Analysis
- max time kernel: 37s
- max time network: 41s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 12:58
Static task: static1
Behavioral task: behavioral1
- Sample: c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
- Resource: win10v20210410
General
- Target: c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
- Size: 179KB
- MD5: 8e4a887acab5f9475c5fa9a26fb9e720
- SHA1: 3294a12a583d2634f6e3d1232052dfe0cd51a44a
- SHA256: c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e
- SHA512: 56978ab3cb8172239da8742ebe41ef099bb9e1b58e23956a82bf495d7cc94c00a6067ecff5c441c2e9654abfe928ae5a81b57e19f3a80ac945a7780f92b39ff3
Malware Config
Extracted:
- Ransom note: C:\MSOCache\read_me_lkdtt.txt
- URL: http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/030492044ded20e85096d439f92bc1d1f02d647c189459977d1e43aca3090a69
Signatures
- HelloKitty Ransomware
  Ransomware family which has been active since late 2020; in early 2021 a variant compromised the CD Projekt Red game studio.
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\UpdateStart.tif => C:\Users\Admin\Pictures\UpdateStart.tif.crypted | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File renamed | C:\Users\Admin\Pictures\WatchConvert.tiff => C:\Users\Admin\Pictures\WatchConvert.tiff.crypted | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File opened for modification | C:\Users\Admin\Pictures\ApproveExport.tiff | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File renamed | C:\Users\Admin\Pictures\ApproveExport.tiff => C:\Users\Admin\Pictures\ApproveExport.tiff.crypted | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File renamed | C:\Users\Admin\Pictures\BlockRevoke.crw => C:\Users\Admin\Pictures\BlockRevoke.crw.crypted | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File opened for modification | C:\Users\Admin\Pictures\WatchConvert.tiff | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File renamed | C:\Users\Admin\Pictures\EnableReset.tif => C:\Users\Admin\Pictures\EnableReset.tif.crypted | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File renamed | C:\Users\Admin\Pictures\GetSkip.raw => C:\Users\Admin\Pictures\GetSkip.raw.crypted | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File renamed | C:\Users\Admin\Pictures\BackupClose.crw => C:\Users\Admin\Pictures\BackupClose.crw.crypted | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid | process
  1768 | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: vssvc.exe, AUDIODG.EXE
  description | pid | process
  Token: SeBackupPrivilege | 1540 | vssvc.exe
  Token: SeRestorePrivilege | 1540 | vssvc.exe
  Token: SeAuditPrivilege | 1540 | vssvc.exe
  Token: 33 | 692 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 692 | AUDIODG.EXE
  Token: 33 | 692 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 692 | AUDIODG.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe, cmd.exe
  description | pid | process | target process
  PID 1088 wrote to memory of 1768 | 1088 | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe | cmd.exe
  PID 1088 wrote to memory of 1768 | 1088 | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe | cmd.exe
  PID 1088 wrote to memory of 1768 | 1088 | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe | cmd.exe
  PID 1088 wrote to memory of 1768 | 1088 | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe | cmd.exe
  PID 1768 wrote to memory of 1588 | 1768 | cmd.exe | PING.EXE
  PID 1768 wrote to memory of 1588 | 1768 | cmd.exe | PING.EXE
  PID 1768 wrote to memory of 1588 | 1768 | cmd.exe | PING.EXE
  PID 1768 wrote to memory of 1588 | 1768 | cmd.exe | PING.EXE
Processes (process tree; child processes indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe"
  Signatures: Modifies extensions of user files; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x1cc
  Signatures: Suspicious use of AdjustPrivilegeToken