53285fb142e48bd1a568509c8997067370ac4578b3c92d8c3bc75ecdebc2915f

General

Target

Akira_NEWEST.exe
Size

5.1MB
MD5

47feab24e4a7a088fcac9a7067cbf318
SHA1

bbe0dcbe7eb3d0fa19b4afb5edff51b7066ec45d
SHA256

53285fb142e48bd1a568509c8997067370ac4578b3c92d8c3bc75ecdebc2915f
SHA512

6b3b0e289d06839cfd32327dfa1795368601a789c3dc2a0db9f0cce01001a28a584d5c26ce4e46e9002626a1f3ba318e038578e86f00cff489956aace8b419aa
SSDEEP

98304:KxNeg5VPsVXSfJHbM+A+PoudLZ1uRhkuoxa4kReiX2+jli:TgTZhHbFddNZ1kroxacUbBi

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Akira_NEWEST.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Akira_NEWEST.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Akira_NEWEST.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Akira_NEWEST.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Akira_NEWEST.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Akira_NEWEST.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1064-54-0x000000013FDD0000-0x0000000140975000-memory.dmp	themida
behavioral1/memory/1064-55-0x000000013FDD0000-0x0000000140975000-memory.dmp	themida
behavioral1/memory/1064-56-0x000000013FDD0000-0x0000000140975000-memory.dmp	themida
behavioral1/memory/1064-57-0x000000013FDD0000-0x0000000140975000-memory.dmp	themida
behavioral1/memory/1064-59-0x000000013FDD0000-0x0000000140975000-memory.dmp	themida
behavioral1/memory/1064-58-0x000000013FDD0000-0x0000000140975000-memory.dmp	themida
behavioral1/memory/1064-60-0x000000013FDD0000-0x0000000140975000-memory.dmp	themida
behavioral1/memory/1064-61-0x000000013FDD0000-0x0000000140975000-memory.dmp	themida
behavioral1/memory/1064-62-0x000000013FDD0000-0x0000000140975000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Akira_NEWEST.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Akira_NEWEST.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

968 1064 WerFault.exe Akira_NEWEST.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Akira_NEWEST.exe

pid	pid_target	process	target process
968	1064	WerFault.exe	Akira_NEWEST.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Akira_NEWEST.execmd.exe

description	pid	process	target process
PID 1064 wrote to memory of 272	1064	Akira_NEWEST.exe	cmd.exe
PID 1064 wrote to memory of 272	1064	Akira_NEWEST.exe	cmd.exe
PID 1064 wrote to memory of 272	1064	Akira_NEWEST.exe	cmd.exe
PID 272 wrote to memory of 1996	272	cmd.exe	certutil.exe
PID 272 wrote to memory of 1996	272	cmd.exe	certutil.exe
PID 272 wrote to memory of 1996	272	cmd.exe	certutil.exe
PID 272 wrote to memory of 1288	272	cmd.exe	find.exe
PID 272 wrote to memory of 1288	272	cmd.exe	find.exe
PID 272 wrote to memory of 1288	272	cmd.exe	find.exe
PID 272 wrote to memory of 300	272	cmd.exe	find.exe
PID 272 wrote to memory of 300	272	cmd.exe	find.exe
PID 272 wrote to memory of 300	272	cmd.exe	find.exe
PID 1064 wrote to memory of 968	1064	Akira_NEWEST.exe	WerFault.exe
PID 1064 wrote to memory of 968	1064	Akira_NEWEST.exe	WerFault.exe
PID 1064 wrote to memory of 968	1064	Akira_NEWEST.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Akira_NEWEST.exe
"C:\Users\Admin\AppData\Local\Temp\Akira_NEWEST.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Akira_NEWEST.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Akira_NEWEST.exe" MD5
3⤵
PID:1996

C:\Windows\system32\find.exe
find /i /v "md5"
3⤵
PID:1288

C:\Windows\system32\find.exe
find /i /v "certutil"
3⤵
PID:300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1064 -s 480
2⤵
- Program crash
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1064-54-0x000000013FDD0000-0x0000000140975000-memory.dmp

Filesize
11.6MB

Download
memory/1064-55-0x000000013FDD0000-0x0000000140975000-memory.dmp

Filesize
11.6MB

Download
memory/1064-56-0x000000013FDD0000-0x0000000140975000-memory.dmp

Filesize
11.6MB

Download
memory/1064-57-0x000000013FDD0000-0x0000000140975000-memory.dmp

Filesize
11.6MB

Download
memory/1064-59-0x000000013FDD0000-0x0000000140975000-memory.dmp

Filesize
11.6MB

Download
memory/1064-58-0x000000013FDD0000-0x0000000140975000-memory.dmp

Filesize
11.6MB

Download
memory/1064-60-0x000000013FDD0000-0x0000000140975000-memory.dmp

Filesize
11.6MB

Download
memory/1064-61-0x000000013FDD0000-0x0000000140975000-memory.dmp

Filesize
11.6MB

Download
memory/1064-62-0x000000013FDD0000-0x0000000140975000-memory.dmp

Filesize
11.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads