fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb

General

Target: fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb
Size: 157KB
Sample: 210209-36824yd1l2
Score: 10/10
MD5: 85cd7c6931b44a14f4899dfd0039e8b4
SHA1: 5822f65dec879ba585112976a632b2c4435abf90
SHA256: fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb
SHA512: 9a8173eb7f08c1c9e2c9b66b2866c08a5e97bc16ceb3644a55cc9da17dec1b9941f0e30c23994952d31b3b60911d13e7cc20810ecada35cdca4bff72ccad5a15

Malware Config

Extracted

Path: C:\Documents and Settings\read_me_lkd.txt

Ransom Note:
Hello dear user. Your files have been encrypted. -- What does it mean?! Content of your files have been modified. Without special key you can't undo that operation. -- How to get special key? If you want to get it, you must pay us some money and we will help you. We will give you special decryption program and instructions. -- Ok, how i can pay you? 1) Download TOR browser, if you don't know how to do it you can google it. 2) Open this website in tor browser: http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/d87c3f9baf85b2e9ab2a824bb78868294e19992e2e26b54f248abfa73c42a7c0 3) Follow instructions in chat.

URLs:
http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/d87c3f9baf85b2e9ab2a824bb78868294e19992e2e26b54f248abfa73c42a7c0

Signatures

  • HelloKitty Ransomware

    Description: Ransomware family active since late 2020; in early 2021 a variant compromised the CD Projekt Red game studio.

  • Modifies extensions of user files

    Description: Ransomware generally changes the extension on encrypted files.

  • Enumerates physical storage devices

    Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs: System Information Discovery

Tasks

  • static1
  • behavioral1: 10/10
  • behavioral2: 10/10