Analysis

  • max time kernel
    17s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-11-2020 19:24

General

  • Target

    ag.exe

  • Size

    179KB

  • MD5

    06ce6cd8bde756265f95fcf4eecadbe9

  • SHA1

    bacf50b20f1cf2165ac96535aeac36b49c8a8677

  • SHA256

    9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0

  • SHA512

    b13677539da247707e7016c56aaba889826648b3050428974aca6d109d7fa88d7e610a61214ddee06f1fa09c287ade6f71182b999955c6d3674d5701b0f89326

Score
10/10

Malware Config

Extracted

Path

C:\odt\read_me_lkdtt.txt

Ransom Note
Hello dear user. Your files have been encrypted. -- What does it mean?! Content of your files have been modified. Without special key you can't undo that operation. -- How to get special key? If you want to get it, you must pay us some money and we will help you. We will give you special decryption program and instructions. -- Ok, how i can pay you? 1) Download TOR browser, if you don't know how to do it you can google it. 2) Open this website in tor browser: http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/02f6af250649555ea1b65f20fd9e815b23ba7d84829b93e6d8dbdb10f82c5af4 3) Follow instructions in chat.
URLs

http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/02f6af250649555ea1b65f20fd9e815b23ba7d84829b93e6d8dbdb10f82c5af4
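The "Extracted" block above is the output of a config extractor run over the dropped note. The following is an added example, not part of this report and not the sandbox's own extractor, that does the same job over the note text reproduced above: it pulls out v3 (56-character) and legacy v2 (16-character) .onion hosts and treats a 64-hex-character path component as the victim identifier. The function names, the second constructed note, and the assumption that the hex path is a per-victim ID are assumptions of this example, not something the report states.

```python
import re

# Ransom note text as reproduced in this report (the only real sample input here).
NOTE_TEXT = (
    "Hello dear user. Your files have been encrypted. -- What does it mean?! Content of "
    "your files have been modified. Without special key you can't undo that operation. "
    "-- How to get special key? If you want to get it, you must pay us some money and we "
    "will help you. We will give you special decryption program and instructions. -- Ok, "
    "how i can pay you? 1) Download TOR browser, if you don't know how to do it you can "
    "google it. 2) Open this website in tor browser: "
    "http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/02f6af250649555ea1b65f20fd9e815b23ba7d84829b93e6d8dbdb10f82c5af4"
    " 3) Follow instructions in chat."
)

# Constructed second note (not from the report) with a v2-length host and a non-hex
# path, to show what the extractor does and does not treat as a victim ID.
OTHER_NOTE = "contact us at http://abcdefghijklmnop.onion/support and wait"

# v3 onion hosts are 56 base32 chars, legacy v2 hosts 16; try the longer form first.
ONION_RE = re.compile(r"https?://([a-z2-7]{56}|[a-z2-7]{16})\.onion(/[A-Za-z0-9._~/-]*)?")
# Assumption for this example: a 64-hex path component is a per-victim identifier.
VICTIM_ID_RE = re.compile(r"^/([0-9a-f]{64})$")


def extract_onion_urls(text):
    """Return every onion URL in text as url/host/path dicts, in order of appearance."""
    hits = []
    for m in ONION_RE.finditer(text):
        hits.append({
            "url": m.group(0),
            "host": m.group(1) + ".onion",
            "path": m.group(2) or "",
        })
    return hits


def extract_config(text):
    """Produce the same kind of record the report's 'Extracted' block shows."""
    urls = extract_onion_urls(text)
    victim_ids = []
    for u in urls:
        m = VICTIM_ID_RE.match(u["path"])
        if m:
            victim_ids.append(m.group(1))
    return {
        "urls": [u["url"] for u in urls],
        "onion_hosts": sorted({u["host"] for u in urls}),
        "victim_ids": victim_ids,
    }


if __name__ == "__main__":
    for name, note in (("report note", NOTE_TEXT), ("constructed note", OTHER_NOTE)):
        print(name, extract_config(note))
```

The host string, not the full URL, is the indicator worth pivoting on: the path is per victim and will differ between samples of the same campaign, while the .onion host is what the operators reuse.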

Signatures

  • HelloKitty Ransomware

    Ransomware family active since late 2020; in early 2021 a variant was used in the compromise of the CD Projekt Red game studio.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ag.exe
    "C:\Users\Admin\AppData\Local\Temp\ag.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del ag.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2344
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:752
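The cmd.exe line in the tree above is the common self-deletion idiom: a ping against loopback serves as a sleep so that the parent has exited by the time del runs against its own image (the image path reads SysWOW64 while the command line says System32 because the 32-bit ag.exe is subject to WoW64 file system redirection). The following added example, not part of this report, shows detection logic for that pattern over process-creation events. It is generalized beyond this sample: it also catches the timeout-based variant, and it distinguishes a true self-delete (the deleted file matches the parent's image name) from an ordinary delayed delete. The event records are constructed from the tree above plus invented benign and variant rows; every PID other than 580, 4000 and 2344, and the explorer.exe parent, are assumptions.

```python
import ntpath
import re

# Constructed process-creation events (image + command line, as Sysmon event 1 would
# carry them), modelled on the tree in this report: ag.exe -> cmd.exe -> PING.EXE.
# PIDs 580/4000/2344 are from the report; everything else below is invented.
EVENTS = [
    {"pid": 1234, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 580, "ppid": 1234, "image": r"C:\Users\Admin\AppData\Local\Temp\ag.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ag.exe"'},
    {"pid": 4000, "ppid": 580, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del ag.exe'},
    {"pid": 2344, "ppid": 4000, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # benign: an admin pinging a host from a shell, no delete
    {"pid": 5100, "ppid": 1234, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 4 8.8.8.8"},
    # variant: timeout as the sleep primitive, quoted full path, /f flag
    {"pid": 6100, "ppid": 1234, "image": r"C:\Users\Admin\Downloads\update.exe",
     "cmdline": r'"C:\Users\Admin\Downloads\update.exe"'},
    {"pid": 6200, "ppid": 6100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c timeout /t 5 & del /f "C:\Users\Admin\Downloads\update.exe"'},
    # delayed delete of something other than the parent: flagged, but not a self-delete
    {"pid": 7300, "ppid": 1234, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping 127.0.0.1 & del C:\Temp\log.txt"},
]

# "ping <host>" (optionally with -n <count>) or "timeout [/t] <seconds>" used as a sleep.
SLEEP_RE = re.compile(
    r"\b(?:ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?\S+|timeout(?:\.exe)?\s+(?:/t\s+)?\d+)", re.I)
# "del"/"erase", optional switches, then the target up to the next operator or end of line.
DEL_RE = re.compile(r'\b(?:del|erase)\b\s+(?:/[a-z]\s+)*"?([^"&|]+?)"?\s*(?:[&|]|$)', re.I)


def find_delayed_deletes(events):
    """Flag cmd.exe /c|/k lines that pair a sleep primitive with a del, and mark
    the finding as a self-delete when the deleted file is the parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        cmd = e["cmdline"]
        if not re.search(r"\s/[ck]\s", cmd, re.I):
            continue
        sleep = SLEEP_RE.search(cmd)
        delete = DEL_RE.search(cmd)
        if not (sleep and delete):
            continue
        target = ntpath.basename(delete.group(1).strip()).lower()
        parent = by_pid.get(e["ppid"])
        parent_name = ntpath.basename(parent["image"]).lower() if parent else None
        findings.append({
            "pid": e["pid"],
            "ppid": e["ppid"],
            "sleep_primitive": sleep.group(0).split()[0].lower(),
            "deleted": target,
            "self_delete": parent_name is not None and target == parent_name,
        })
    return findings


if __name__ == "__main__":
    for f in find_delayed_deletes(EVENTS):
        print(f)
```

Comparing basenames rather than full paths is deliberate: as the report's own line shows, the del argument is often just the file name, resolved against the working directory the dropper inherited.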

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • System Information Discovery (T1082): 1
  • Remote System Discovery (T1018): 1


Downloads

  • memory/2344-1-0x0000000000000000-mapping.dmp
  • memory/4000-0-0x0000000000000000-mapping.dmp