Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-09-2024 15:29

General

  • Target

    a022e86b2bb3ed6b4a8676be8b1688397b6e15c693e69c5093d8eb04396d2905.exe

  • Size

    473KB

  • MD5

    a169a146571b908a412ba8482adee8f1

  • SHA1

    47cd550be7567b8ff091fff32cd0d7c3c0e4f7d2

  • SHA256

    a022e86b2bb3ed6b4a8676be8b1688397b6e15c693e69c5093d8eb04396d2905

  • SHA512

    03e7df0b082efedf5eeca67c9333fe3ad404a66ed33a13f5105cb0774f18351fff3f30860dedd3640e8e66123fdb5a430d33ddb2c92e5ef1d268fe806d6d3999

  • SSDEEP

    1536:heTmjxb5QIul2hD/S8+5hFg2NRrlSYDLGRxHwEEaY4qr6leWvebuFD0MCu7sWZc:19b45hmjqGR2l/mlHaMwGkHJhqDLcCl

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\read_me_lkdtt.txt

Ransom Note
Hello CEMIG! All your fileservers, HyperV infrastructure and backups have been encrypted! Trying to decrypt or modify the files with programs other than our decryptor can lead to permanent loss of data! The only way to recover your files is by cooperating with us. To prove our seriousness, we can decrypt 1 non-critical file for free as proof. We have over 10 TB data of your private files, databases, personal data... etc, you have 24 hours to contact us, another way we publish this information in public channels, and this site will be unavailable. -- Contact with us by method below 1) Open this website in TOR browser: http://x6gjpqs4jjvgpfvhghdz2dk7be34emyzluimticj5s5fexf4wa65ngad.onion/0c04b15081595448821e25e8dd07423d9927fa54cd56d8797ea4d1315a682692 2) Follow instructions in chat.
URLs

http://x6gjpqs4jjvgpfvhghdz2dk7be34emyzluimticj5s5fexf4wa65ngad.onion/0c04b15081595448821e25e8dd07423d9927fa54cd56d8797ea4d1315a682692

Signatures

  • HelloKitty Ransomware

    Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.

  • Renames multiple (175) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a022e86b2bb3ed6b4a8676be8b1688397b6e15c693e69c5093d8eb04396d2905.exe
    "C:\Users\Admin\AppData\Local\Temp\a022e86b2bb3ed6b4a8676be8b1688397b6e15c693e69c5093d8eb04396d2905.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    PID:3992
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Contacts\read_me_lkdtt.txt

    Filesize

    1KB

    MD5

    039d96e315e46c95b340887c1376d31a

    SHA1

    e4c03b1f13710f9888bbd554ffef8ec2f5bc438e

    SHA256

    e9f4ecd100413d581c14bed13ad22c9448035b0a04bacaafdf9a50edf5546c68

    SHA512

    cbe6929c548fc8d5650b67bab0c6effcd1cf95e0f472db4628dedd1a3920ad5a985bfdfcc6a19975529e8e3dbbfa8d36ed41548fd999c119110a00e9695526da