hellokitty | 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0

Reason

Machine shutdown

General

Target

HelloKitty.bin.exe
Size

179KB
MD5

06ce6cd8bde756265f95fcf4eecadbe9
SHA1

bacf50b20f1cf2165ac96535aeac36b49c8a8677
SHA256

9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0
SHA512

b13677539da247707e7016c56aaba889826648b3050428974aca6d109d7fa88d7e610a61214ddee06f1fa09c287ade6f71182b999955c6d3674d5701b0f89326

Score

10^/10

hellokitty bootkit ransomware

Malware Config

Extracted

Path

C:\odt\read_me_lkdtt.txt

Ransom Note

Hello dear user. Your files have been encrypted. -- What does it mean?! Content of your files have been modified. Without special key you can't undo that operation. -- How to get special key? If you want to get it, you must pay us some money and we will help you. We will give you special decryption program and instructions. -- Ok, how i can pay you? 1) Download TOR browser, if you don't know how to do it you can google it. 2) Open this website in tor browser: http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/02f6af250649555ea1b65f20fd9e815b23ba7d84829b93e6d8dbdb10f82c5af4 3) Follow instructions in chat.

URLs

http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/02f6af250649555ea1b65f20fd9e815b23ba7d84829b93e6d8dbdb10f82c5af4

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

HelloKitty.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EnableWait.crw => C:\Users\Admin\Pictures\EnableWait.crw.crypted	HelloKitty.bin.exe
File renamed	C:\Users\Admin\Pictures\RequestTest.raw => C:\Users\Admin\Pictures\RequestTest.raw.crypted	HelloKitty.bin.exe
File renamed	C:\Users\Admin\Pictures\SubmitCopy.crw => C:\Users\Admin\Pictures\SubmitCopy.crw.crypted	HelloKitty.bin.exe
File renamed	C:\Users\Admin\Pictures\SwitchProtect.png => C:\Users\Admin\Pictures\SwitchProtect.png.crypted	HelloKitty.bin.exe
File opened for modification	C:\Users\Admin\Pictures\BackupMeasure.tiff	HelloKitty.bin.exe
File renamed	C:\Users\Admin\Pictures\BackupMeasure.tiff => C:\Users\Admin\Pictures\BackupMeasure.tiff.crypted	HelloKitty.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3028 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HelloKitty.bin.exe

pid process

812 HelloKitty.bin.exe
812 HelloKitty.bin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3204 vssvc.exe
Token: SeRestorePrivilege 3204 vssvc.exe
Token: SeAuditPrivilege 3204 vssvc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LogonUI.exe

pid process

1112 LogonUI.exe
1112 LogonUI.exe

pid	process
3028	PING.EXE

pid	process
812	HelloKitty.bin.exe
812	HelloKitty.bin.exe

description	pid	process
Token: SeBackupPrivilege	3204	vssvc.exe
Token: SeRestorePrivilege	3204	vssvc.exe
Token: SeAuditPrivilege	3204	vssvc.exe

pid	process
1112	LogonUI.exe
1112	LogonUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

HelloKitty.bin.execmd.exe

description	pid	process	target process
PID 812 wrote to memory of 2108	812	HelloKitty.bin.exe	cmd.exe
PID 812 wrote to memory of 2108	812	HelloKitty.bin.exe	cmd.exe
PID 812 wrote to memory of 2108	812	HelloKitty.bin.exe	cmd.exe
PID 2108 wrote to memory of 3028	2108	cmd.exe	PING.EXE
PID 2108 wrote to memory of 3028	2108	cmd.exe	PING.EXE
PID 2108 wrote to memory of 3028	2108	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\HelloKitty.bin.exe
"C:\Users\Admin\AppData\Local\Temp\HelloKitty.bin.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del HelloKitty.bin.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad5055 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1112