Overview

overview

10

Static

static

3

Device/Har...sf.exe

windows7-x64

10

Device/Har...sf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    188s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    17/05/2023, 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Device/HarddiskVolume2/PerfLogs/sf.exe

  • Size

    572KB

  • MD5

    abe06e90aeb9e69647efe1431f6a1a68

  • SHA1

    42c864d9e21ef8539b28e105932a365a145ba1dc

  • SHA256

    5c62626731856fb5e669473b39ac3deb0052b32981863f8cf697ae01c80512e5

  • SHA512

    36859bf2732ef40a917492e14aed1f3e818afe8334094d37b18eebd4a0d861ec401fe14de303ea7f8ca2d6f941f041ca7d591a048a200c7d98078cce88a08eff

  • SSDEEP

    6144:PvkQV0yspOdsQp8ecldEWuc9bPu1Y2GRxqTQXh2ikXdPLovfyT5QohoKhFlQ4on:nkQSysOJErU1cqMrkXWyT5QoOX

Score
10/10
ransomwarespywarestealer

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Renames multiple (8528) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 47 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\PerfLogs\sf.exe
    "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\PerfLogs\sf.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1148
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
    1⤵
    • Process spawned unexpected child process
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:676
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1764
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x54c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:568

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\akira_readme.txt
    Filesize

    2KB

    MD5

    9422b212d00490a1ce1b1983ddad68fb

    SHA1

    990f072cb8834265773a41c836d5721d3686029f

    SHA256

    6f517fe12d942c4397fe7a8ef50e339afff362f6a7c10d2216d5984c35604661

    SHA512

    df04489a939b361a3bfb51f73edbf77a94f559699adbaada84e7a5c4a9211a60864f1ce2a621e85a4852f9e187ced7ad39f412b7d16b6dd23de201f043160800

    Download Submit

  • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.akira
    Filesize

    28KB

    MD5

    066017ec78a83d5292acfbab0121c987

    SHA1

    4a8b86a5d68362cfe107d980c90a03c0b46cf6ca

    SHA256

    839b1a9e4bcf89d560b29e58d49bb000a3c0de2d5a04e9f04dd7e4a716c7380c

    SHA512

    0a3bc7e59534d417cdc8985e932c9ae2d39ed6c7104739b2acaf019aaf004577c3b9efcdd74c58ca5976382ba3e1af52671ad8625a414ffeea3ff56085a984aa

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.akira
    Filesize

    875B

    MD5

    232e55ddd4218663ab62be44cfe34f3e

    SHA1

    edd392f308287b9029f22dd03a8feeeac036a6d5

    SHA256

    ece6a44270dee4c0517df065d75fae790c18b46579e0e91ca534705290350665

    SHA512

    c1186fcb531056a227d68a384f546aca9a5b463364a074ee5d4e29db3a44246950ec03e96bfa49bc6234e6fef480d4dcb6ca932d9723bd60ee86eaf045a42212

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.akira
    Filesize

    756B

    MD5

    9a61254cc41d712628d5bb31aad1fe67

    SHA1

    dc7198a33e9d475867db3191909ecfe2304a8ba3

    SHA256

    8762ffb259bb113579ec798bc9bd3a911d8b9d7f4f24ea8b17916fe9220bc920

    SHA512

    d4e57835cae7d869e395b6f873f9cc199c28624f4d8680dd0904f9dbc84fdd1053f28dce82bd9756e1414d8926fe9dea0637671913e5ea3e3f2ed52716a8e152

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.akira
    Filesize

    648B

    MD5

    e9dc456c2937702096704e8af5fcc413

    SHA1

    833fd33125530fa20c981b223dda9c9b3ae230f6

    SHA256

    4bc167b836581860435fb708125bdafc9d77460fdde5423d3baad50473a38167

    SHA512

    127286a4e91c059be0d7af173efaee0411bc9adb161ffae70e10c9aa76814c686d3e797dc97c57358b796899e68a06510a66eb6b71091b01faf31c2828aeef69

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.akira
    Filesize

    647B

    MD5

    e1949a031f0a5d97bb85539b97da44d5

    SHA1

    a00035f263a2af8e88ccb2ca421d751c5f1b4e71

    SHA256

    19cfc930c9b6a63c90b615910851b3ce30210d7ef7efcb02b61801035a1b8b52

    SHA512

    8fe8bc3e60b310888d32d59335e846d8cfa2b60b86d405e805f46ce10ee38f05c5898ae1a83209ec546980a942e7d2b6be979b444b6509bfc71c27aea4eac2e8

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.akira
    Filesize

    719B

    MD5

    faae8714fa3a8c7d6104845fb8d980c4

    SHA1

    a38deb928d0585fb8d003d6308ffd5624f0870f7

    SHA256

    d776dae3940b073b647b2117aa59cd5a10f07fc2e9b1eb3dbd4c05df3033da29

    SHA512

    6855cdabf7df20772701c0a4643e37472ab28b92f81bc9923026335be08fe91642383dd87aa1e7535ba7cd20232e5a6ef0668ff0a959c51d78fdcae967148657

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.akira
    Filesize

    1KB

    MD5

    e73a3710bf6038f0a7948b69bd400cee

    SHA1

    73aaeaf4948e766ab84ef0a1c72718c569da076b

    SHA256

    8c59c92b28d80b748aead2a22d4c1cd1f667ad15964fda1324cc60f67656753f

    SHA512

    fb4dd661d1e5706b8658794a85d5e25e2ec4e759cb7651a7be354a808d18b1fc7bc381e44515c1086bac22a28365c86cda23d3f3790617be7309df54062f6b74

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.akira
    Filesize

    1KB

    MD5

    7c6b10802b4eaa845eeaf193b6df7034

    SHA1

    ba8c56b89c98b60b0ac76f1f0e079beb34cd87ae

    SHA256

    5b1f290e3c0610d781b757d90c88a06c565b7286fc84cbea92ef57f4e6abc6ae

    SHA512

    0767b97794a73c2fd52e091f5118978eeccfc329778f910455dff07966838a7d2bddff610ab6d556304c1efbe369bd59d007d0bad47b75309d18df1032dc7ad2

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.akira
    Filesize

    1KB

    MD5

    0213a57342c2e00969d4ddc4c75306e3

    SHA1

    12c862d4a1db9382fa8118f4ae0f5cfff2c3e9fd

    SHA256

    9d00b2e5157df184796f5e35b93bf052d37160dd040a428ca8e7ea569eb6bf6d

    SHA512

    a8ae3d644478195cababccba8d26005af5fc0ed1b5c4a2edcb08f8ea1ecfa5d0a8848e41a44354b670c2f47d32229add04dfb1d11684a70d82c3544a5c167b17

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.akira
    Filesize

    12KB

    MD5

    386afa9f8653e637827709cf60252d63

    SHA1

    40cd8d84e3095e3e165339b34a800b06272aded1

    SHA256

    801a5b47f00fad2eb50b633518963d60aa981042dd209b763dd37c0bcbc72ee2

    SHA512

    9ef016f5c2d51bcb14e408eb108f842c5cc646ef11d9bf1b3507087d01dd377f0ddbd67482c5fa3dec26fee629cf7703e9f295913f38844767e6d65bca6cef6e

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.akira
    Filesize

    9KB

    MD5

    f850f0bc13b6acd22c5c4efadfa6301d

    SHA1

    3760c10ed3af13982e104615b3a2e762400dec93

    SHA256

    bb256b7dc9afe11c8a795113eae4e454f273e23621275344545790914453652e

    SHA512

    6fa68bc1b4db2f96bc6cda065e1e2e2002e0787ad36e75f6edf926ccdcc4dd0fbaa8e70cbcdd5190ae87b7ddc597ff35a4784fd322048d9e948f9b3cf578d042

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.akira
    Filesize

    591B

    MD5

    a893cf9a8174fbcb8f98e4a16690fe51

    SHA1

    d5034a9df5f151085346b4dc94665d4507e79535

    SHA256

    fee7beaa11d21d4e27da7caa25af00532fd2771e4b9c92f1872e6fac61ed677c

    SHA512

    41b166339cd9f75004dc3c8fa35b788b12925e997283e7a2600b962d5502c742cec530a49b8576529d4d50719405c83fb4642b731ec07e9b8ef8e8f82390a4db

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.akira
    Filesize

    8KB

    MD5

    53b0d5a220d4444c1125303310f05d6e

    SHA1

    c3400f30ca77754c694956c9264aa86300bf1f52

    SHA256

    9d06a0a8c4d884741d22b18e52b8997c4ed11a72ab51ff44c3fb8a57001f7799

    SHA512

    dbed30fd26b7e163e52965238062b4342c5dca4a93d0b9b719a7d202e4df2bc09de40b95c2ea4d4a18a75963c39cd14336053b776de13b0632c3d211ab12c2c4

    Download Submit

  • C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.akira
    Filesize

    687B

    MD5

    2760f6eb78565a07c9dc2cdc48a08fd8

    SHA1

    0e7bc0fdf6c2d0c1955710b33c482a32c0dca1a7

    SHA256

    5db1a6b8217965742cb9ada635eeb637440ea87e96263690ce90d14fe86034a1

    SHA512

    c7f1b861d60792d16bd7510874414e8073012373f65677b7b8213320d26dbffbf8d61e4219eb824ae627cadbefbea65344739f574854001b2ee498ab19452352

    Download Submit

  • C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.akira
    Filesize

    561B

    MD5

    2364ab3318849afb4ee46593e70552f0

    SHA1

    dc49dc22533028f0f34bddf7fec23c10fa5189fa

    SHA256

    5ac73b5307877b2266b9f9f33302c34d91e2e7913704230b06cbac6ab68c9a03

    SHA512

    5c6ffbb2756820b0db3606d56c3832f70caddea4ec5ebb74b808f79465529c3e56b50169d312e34f5379a71e51ab2bc21aff8de66d92bf1621693b4ccd9cffb9

    Download Submit

  • C:\Program Files\Java\jre7\lib\zi\Etc\GMT.akira
    Filesize

    561B

    MD5

    0dcffe49072236d76323832bb18877eb

    SHA1

    f7ee9448ff85f136858622e43980ec9b6c925566

    SHA256

    f7ff503be805e1cdbdcc98d80673863244eed94bfeb90d0d3e0a6cb19c6aa77f

    SHA512

    4d56d182fc877ab3f20861a6a11e50b287bdebb2e1750b75287c8e175dc2a993c45fa3bad70be618e35c247e006affb06492f05d94eba092f4a95593e5339f44

    Download Submit

  • C:\Program Files\Java\jre7\lib\zi\HST.akira
    Filesize

    561B

    MD5

    80ceb6609f702e9914489cc4ad636bb2

    SHA1

    d412e23e2e47e9b80f8c47c94b757684e60547cf

    SHA256

    4b43fb251ee399430dad0f18392020d40bc9eb4ad50f43460ee05c871471e661

    SHA512

    6a080839fc0d220bb964d50f856f94058be5696876bd9d47b14fc1a15f5344a906502640a27100635e707b201e7e8f32c8f3151320d46118db6da35c13e3d08b

    Download Submit

  • C:\Program Files\Java\jre7\lib\zi\MST.akira
    Filesize

    561B

    MD5

    028cc5011abe680e1c8e2ff46360262a

    SHA1

    b727eb22df3c87d7a8cfa0a77c0e4187c6b6b390

    SHA256

    4a0954a1d17007717ff30f50f1bbfb958c73c2ebf355e0f8d968538b4c3e9155

    SHA512

    60f990aa13067eb9864a5a584c7b06569ea6d1ee5e6039115b536fc6d818ee558a903d3565c9ff33f5f858017d9ed453547ab40c08ba8f1c744f1acddda7d5b2

    Download Submit

  • C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo.akira
    Filesize

    665KB

    MD5

    271613be55002936dd217c62f3981f87

    SHA1

    152cce21c29636b21e87286661daaec4e60e324f

    SHA256

    62d75eb5fb45bf20872cf2f37a7efdade298735b306ee48b48be20670fe72680

    SHA512

    2bf51c12c8459e5ce7acb66d190c7d99b392dd6f0162921860aa01a78c2fd90f6a0740022b4c4430b71748b5150f795b76528761fda09c24cfcff0c409156636

    Download Submit

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT.akira
    Filesize

    550B

    MD5

    c42a3ec8056681e87aca6afb65cbadb7

    SHA1

    55f84163454fd87333bf3d4419d6d55218047025

    SHA256

    ab17021586c1f151d4fde600c676a792c091f71c83e02a5eeba3b0b7670ac65e

    SHA512

    9b6a38aa76b01d48174de370cb245f505bcc6b486457cffa1717df8275bf1f53f5faee8b334312bfc5409b490111d182397f780fdb046e6276252f19f155790f

    Download Submit

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000002.akira
    Filesize

    584B

    MD5

    77e9953ed83aca6c0bc1d51d4423bf8d

    SHA1

    0f78af60a8de42394a4121a155e70758d80e93ee

    SHA256

    8757dd1cc7ba820a1b5ec2d5064f0719a59132e08a95140092edbd40d71b58a6

    SHA512

    963c82013d08897e032992167c30113bfc4a7528994d07fbfb04086d3b665a340cda8f8b0f3369f4c3a391b876d8188bb3db3a5e9cb5310ce07a8b9e6fae8042

    Download Submit

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2.akira
    Filesize

    8KB

    MD5

    750b8a91e371a31a594c134497d5ea7d

    SHA1

    2b78d24724974eeb6659dbf925ef2d78632aafd7

    SHA256

    75586baa9f6edca9fdb20ba1b6eb262b40e032c58ac84d4aade7971c9ccdeb63

    SHA512

    47e540acc415041484ebe4d03c7c682f1631e2be0ee39f47f4b429b8dc3e510e393133892ce97b4f860cb573ec686a664a79ccf00102680522b1d24f08d80227

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XS6M157B\desktop.ini.akira
    Filesize

    601B

    MD5

    53f1fd2495d39e0fda9e81592430bfae

    SHA1

    ba12ec23f2a5fba09e57b1e0b3fec8f6d96bc2bf

    SHA256

    f45c3a804ca3d8dc2504ea94672c6595484784aa3b8d5fc5c5d13d55fcbcc510

    SHA512

    cdfb29300359481de4e6708be47f4f107b00e2659ccbae63bfe22a38cef932095465e528c10f67d0688eaa54fd1c5bff980092bb18d132f96682ae508b2e1675

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms.akira
    Filesize

    28KB

    MD5

    d5292e6358459f2503fc3a8774f8dcba

    SHA1

    ba7843b04984724cd1e8887d30e6d342f597ba5e

    SHA256

    7c5f4a1fb6e6fba195a2818d1a793576b4d5774fb5c7852b8a6c2f4bf00c1568

    SHA512

    31e6973b6214ea6cfab99372157cef19901345b13db7c587b8df76dceb14ff5f283c10570a8636b6bd52b18350bd5cfe7109ae942f585ee4ae6592791f09be28

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r2jq9p33.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.akira
    Filesize

    48KB

    MD5

    76421d6d7d8cfc647dc6a0631384b94e

    SHA1

    701fc6b66dd99d8df57aa088974fc265b48758e3

    SHA256

    073d9923356337af360667d6141e8ff381d860c55c6cac18c7a4688727568a28

    SHA512

    8c7371e7420f35177862c6bce2793dc70602e8500d51a9b51c2104d08108f1f23240ec4fb7c3127fbd3464f13826c4e1670e2b1ffa866b805ca2649c9ccaf434

    Download Submit

  • memory/676-58-0x000000001B040000-0x000000001B322000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/676-59-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

    Download

  • memory/676-60-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

    Download

  • memory/676-61-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

    Download

  • memory/676-62-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

    Download