hellokitty | 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0

Resubmissions

11-06-2024 02:42

240611-c64j4ssbkm 3

18-11-2020 19:24

201118-4lq83cnnxs 10

Analysis

max time kernel
17s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ag.exe
Size

179KB
MD5

06ce6cd8bde756265f95fcf4eecadbe9
SHA1

bacf50b20f1cf2165ac96535aeac36b49c8a8677
SHA256

9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0
SHA512

b13677539da247707e7016c56aaba889826648b3050428974aca6d109d7fa88d7e610a61214ddee06f1fa09c287ade6f71182b999955c6d3674d5701b0f89326

Score

10^/10

hellokitty ransomware

Malware Config

Extracted

Path

C:\odt\read_me_lkdtt.txt

Ransom Note

Hello dear user. Your files have been encrypted. -- What does it mean?! Content of your files have been modified. Without special key you can't undo that operation. -- How to get special key? If you want to get it, you must pay us some money and we will help you. We will give you special decryption program and instructions. -- Ok, how i can pay you? 1) Download TOR browser, if you don't know how to do it you can google it. 2) Open this website in tor browser: http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/02f6af250649555ea1b65f20fd9e815b23ba7d84829b93e6d8dbdb10f82c5af4 3) Follow instructions in chat.

URLs

http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/02f6af250649555ea1b65f20fd9e815b23ba7d84829b93e6d8dbdb10f82c5af4

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ag.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SetDisable.crw => C:\Users\Admin\Pictures\SetDisable.crw.crypted	ag.exe
File renamed	C:\Users\Admin\Pictures\SyncComplete.tiff => C:\Users\Admin\Pictures\SyncComplete.tiff.crypted	ag.exe
File renamed	C:\Users\Admin\Pictures\NewConnect.crw => C:\Users\Admin\Pictures\NewConnect.crw.crypted	ag.exe
File renamed	C:\Users\Admin\Pictures\UnregisterUse.tiff => C:\Users\Admin\Pictures\UnregisterUse.tiff.crypted	ag.exe
File renamed	C:\Users\Admin\Pictures\SyncCheckpoint.raw => C:\Users\Admin\Pictures\SyncCheckpoint.raw.crypted	ag.exe
File opened for modification	C:\Users\Admin\Pictures\SyncComplete.tiff	ag.exe
File opened for modification	C:\Users\Admin\Pictures\UnregisterUse.tiff	ag.exe
File renamed	C:\Users\Admin\Pictures\DenyGet.png => C:\Users\Admin\Pictures\DenyGet.png.crypted	ag.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2344 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ag.exe

pid process

580 ag.exe
580 ag.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 752 vssvc.exe
Token: SeRestorePrivilege 752 vssvc.exe
Token: SeAuditPrivilege 752 vssvc.exe

pid	process
2344	PING.EXE

pid	process
580	ag.exe
580	ag.exe

description	pid	process
Token: SeBackupPrivilege	752	vssvc.exe
Token: SeRestorePrivilege	752	vssvc.exe
Token: SeAuditPrivilege	752	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ag.execmd.exe

description	pid	process	target process
PID 580 wrote to memory of 4000	580	ag.exe	cmd.exe
PID 580 wrote to memory of 4000	580	ag.exe	cmd.exe
PID 580 wrote to memory of 4000	580	ag.exe	cmd.exe
PID 4000 wrote to memory of 2344	4000	cmd.exe	PING.EXE
PID 4000 wrote to memory of 2344	4000	cmd.exe	PING.EXE
PID 4000 wrote to memory of 2344	4000	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ag.exe
"C:\Users\Admin\AppData\Local\Temp\ag.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del ag.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2344-1-0x0000000000000000-mapping.dmp

Download
memory/4000-0-0x0000000000000000-mapping.dmp

Download