Analysis
- max time kernel: 39s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 26-03-2023 06:59

Behavioral task: behavioral1
- Sample: Akira_NEWEST.exe
- Resource: win7-20230220-en (windows7-x64)
- 6 signatures
- 150 seconds
General
- Target: Akira_NEWEST.exe
- Size: 5.1MB
- MD5: 47feab24e4a7a088fcac9a7067cbf318
- SHA1: bbe0dcbe7eb3d0fa19b4afb5edff51b7066ec45d
- SHA256: 53285fb142e48bd1a568509c8997067370ac4578b3c92d8c3bc75ecdebc2915f
- SHA512: 6b3b0e289d06839cfd32327dfa1795368601a789c3dc2a0db9f0cce01001a28a584d5c26ce4e46e9002626a1f3ba318e038578e86f00cff489956aace8b419aa
- SSDEEP: 98304:KxNeg5VPsVXSfJHbM+A+PoudLZ1uRhkuoxa4kReiX2+jli:TgTZhHbFddNZ1kroxacUbBi
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Akira_NEWEST.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Akira_NEWEST.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Akira_NEWEST.exe
  Processes:
  resource | yara_rule
  behavioral1/memory/1064-54-0x000000013FDD0000-0x0000000140975000-memory.dmp | themida
  behavioral1/memory/1064-55-0x000000013FDD0000-0x0000000140975000-memory.dmp | themida
  behavioral1/memory/1064-56-0x000000013FDD0000-0x0000000140975000-memory.dmp | themida
  behavioral1/memory/1064-57-0x000000013FDD0000-0x0000000140975000-memory.dmp | themida
  behavioral1/memory/1064-59-0x000000013FDD0000-0x0000000140975000-memory.dmp | themida
  behavioral1/memory/1064-58-0x000000013FDD0000-0x0000000140975000-memory.dmp | themida
  behavioral1/memory/1064-60-0x000000013FDD0000-0x0000000140975000-memory.dmp | themida
  behavioral1/memory/1064-61-0x000000013FDD0000-0x0000000140975000-memory.dmp | themida
  behavioral1/memory/1064-62-0x000000013FDD0000-0x0000000140975000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Akira_NEWEST.exe
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  968 | 1064 | WerFault.exe | Akira_NEWEST.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description | pid | process | target process
  PID 1064 wrote to memory of 272 | 1064 | Akira_NEWEST.exe | cmd.exe
  PID 1064 wrote to memory of 272 | 1064 | Akira_NEWEST.exe | cmd.exe
  PID 1064 wrote to memory of 272 | 1064 | Akira_NEWEST.exe | cmd.exe
  PID 272 wrote to memory of 1996 | 272 | cmd.exe | certutil.exe
  PID 272 wrote to memory of 1996 | 272 | cmd.exe | certutil.exe
  PID 272 wrote to memory of 1996 | 272 | cmd.exe | certutil.exe
  PID 272 wrote to memory of 1288 | 272 | cmd.exe | find.exe
  PID 272 wrote to memory of 1288 | 272 | cmd.exe | find.exe
  PID 272 wrote to memory of 1288 | 272 | cmd.exe | find.exe
  PID 272 wrote to memory of 300 | 272 | cmd.exe | find.exe
  PID 272 wrote to memory of 300 | 272 | cmd.exe | find.exe
  PID 272 wrote to memory of 300 | 272 | cmd.exe | find.exe
  PID 1064 wrote to memory of 968 | 1064 | Akira_NEWEST.exe | WerFault.exe
  PID 1064 wrote to memory of 968 | 1064 | Akira_NEWEST.exe | WerFault.exe
  PID 1064 wrote to memory of 968 | 1064 | Akira_NEWEST.exe | WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\Akira_NEWEST.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Akira_NEWEST.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Akira_NEWEST.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\certutil.exe
         command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Akira_NEWEST.exe" MD5
      3. C:\Windows\system32\find.exe
         command line: find /i /v "md5"
      3. C:\Windows\system32\find.exe
         command line: find /i /v "certutil"
   2. C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 1064 -s 480
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1064-54-0x000000013FDD0000-0x0000000140975000-memory.dmp (filesize 11.6MB)
- memory/1064-55-0x000000013FDD0000-0x0000000140975000-memory.dmp (filesize 11.6MB)
- memory/1064-56-0x000000013FDD0000-0x0000000140975000-memory.dmp (filesize 11.6MB)
- memory/1064-57-0x000000013FDD0000-0x0000000140975000-memory.dmp (filesize 11.6MB)
- memory/1064-59-0x000000013FDD0000-0x0000000140975000-memory.dmp (filesize 11.6MB)
- memory/1064-58-0x000000013FDD0000-0x0000000140975000-memory.dmp (filesize 11.6MB)
- memory/1064-60-0x000000013FDD0000-0x0000000140975000-memory.dmp (filesize 11.6MB)
- memory/1064-61-0x000000013FDD0000-0x0000000140975000-memory.dmp (filesize 11.6MB)
- memory/1064-62-0x000000013FDD0000-0x0000000140975000-memory.dmp (filesize 11.6MB)