Analysis
- max time kernel: 33s
- max time network: 50s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 12:58
Static task: static1
Behavioral task: behavioral1
- Sample: 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe
- Resource: win10v20210410
General
- Target: 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe
- Size: 179KB
- MD5: 06ce6cd8bde756265f95fcf4eecadbe9
- SHA1: bacf50b20f1cf2165ac96535aeac36b49c8a8677
- SHA256: 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0
- SHA512: b13677539da247707e7016c56aaba889826648b3050428974aca6d109d7fa88d7e610a61214ddee06f1fa09c287ade6f71182b999955c6d3674d5701b0f89326
Malware Config
Extracted:
- C:\MSOCache\read_me_lkdtt.txt
- http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/02f6af250649555ea1b65f20fd9e815b23ba7d84829b93e6d8dbdb10f82c5af4
Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CD Projekt Red game studio.

Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe
All of the following file events were recorded for process 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe:
- File renamed: C:\Users\Admin\Pictures\ClearAssert.tif => C:\Users\Admin\Pictures\ClearAssert.tif.crypted
- File renamed: C:\Users\Admin\Pictures\ConnectUnprotect.tif => C:\Users\Admin\Pictures\ConnectUnprotect.tif.crypted
- File renamed: C:\Users\Admin\Pictures\ConvertUninstall.tiff => C:\Users\Admin\Pictures\ConvertUninstall.tiff.crypted
- File renamed: C:\Users\Admin\Pictures\OpenAdd.raw => C:\Users\Admin\Pictures\OpenAdd.raw.crypted
- File renamed: C:\Users\Admin\Pictures\RenameSearch.png => C:\Users\Admin\Pictures\RenameSearch.png.crypted
- File opened for modification: C:\Users\Admin\Pictures\ConvertUninstall.tiff
- File renamed: C:\Users\Admin\Pictures\CheckpointRestart.crw => C:\Users\Admin\Pictures\CheckpointRestart.crw.crypted
Deletes itself (1 IoCs)
Processes: cmd.exe
- PID 1628 cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: vssvc.exe, AUDIODG.EXE
- Token: SeBackupPrivilege, PID 1692 vssvc.exe
- Token: SeRestorePrivilege, PID 1692 vssvc.exe
- Token: SeAuditPrivilege, PID 1692 vssvc.exe
- Token: 33, PID 1112 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 1112 AUDIODG.EXE
- Token: 33, PID 1112 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 1112 AUDIODG.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe, cmd.exe
- PID 332 (9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe) wrote to memory of PID 1628 (cmd.exe)
- PID 332 (9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe) wrote to memory of PID 1628 (cmd.exe)
- PID 332 (9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe) wrote to memory of PID 1628 (cmd.exe)
- PID 332 (9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe) wrote to memory of PID 1628 (cmd.exe)
- PID 1628 (cmd.exe) wrote to memory of PID 1596 (PING.EXE)
- PID 1628 (cmd.exe) wrote to memory of PID 1596 (PING.EXE)
- PID 1628 (cmd.exe) wrote to memory of PID 1596 (PING.EXE)
- PID 1628 (cmd.exe) wrote to memory of PID 1596 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe"
  Signatures: Modifies extensions of user files; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0.sample.exe
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x49c
  Signatures: Suspicious use of AdjustPrivilegeToken