63b24a2fbe28c375ca03f45592b7dcbfdfed9262f1ad51efb6bd544429a885d0

General

Target

Akrien premium 4.0.exe
Size

4.3MB
MD5

58d82461f610bf5234c28a1a67cbd123
SHA1

6aac74dd950ee1a9b14adaabb1fea942fc921ac9
SHA256

63b24a2fbe28c375ca03f45592b7dcbfdfed9262f1ad51efb6bd544429a885d0
SHA512

52d9f2daa360f7e84bc764092076d50216687f6c4c22afd3e3017188f1cb3ab2eafce76b968cd1f6feb412639277cf3439fe613647cdffa216dfa30bf0580ef2
SSDEEP

49152:g/5tJDBRnrQkbB1CjaorTkjf5O5rihkRbxdkkYgpX6tkWuiZMh5WEWkwwTMj:ab6SROk7AOkwZ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Akrien premium 4.0.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{28C55659-19DB-4FCD-8481-A3BFDEF7844F}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3604	484	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
484	Akrien premium 4.0.exe
484	Akrien premium 4.0.exe
484	Akrien premium 4.0.exe
484	Akrien premium 4.0.exe
484	Akrien premium 4.0.exe
484	Akrien premium 4.0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4176	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Akrien premium 4.0.exe
"C:\Users\Admin\AppData\Local\Temp\Akrien premium 4.0.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:484
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 484 -s 1368
  2⤵
  - Program crash
  PID:3604

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 484 -ip 484
1⤵
PID:2392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3508

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsu9FCA.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
3cb5afc73bcea9616f2298a1e7e0bf67

SHA1
fb30003afaffb6ca3a983829732af7d145d06ffb

SHA256
de9eb730266be5eed70972476b9082c7553e6a9d07fb45a2a7c68748844b9821

SHA512
68fd467cdb0b5ebeb06b3ada329398e30d29716819c796194c92161ccdd0c1f58ff101e2ef73febbd6714570ff7c75a9f5fb76efebc395927dc220dfd040e8d9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
eccdc343a6f0edbb64738fded20f3a55

SHA1
943f15ed201a93199c25cd75a897457b33618b42

SHA256
198d3ba9529bd9ebb8733bb3adf13410112c71d23164918630677977e194398a

SHA512
3840349c13d9677f4eed1194001d557341291552c4e0ae9c30d791a2c7fea4989978edf85cd21fb604b71c9851c65ac4ccdded5f1040f1bc549beab14a940fdb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
7a29a1af3b3e9ef2c4f01fb47e5e5d9d

SHA1
87f3a4a74335bf054363ac7dbcd5bfc5828dbeab

SHA256
90aa32112d428b736d17f02e0c3ebdeed676fe411872292abe1c97e940cc6666

SHA512
e68096fc628c200947a7801db59f544ccd253d0bf2469aea62671518d868ea44b8ff26300a9477909248abd35b782c927d5cf87a5b00d58f3bb135d6106a125d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
33fc58601f225556ddc961ce6c376c84

SHA1
2c71fc39953c0ae3388e80c74353111f25edf5d9

SHA256
8b8b7fb0e682b94f61da826ca4ddb6b3bc6b24e1c16f3505531cf0a0a7f3be18

SHA512
8cb554dcdd827e9e37b2ed9ee2660f76dc7cd8423bbea6f11e6e650ec63db0716a50786e533f98da87ab4073a48419925f5485ce55ce9eb6bcfc1b8191bd9c1a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
3fbdb895c17147e7a3ac014e78b9ad99

SHA1
aa45ee34cd4b4ef6811036926bbff751e7f875e9

SHA256
5fdf84a278677f5913711c77c0145b0d5acf419093bfbc0ca472d6550a2a1855

SHA512
452f725ff3c3d093ebf91c2fac04c3a87a301e1407096cab57e027a2604b2ba57e0dd9f6766587fe88461ae59ffe1ef2b32c51ef4c3eb8577787017535f51485

Download Submit
memory/4176-382-0x0000018AF30B0000-0x0000018AF30C0000-memory.dmp

Filesize
64KB

Download
memory/4176-401-0x0000018AF31B0000-0x0000018AF31C0000-memory.dmp

Filesize
64KB

Download
memory/4176-417-0x0000018AFB520000-0x0000018AFB521000-memory.dmp

Filesize
4KB

Download
memory/4176-419-0x0000018AFB550000-0x0000018AFB551000-memory.dmp

Filesize
4KB

Download
memory/4176-420-0x0000018AFB550000-0x0000018AFB551000-memory.dmp

Filesize
4KB

Download
memory/4176-421-0x0000018AFB660000-0x0000018AFB661000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing