Analysis
-
max time kernel
106s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
05-01-2024 16:14
Behavioral task
behavioral1
Sample
Akrien premium 4.0.exe
Resource
win10v2004-20231215-en
General
-
Target
Akrien premium 4.0.exe
-
Size
4.3MB
-
MD5
58d82461f610bf5234c28a1a67cbd123
-
SHA1
6aac74dd950ee1a9b14adaabb1fea942fc921ac9
-
SHA256
63b24a2fbe28c375ca03f45592b7dcbfdfed9262f1ad51efb6bd544429a885d0
-
SHA512
52d9f2daa360f7e84bc764092076d50216687f6c4c22afd3e3017188f1cb3ab2eafce76b968cd1f6feb412639277cf3439fe613647cdffa216dfa30bf0580ef2
-
SSDEEP
49152:g/5tJDBRnrQkbB1CjaorTkjf5O5rihkRbxdkkYgpX6tkWuiZMh5WEWkwwTMj:ab6SROk7AOkwZ
Malware Config
Signatures
-
Luca Stealer
Info stealer written in Rust first seen in July 2022.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: Akrien premium 4.0.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 58 ip-api.com -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4364 Akrien premium 4.0.exe 4364 Akrien premium 4.0.exe 836 taskmgr.exe 836 taskmgr.exe 4364 Akrien premium 4.0.exe 4364 Akrien premium 4.0.exe 4364 Akrien premium 4.0.exe 4364 Akrien premium 4.0.exe 4364 Akrien premium 4.0.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 836 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 836 taskmgr.exe Token: SeSystemProfilePrivilege 836 taskmgr.exe Token: SeCreateGlobalPrivilege 836 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe 836 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Akrien premium 4.0.exe"C:\Users\Admin\AppData\Local\Temp\Akrien premium 4.0.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:4364
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:836
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22B
MD576cdb2bad9582d23c1f6f4d868218d6c
SHA1b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA2568739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA5125e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f