Analysis
max time kernel: 16s
max time network: 125s
platform: windows10_x64
resource: win10v20210410
submitted: 26-07-2021 12:58
Static task: static1
Behavioral task: behavioral1
Sample: c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
Resource: win7v20210408
Behavioral task: behavioral2
Sample: c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
Resource: win10v20210410
General
Target: c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
Size: 179KB
MD5: 8e4a887acab5f9475c5fa9a26fb9e720
SHA1: 3294a12a583d2634f6e3d1232052dfe0cd51a44a
SHA256: c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e
SHA512: 56978ab3cb8172239da8742ebe41ef099bb9e1b58e23956a82bf495d7cc94c00a6067ecff5c441c2e9654abfe928ae5a81b57e19f3a80ac945a7780f92b39ff3
Malware Config
Extracted from: C:\odt\read_me_lkdtt.txt
http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/030492044ded20e85096d439f92bc1d1f02d647c189459977d1e43aca3090a69
Signatures
- HelloKitty Ransomware
  Ransomware family which has been active since late 2020; in early 2021 a variant compromised the CD Projekt Red game studio.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\SaveRequest.raw => C:\Users\Admin\Pictures\SaveRequest.raw.crypted | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File renamed | C:\Users\Admin\Pictures\StartUninstall.tiff => C:\Users\Admin\Pictures\StartUninstall.tiff.crypted | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File renamed | C:\Users\Admin\Pictures\MountEdit.tif => C:\Users\Admin\Pictures\MountEdit.tif.crypted | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File opened for modification | C:\Users\Admin\Pictures\StartUninstall.tiff | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File renamed | C:\Users\Admin\Pictures\ConvertFromUpdate.raw => C:\Users\Admin\Pictures\ConvertFromUpdate.raw.crypted | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  File renamed | C:\Users\Admin\Pictures\MountRead.tif => C:\Users\Admin\Pictures\MountRead.tif.crypted | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  3968 | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  3968 | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeBackupPrivilege | 2592 | vssvc.exe
  Token: SeRestorePrivilege | 2592 | vssvc.exe
  Token: SeAuditPrivilege | 2592 | vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 3968 wrote to memory of 2732 | 3968 | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe | cmd.exe
  PID 3968 wrote to memory of 2732 | 3968 | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe | cmd.exe
  PID 3968 wrote to memory of 2732 | 3968 | c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe | cmd.exe
  PID 2732 wrote to memory of 3784 | 2732 | cmd.exe | PING.EXE
  PID 2732 wrote to memory of 3784 | 2732 | cmd.exe | PING.EXE
  PID 2732 wrote to memory of 3784 | 2732 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe"
  - Modifies extensions of user files
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken