc23c-e23a-46fd-9aab-70ca3648680e
Fingerprint 2629b775a1a28424
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 25, 2023, 12:58 a.m.
Added to db Nov. 19, 2023, 10:35 p.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline From ScreenConnect to Hive Ransomware in 61 hours
Title From ScreenConnect to Hive Ransomware in 61 hours - The DFIR Report
Detected Hints/Tags/Attributes 252/3/206
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 249 The DFIR Report https://thedfirreport.com/feed/ 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details File 45
wmiexec.py
Details File 2
document8765.exe
Details File 269
msiexec.exe
Details File 1018
rundll32.exe
Details File 1208
powershell.exe
Details File 11
'system.dll
Details File 748
kernel32.dll
Details File 2
'crypt32.dll
Details File 83
crypt32.dll
Details File 44
submit.php
Details File 21
%windir%\\syswow64\\rundll32.exe
Details File 21
%windir%\\sysnative\\rundll32.exe
Details File 1
%temp%\p6nqedwk.exe
Details File 1
p6nqedwk.exe
Details File 81
werfault.exe
Details File 27
c:\windows\system32\msiexec.exe
Details File 1
c:\programdata\setup.msi
Details File 1
%programfiles%\atera networks\ateraagent\packages\agentpackageruncommandinteractive\agentpackageruncommandinteractive.exe
Details File 2125
cmd.exe
Details File 1
agentpackagestremote.exe
Details File 1
c:\windows\system32\config\system.log
Details File 6
clientservice.exe
Details File 23
c:\windows\system32\services.exe
Details File 1122
svchost.exe
Details File 92
c:\windows\system32\svchost.exe
Details File 478
lsass.exe
Details File 29
c:\windows\system32\lsass.exe
Details File 212
winlogon.exe
Details File 131
spoolsv.exe
Details File 8
c:\windows\system32\spoolsv.exe
Details File 1
m2.exe
Details File 2
adcomp.bat
Details File 1
netping.exe
Details File 142
wmiprvse.exe
Details File 409
c:\windows\system32\cmd.exe
Details File 35
'powershell.exe
Details File 36
compression.gzip
Details File 31
c:\windows\system32\wbem\wmic.exe
Details File 12
c:\windows\system32\vssadmin.exe
Details File 7
c:\windows\system32\bcdedit.exe
Details File 1
c:\users\default\how_to_decrypt.txt
Details File 4
windows_x64_encrypt.exe
Details File 1
c:\users\redacted\appdata\local\temp\setup.msi
Details File 1
700893a5-90ad-456f-b9a8-7ce8e2f291afrun.ps1
Details File 1
de873d67-cd59-4075-9a9a-aa1d3cd0817erun.ps1
Details File 1
c:\windows\temp\p6nqedwk.exe
Details File 1
c:\programdata\m2.exe
Details File 1
c:\programdata\adcomp.bat
Details File 1
c:\windows\temp\unpack\setup.msi
Details File 1
c:\programdata\rclone\rclone.exe
Details File 1
c:\programdata\netscan\netscan.exe
Details File 1
c:\programdata\c64.dll
Details File 1
c:\programdata\x2.dll
Details File 1
c:\windows_x64_encrypt.exe
Details File 1
c:\programdata\windows_x64_encrypt.exe
Details File 13
scheduledtasks.xml
Details File 256
net.exe
Details Github username 29
gentilkiwi
Details Github username 19
the-dfir-report
Details MITRE ATT&CK Techniques 141
T1219
Details MITRE ATT&CK Techniques 139
T1021.002
Details MITRE ATT&CK Techniques 460
T1059.001
Details MITRE ATT&CK Techniques 333
T1059.003
Details MITRE ATT&CK Techniques 275
T1053.005
Details MITRE ATT&CK Techniques 174
T1569.002
Details MITRE ATT&CK Techniques 365
T1204.002
Details MITRE ATT&CK Techniques 310
T1047
Details MITRE ATT&CK Techniques 99
T1087.002
Details MITRE ATT&CK Techniques 72
T1087.001
Details MITRE ATT&CK Techniques 74
T1069.002
Details MITRE ATT&CK Techniques 440
T1055
Details MITRE ATT&CK Techniques 297
T1070.004
Details MITRE ATT&CK Techniques 25
T1027.010
Details MITRE ATT&CK Techniques 39
T1218.007
Details MITRE ATT&CK Techniques 119
T1218.011
Details MITRE ATT&CK Techniques 173
T1003.001
Details MITRE ATT&CK Techniques 585
T1083
Details MITRE ATT&CK Techniques 176
T1135
Details MITRE ATT&CK Techniques 1006
T1082
Details MITRE ATT&CK Techniques 245
T1016
Details MITRE ATT&CK Techniques 230
T1033
Details MITRE ATT&CK Techniques 118
T1570
Details MITRE ATT&CK Techniques 160
T1021.001
Details MITRE ATT&CK Techniques 442
T1071.001
Details MITRE ATT&CK Techniques 492
T1105
Details MITRE ATT&CK Techniques 19
T1048.002
Details MITRE ATT&CK Techniques 472
T1486
Details MITRE ATT&CK Techniques 276
T1490
Details MITRE ATT&CK Techniques 239
T1106
Details MITRE ATT&CK Techniques 180
T1543.003
Details MITRE ATT&CK Techniques 40
T1027.009
Details MITRE ATT&CK Techniques 67
T1039
Details MITRE ATT&CK Techniques 10
T1001.003
Details MITRE ATT&CK Techniques 40
T1197
Details MITRE ATT&CK Techniques 115
T1571
Details MITRE ATT&CK Techniques 534
T1005
Details MITRE ATT&CK Techniques 26
T1531
Details MITRE ATT&CK Techniques 183
T1036.005
Details MITRE ATT&CK Techniques 422
T1041
Details MITRE ATT&CK Techniques 25
T1104
Details MITRE ATT&CK Techniques 65
T1069
Details MITRE ATT&CK Techniques 124
T1482
Details MITRE ATT&CK Techniques 28
T1027.007
Details Url 1
https://github.com/gentilkiwi/mimikatz/blob/master/kiwi_passwords.yar
Details Url 1
https://github.com/the-dfir-report/yara-rules/blob/main/18364/18364.yar