Analysis
- max time kernel: 77s
- max time network: 77s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 27-02-2021 10:30
Static task: static1
Behavioral task: behavioral1
  Sample: HelloKitty.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: HelloKitty.bin.exe
  Resource: win10v20201028
General
- Target: HelloKitty.bin.exe
- Size: 179KB
- MD5: 06ce6cd8bde756265f95fcf4eecadbe9
- SHA1: bacf50b20f1cf2165ac96535aeac36b49c8a8677
- SHA256: 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0
- SHA512: b13677539da247707e7016c56aaba889826648b3050428974aca6d109d7fa88d7e610a61214ddee06f1fa09c287ade6f71182b999955c6d3674d5701b0f89326
Malware Config
Extracted
C:\odt\read_me_lkdtt.txt
http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/02f6af250649555ea1b65f20fd9e815b23ba7d84829b93e6d8dbdb10f82c5af4
Signatures
-
HelloKitty Ransomware
Ransomware family active since late 2020; in early 2021 a variant compromised the CD Projekt Red game studio.
-
Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoC)
Enables rebooting of the machine without requiring login credentials.
Processes:
LogonUI.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked (LogonUI.exe)
-
Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
HelloKitty.bin.exe
  - File renamed: C:\Users\Admin\Pictures\EnableWait.crw => C:\Users\Admin\Pictures\EnableWait.crw.crypted (HelloKitty.bin.exe)
  - File renamed: C:\Users\Admin\Pictures\RequestTest.raw => C:\Users\Admin\Pictures\RequestTest.raw.crypted (HelloKitty.bin.exe)
  - File renamed: C:\Users\Admin\Pictures\SubmitCopy.crw => C:\Users\Admin\Pictures\SubmitCopy.crw.crypted (HelloKitty.bin.exe)
  - File renamed: C:\Users\Admin\Pictures\SwitchProtect.png => C:\Users\Admin\Pictures\SwitchProtect.png.crypted (HelloKitty.bin.exe)
  - File opened for modification: C:\Users\Admin\Pictures\BackupMeasure.tiff (HelloKitty.bin.exe)
  - File renamed: C:\Users\Admin\Pictures\BackupMeasure.tiff => C:\Users\Admin\Pictures\BackupMeasure.tiff.crypted (HelloKitty.bin.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS (15 IoCs)
Processes:
LogonUI.exe
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" (LogonUI.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
HelloKitty.bin.exe
  - PID 812: HelloKitty.bin.exe
  - PID 812: HelloKitty.bin.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
vssvc.exe
  - Token: SeBackupPrivilege (PID 3204, vssvc.exe)
  - Token: SeRestorePrivilege (PID 3204, vssvc.exe)
  - Token: SeAuditPrivilege (PID 3204, vssvc.exe)
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
LogonUI.exe
  - PID 1112: LogonUI.exe
  - PID 1112: LogonUI.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
HelloKitty.bin.exe, cmd.exe
  - PID 812 wrote to memory of 2108 (HelloKitty.bin.exe -> cmd.exe)
  - PID 812 wrote to memory of 2108 (HelloKitty.bin.exe -> cmd.exe)
  - PID 812 wrote to memory of 2108 (HelloKitty.bin.exe -> cmd.exe)
  - PID 2108 wrote to memory of 3028 (cmd.exe -> PING.EXE)
  - PID 2108 wrote to memory of 3028 (cmd.exe -> PING.EXE)
  - PID 2108 wrote to memory of 3028 (cmd.exe -> PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\HelloKitty.bin.exe (depth 1)
  Command: "C:\Users\Admin\AppData\Local\Temp\HelloKitty.bin.exe"
  - Modifies extensions of user files
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del HelloKitty.bin.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\vssvc.exe (depth 1)
  Command: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (depth 1)
  Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\LogonUI.exe (depth 1)
  Command: "LogonUI.exe" /flags:0x0 /state0:0xa3ad5055 /state1:0x41c64e6d
  - Modifies WinLogon to allow AutoLogon
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx