Analysis
- Max time kernel: 81s
- Max time network: 80s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 27-02-2021 10:30
- Static task: static1
- Behavioral task: behavioral1 (sample: HelloKitty.bin.exe, resource: win7v20201028)
- Behavioral task: behavioral2 (sample: HelloKitty.bin.exe, resource: win10v20201028)
General
- Target: HelloKitty.bin.exe
- Size: 179KB
- MD5: 06ce6cd8bde756265f95fcf4eecadbe9
- SHA1: bacf50b20f1cf2165ac96535aeac36b49c8a8677
- SHA256: 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0
- SHA512: b13677539da247707e7016c56aaba889826648b3050428974aca6d109d7fa88d7e610a61214ddee06f1fa09c287ade6f71182b999955c6d3674d5701b0f89326
Malware Config
Extracted
- Path: C:\MSOCache\read_me_lkdtt.txt
- URL: http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/02f6af250649555ea1b65f20fd9e815b23ba7d84829b93e6d8dbdb10f82c5af4
Signatures
- HelloKitty Ransomware
  Ransomware family that has been active since late 2020; in early 2021 a variant compromised the CD Projekt Red game studio.
- Modifies extensions of user files (13 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: HelloKitty.bin.exe
  File renamed: C:\Users\Admin\Pictures\RepairStep.crw => C:\Users\Admin\Pictures\RepairStep.crw.crypted (HelloKitty.bin.exe)
  File renamed: C:\Users\Admin\Pictures\SetSearch.tif => C:\Users\Admin\Pictures\SetSearch.tif.crypted (HelloKitty.bin.exe)
  File renamed: C:\Users\Admin\Pictures\PublishWrite.tif => C:\Users\Admin\Pictures\PublishWrite.tif.crypted (HelloKitty.bin.exe)
  File renamed: C:\Users\Admin\Pictures\UnblockWrite.crw => C:\Users\Admin\Pictures\UnblockWrite.crw.crypted (HelloKitty.bin.exe)
  File opened for modification: C:\Users\Admin\Pictures\SendRedo.tiff (HelloKitty.bin.exe)
  File opened for modification: C:\Users\Admin\Pictures\UnpublishUnregister.tiff (HelloKitty.bin.exe)
  File renamed: C:\Users\Admin\Pictures\HideEdit.tif => C:\Users\Admin\Pictures\HideEdit.tif.crypted (HelloKitty.bin.exe)
  File renamed: C:\Users\Admin\Pictures\SearchInitialize.crw => C:\Users\Admin\Pictures\SearchInitialize.crw.crypted (HelloKitty.bin.exe)
  File renamed: C:\Users\Admin\Pictures\SendRedo.tiff => C:\Users\Admin\Pictures\SendRedo.tiff.crypted (HelloKitty.bin.exe)
  File renamed: C:\Users\Admin\Pictures\StepPush.tiff => C:\Users\Admin\Pictures\StepPush.tiff.crypted (HelloKitty.bin.exe)
  File renamed: C:\Users\Admin\Pictures\UnpublishUnregister.tiff => C:\Users\Admin\Pictures\UnpublishUnregister.tiff.crypted (HelloKitty.bin.exe)
  File renamed: C:\Users\Admin\Pictures\DismountDebug.raw => C:\Users\Admin\Pictures\DismountDebug.raw.crypted (HelloKitty.bin.exe)
  File opened for modification: C:\Users\Admin\Pictures\StepPush.tiff (HelloKitty.bin.exe)
- Deletes itself (1 IoC)
  Processes: cmd.exe
  PID 1904: cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  Token SeBackupPrivilege: PID 1640 (vssvc.exe)
  Token SeRestorePrivilege: PID 1640 (vssvc.exe)
  Token SeAuditPrivilege: PID 1640 (vssvc.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: HelloKitty.bin.exe, cmd.exe
  PID 1100 (HelloKitty.bin.exe) wrote to memory of PID 1904 (cmd.exe): reported 4 times
  PID 1904 (cmd.exe) wrote to memory of PID 1080 (PING.EXE): reported 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\HelloKitty.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HelloKitty.bin.exe"
  Signatures: Modifies extensions of user files; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del HelloKitty.bin.exe
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Downloads
- memory/1080-4-0x0000000000000000-mapping.dmp
- memory/1100-2-0x00000000760C1000-0x00000000760C3000-memory.dmp (8KB)
- memory/1460-5-0x000007FEFB991000-0x000007FEFB993000-memory.dmp (8KB)
- memory/1460-6-0x0000000002840000-0x0000000002841000-memory.dmp (4KB)
- memory/1764-8-0x00000000027E0000-0x00000000027E1000-memory.dmp (4KB)
- memory/1904-3-0x0000000000000000-mapping.dmp