Overview
overview
10Static
static
10AKUMA/__py...10.pyc
windows7-x64
3AKUMA/__py...10.pyc
windows10-2004-x64
3AKUMA/__py...11.pyc
windows7-x64
3AKUMA/__py...11.pyc
windows10-2004-x64
3AKUMA/__py...12.pyc
windows7-x64
3AKUMA/__py...12.pyc
windows10-2004-x64
3AKUMA/__py...11.pyc
windows7-x64
3AKUMA/__py...11.pyc
windows10-2004-x64
3AKUMA/__py...10.pyc
windows7-x64
3AKUMA/__py...10.pyc
windows10-2004-x64
3AKUMA/__py...11.pyc
windows7-x64
3AKUMA/__py...11.pyc
windows10-2004-x64
3AKUMA/__py...12.pyc
windows7-x64
3AKUMA/__py...12.pyc
windows10-2004-x64
3AKUMA/__py...10.pyc
windows7-x64
3AKUMA/__py...10.pyc
windows10-2004-x64
3AKUMA/__py...10.pyc
windows7-x64
3AKUMA/__py...10.pyc
windows10-2004-x64
3AKUMA/__py...11.pyc
windows7-x64
3AKUMA/__py...11.pyc
windows10-2004-x64
3AKUMA/__py...12.pyc
windows7-x64
3AKUMA/__py...12.pyc
windows10-2004-x64
3AKUMA/f.l.e.a.t..exe
windows7-x64
10AKUMA/f.l.e.a.t..exe
windows10-2004-x64
10Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
21-06-2024 19:51
Behavioral task
behavioral1
Sample
AKUMA/__pycache__/banner.cpython-310.pyc
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
AKUMA/__pycache__/banner.cpython-310.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
AKUMA/__pycache__/banner.cpython-311.pyc
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
AKUMA/__pycache__/banner.cpython-311.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
AKUMA/__pycache__/banner.cpython-312.pyc
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
AKUMA/__pycache__/banner.cpython-312.pyc
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
AKUMA/__pycache__/ddos.cpython-311.pyc
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
AKUMA/__pycache__/ddos.cpython-311.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
AKUMA/__pycache__/deanon.cpython-310.pyc
Resource
win7-20240611-en
Behavioral task
behavioral10
Sample
AKUMA/__pycache__/deanon.cpython-310.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
AKUMA/__pycache__/deanon.cpython-311.pyc
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
AKUMA/__pycache__/deanon.cpython-311.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
AKUMA/__pycache__/deanon.cpython-312.pyc
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
AKUMA/__pycache__/deanon.cpython-312.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral15
Sample
AKUMA/__pycache__/get_ip.cpython-310.pyc
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
AKUMA/__pycache__/get_ip.cpython-310.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral17
Sample
AKUMA/__pycache__/mail.cpython-310.pyc
Resource
win7-20240419-en
Behavioral task
behavioral18
Sample
AKUMA/__pycache__/mail.cpython-310.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral19
Sample
AKUMA/__pycache__/mail.cpython-311.pyc
Resource
win7-20240611-en
Behavioral task
behavioral20
Sample
AKUMA/__pycache__/mail.cpython-311.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
AKUMA/__pycache__/mail.cpython-312.pyc
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
AKUMA/__pycache__/mail.cpython-312.pyc
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
AKUMA/f.l.e.a.t..exe
Resource
win7-20240611-en
General
-
Target
AKUMA/__pycache__/banner.cpython-311.pyc
-
Size
2KB
-
MD5
fa9e7570065300ba5fcf466458bcfe99
-
SHA1
bddfeb36f7eea22d68d5881846ead9ff2a3639da
-
SHA256
7c2668dc55f92609c5dbbd1256e43fb7b50cf8a14262aeb9fb853d0a61aa47af
-
SHA512
c5f4b5998f68e224a121a13779daf6a951bf6624212b5e3d3201a46701c69fce03243e061c861682d7d4be704042de9643b2eb78c7e0b2ad10be7134c69217fc
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pyc rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\ rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 1028 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 1028 AcroRd32.exe 1028 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2868 wrote to memory of 2624 2868 cmd.exe rundll32.exe PID 2868 wrote to memory of 2624 2868 cmd.exe rundll32.exe PID 2868 wrote to memory of 2624 2868 cmd.exe rundll32.exe PID 2624 wrote to memory of 1028 2624 rundll32.exe AcroRd32.exe PID 2624 wrote to memory of 1028 2624 rundll32.exe AcroRd32.exe PID 2624 wrote to memory of 1028 2624 rundll32.exe AcroRd32.exe PID 2624 wrote to memory of 1028 2624 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\AKUMA\__pycache__\banner.cpython-311.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AKUMA\__pycache__\banner.cpython-311.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\AKUMA\__pycache__\banner.cpython-311.pyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1028
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD5137197bd7a63a2df38a1bd1487270c9c
SHA1e57ee8f943f5ecfb6e2c987db59edfc7f16baa9d
SHA256870bfafa285ccfb913155d0aaa06116360ab4902cd114732af6972789b6775a4
SHA512ab237750bf0f474a86d1edf603c0274a76a4258c57a8c6e965a8ff9ee9ba1254b3a120137a9a0bbb5039fec51ae082ae40a712a38ab792b07ee68f2cc6158daf