Analysis

  • max time kernel
    16s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-07-2021 12:58

General

  • Target

    c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe

  • Size

    179KB

  • MD5

    8e4a887acab5f9475c5fa9a26fb9e720

  • SHA1

    3294a12a583d2634f6e3d1232052dfe0cd51a44a

  • SHA256

    c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e

  • SHA512

    56978ab3cb8172239da8742ebe41ef099bb9e1b58e23956a82bf495d7cc94c00a6067ecff5c441c2e9654abfe928ae5a81b57e19f3a80ac945a7780f92b39ff3

Score
10/10

Malware Config

Extracted

Path

C:\odt\read_me_lkdtt.txt

Ransom Note
Hello dear user. Your files have been encrypted. -- What does it mean?! Content of your files have been modified. Without special key you can't undo that operation. -- How to get special key? If you want to get it, you must pay us some money and we will help you. We will give you special decryption program and instructions. -- Ok, how i can pay you? 1) Download TOR browser, if you don't know how to do it you can google it. 2) Open this website in tor browser: http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/030492044ded20e85096d439f92bc1d1f02d647c189459977d1e43aca3090a69 3) Follow instructions in chat.
URLs

http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/030492044ded20e85096d439f92bc1d1f02d647c189459977d1e43aca3090a69

Signatures

  • HelloKitty Ransomware

    Ransomware family active since late 2020; in early 2021 a variant was used in the intrusion at the game studio CD Projekt Red.

  • Modifies extensions of user files (6 IoCs)

    Ransomware generally changes the extension of the files it encrypts.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:3784
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2592
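The tree above shows the classic self-deletion chain: the sample (PID 3968) spawns cmd.exe with `ping 127.0.0.1 & del <own filename>`, using the loopback ping as a short sleep so the parent has exited and released its file lock before `del` runs. Two details are worth noting for triage: the cmd.exe and PING.EXE images resolve under SysWOW64 although the command line names System32, which is WoW64 file-system redirection and tells you the sample is a 32-bit binary; and vssvc.exe (the Volume Shadow Copy service) starting with a privilege-token adjustment in the same run is consistent with shadow-copy tampering, although this report does not show the call that started it. The following is an added detection example written for this page, not code from the sandbox or the malware author. It runs over constructed process-creation records (Sysmon Event ID 1 style fields, modelled on the PIDs and command lines above, plus one benign admin ping as noise) and flags a cmd.exe that sleeps via loopback ping and then deletes its own parent's executable; the field names and the benign records are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed process-creation records (Sysmon Event ID 1 style fields), modelled on the
# process tree in this report. They are not real telemetry from the sandbox run.
SAMPLE = "c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e.sample.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS: List[Dict] = [
    {"pid": 3968, "ppid": 1200, "image": TEMP_DIR + "\\" + SAMPLE,
     "cmdline": '"' + TEMP_DIR + "\\" + SAMPLE + '"'},
    {"pid": 2732, "ppid": 3968, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del ' + SAMPLE},
    {"pid": 3784, "ppid": 2732, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign noise that a loose "cmd spawns ping" rule would flag: an admin pinging a host.
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping 10.0.0.5 -n 4'},
    {"pid": 4104, "ppid": 4100, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 10.0.0.5 -n 4"},
]

# "ping <loopback>" used purely as a sleep: the target is 127.0.0.1, localhost or ::1.
PING_LOOPBACK = re.compile(r"\bping(?:\.exe)?\b[^&|]*?(?:127\.0\.0\.1|localhost|::1)\b", re.I)
# A delete command and its first non-switch argument (quoted paths allowed).
DELETE_CMD = re.compile(r'\b(?:del|erase)\b\s+(?:/\w+\s+)*(?P<target>"[^"]+"|[^\s"&|]+)', re.I)


def basename(path: str) -> str:
    """Last component of a backslash-separated Windows path, case preserved."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image basenames from `pid` up to the highest ancestor we hold a record for."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def self_delete_findings(events: List[Dict]) -> List[Dict]:
    """Flag cmd.exe instances that sleep via loopback ping and then delete their own parent."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]).lower() != "cmd.exe":
            continue
        cmd = e["cmdline"]
        if not PING_LOOPBACK.search(cmd):
            continue
        m = DELETE_CMD.search(cmd)
        if not m:
            continue
        target = basename(m.group("target").strip('"'))
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        # The sample passes a bare filename to del and relies on cmd.exe inheriting its
        # working directory, so compare basenames rather than full paths.
        if target.lower() == basename(parent["image"]).lower():
            findings.append({
                "cmd_pid": e["pid"],
                "parent_pid": parent["pid"],
                "parent_image": parent["image"],
                "target": target,
                "chain": ancestry(events, e["pid"]),
            })
    return findings


if __name__ == "__main__":
    for f in self_delete_findings(EVENTS):
        print(f"self-delete: PID {f['parent_pid']} ({basename(f['parent_image'])}) via cmd PID {f['cmd_pid']}")
        print("  chain:", " <- ".join(f["chain"]))
```

The rule deliberately requires all three elements (cmd.exe, loopback ping, a delete whose target matches the parent image) so that routine `ping` use from a shell does not fire it. Its obvious blind spots are the other sleep primitives that achieve the same effect (`timeout /t`, `waitfor`, or a dropped batch file), so in production pair it with a file-deletion source such as Sysmon Event ID 23/26 on the original executable path.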

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • System Information Discovery (T1082): 1
    • Remote System Discovery (T1018): 1

Downloads

  • memory/2732-114-0x0000000000000000-mapping.dmp
  • memory/3784-115-0x0000000000000000-mapping.dmp