hellokitty | 1144d0448fefe26f5b9db7e7a7522c9a46eded3a603daa903052373cecc92b27

Analysis

max time kernel
103s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1144d0448fefe26f5b9db7e7a7522c9a46eded3a603daa903052373cecc92b27.exe
Size

188KB
MD5

db804c3f55c5d09dace40c76c99cab52
SHA1

e170f46854f3ccda006528b14ff09ecf5756cf5e
SHA256

1144d0448fefe26f5b9db7e7a7522c9a46eded3a603daa903052373cecc92b27
SHA512

dc3775844855ce5a8436cdcde4a2f03bd0dac73ed5ac89ab94e2bdc5f1891ea347a6a89db7224e6522ac58ba61e0e9efba1695e23828eeb65853a336553e1a47
SSDEEP

3072:Z0bRbeSCuF7PXuwFyoJ+mKTrZYzXlEmS6ZCHOoSnEYXosMM:Z2FeSCulPXuwIoWT9YlhD4dM

Score

10^/10

hellokitty discovery ransomware

Malware Config

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty
Hellokitty family
hellokitty
Renames multiple (180) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	1144d0448fefe26f5b9db7e7a7522c9a46eded3a603daa903052373cecc92b27.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	1144d0448fefe26f5b9db7e7a7522c9a46eded3a603daa903052373cecc92b27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1144d0448fefe26f5b9db7e7a7522c9a46eded3a603daa903052373cecc92b27.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2936	cmd.exe
4752	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4752	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	216	vssvc.exe
Token: SeRestorePrivilege	216	vssvc.exe
Token: SeAuditPrivilege	216	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2936	4164	1144d0448fefe26f5b9db7e7a7522c9a46eded3a603daa903052373cecc92b27.exe	100
PID 4164 wrote to memory of 2936	4164	1144d0448fefe26f5b9db7e7a7522c9a46eded3a603daa903052373cecc92b27.exe	100
PID 4164 wrote to memory of 2936	4164	1144d0448fefe26f5b9db7e7a7522c9a46eded3a603daa903052373cecc92b27.exe	100
PID 2936 wrote to memory of 4752	2936	cmd.exe	102
PID 2936 wrote to memory of 4752	2936	cmd.exe	102
PID 2936 wrote to memory of 4752	2936	cmd.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1144d0448fefe26f5b9db7e7a7522c9a46eded3a603daa903052373cecc92b27.exe
"C:\Users\Admin\AppData\Local\Temp\1144d0448fefe26f5b9db7e7a7522c9a46eded3a603daa903052373cecc92b27.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del 1144d0448fefe26f5b9db7e7a7522c9a46eded3a603daa903052373cecc92b27.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:216

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\read_me_lkdtt.txt

Filesize
1KB

MD5
10c06898c1a8ee37c2eb262d5c477335

SHA1
363bbdda4afd09205a6434fd690a38b5758ff062

SHA256
97109718795f688bdeaec143eff588df1f053c5f1be69fdfd953c8751132fd3f

SHA512
0efbc79d3b684af74b85744cd390ac1bac2cca018f859447f686c83106590150d11e55f0e1bfba6b7e86b683659c3a0f4da49331dca8a0bf022fd7ed5e942b74

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads