Hive ransomware command-line parameters analysis
Back on July 22, 2022, I noted that Hive ransomware got upgrades in Rust, as reported by Microsoft Threat Intelligence (Hive ransomware gets upgrades in Rust | Microsoft Security Blog).
The report mentioned that, "Unlike in previous variants where there was a 'help' menu, in the new variant, the attacker must know the parameters beforehand. Since all strings are encrypted, it makes finding the parameters challenging for security researchers."
Getting the command-line parameters is very challenging for beginners, but recently I wanted to challenge myself.
I chose the sample (SHA-256: 33744c420884adf582c46a4b74cbd9c145f2e15a036bb1e557e89d6fd428e724) to debug.
The sample won't continue its execution, but it still tells the analyst key information.
The first thing is that the sample has to handle input from the user. The second thing is that it prints an error.
Figure 1 – Without a username and a password, the sample won't continue its execution
The sample uses the function “GetCommandLineW” to get command-line parameters.
Figure 2 – "GetCommandLineW" for getting parameters
To begin, before debugging, we change the command line by appending any short string, such as "xx", which makes the run error out.
Figure 3 – change the command line by appending the string "xx"
Now let's debug by setting a breakpoint on "GetCommandLineW" and running until it is hit, as follows:
Figure 4 – set breakpoint on GetCommandLineW
From here, we debug step by step, patiently, and finally we find all the parameters, such as -da, -wmi, and -min-size.
Figure 5 – -da parameter
Figure 6 – -wmi and -min-size parameter
Different variants have different parameters.
End.