7d317343ffac1b8811eb2f88ea4739083f68616a1032ef3aaa6342b3d79f0455

Resubmissions

04/07/2024, 06:16

240704-g1qtaa1ajb 7

04/07/2024, 06:12

240704-gymc3szhkg 7

04/07/2024, 06:04

240704-gspk9axgln 7

Analysis

max time kernel
48s
max time network
50s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 06:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Akrien_exe.exe
Size

7.7MB
MD5

83d1fec1d36ae907018f59de843cae9f
SHA1

377e21f001fa53e3cf1d5a1f8738442ba78721ab
SHA256

7d317343ffac1b8811eb2f88ea4739083f68616a1032ef3aaa6342b3d79f0455
SHA512

9134740fa8b52a91cd3c4f4d37aa97f05be362c2cff10f3fdb4ebb65de40121651c537efedaca262e733c5ea44d608ddd7cef867dcd1c28a1b8296de8e1464e7
SSDEEP

196608:5Nn0h+sp0v0k5bp62RwanCxjU5x+baJhgK70HfXkqVgur:X0h+sypbM2RwanCx45Y+H+JV

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 12 IoCs

pid	Process
1916	Akrien_exe.exe
1916	Akrien_exe.exe
1916	Akrien_exe.exe
1916	Akrien_exe.exe
1916	Akrien_exe.exe
1916	Akrien_exe.exe
1916	Akrien_exe.exe
1916	Akrien_exe.exe
1916	Akrien_exe.exe
1916	Akrien_exe.exe
1916	Akrien_exe.exe
1916	Akrien_exe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1916	Akrien_exe.exe
1916	Akrien_exe.exe

Detected Akrien Game Cheat
Akrien.wtf is a cheat program for a selection of online PC games.

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Akrien_exe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Akrien_exe.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1916	Akrien_exe.exe
1916	Akrien_exe.exe
1916	Akrien_exe.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2680	1916	Akrien_exe.exe	29
PID 1916 wrote to memory of 2680	1916	Akrien_exe.exe	29
PID 1916 wrote to memory of 2680	1916	Akrien_exe.exe	29
PID 1916 wrote to memory of 1952	1916	Akrien_exe.exe	31
PID 1916 wrote to memory of 1952	1916	Akrien_exe.exe	31
PID 1916 wrote to memory of 1952	1916	Akrien_exe.exe	31
PID 1916 wrote to memory of 780	1916	Akrien_exe.exe	32
PID 1916 wrote to memory of 780	1916	Akrien_exe.exe	32
PID 1916 wrote to memory of 780	1916	Akrien_exe.exe	32
PID 1916 wrote to memory of 1048	1916	Akrien_exe.exe	33
PID 1916 wrote to memory of 1048	1916	Akrien_exe.exe	33
PID 1916 wrote to memory of 1048	1916	Akrien_exe.exe	33
PID 1916 wrote to memory of 568	1916	Akrien_exe.exe	34
PID 1916 wrote to memory of 568	1916	Akrien_exe.exe	34
PID 1916 wrote to memory of 568	1916	Akrien_exe.exe	34

C:\Users\Admin\AppData\Local\Temp\Akrien_exe.exe
"C:\Users\Admin\AppData\Local\Temp\Akrien_exe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FY3LN490\assets[1].htm

Filesize
167B

MD5
0104c301c5e02bd6148b8703d19b3a73

SHA1
7436e0b4b1f8c222c38069890b75fa2baf9ca620

SHA256
446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

SHA512
84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B11.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1CCD.tmp

Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
\AkrienAntiLeak\java\bin\awt.dll

Filesize
1.4MB

MD5
8034610b3e92f99e739acc9a33725fa9

SHA1
94b0b8b4698b6b98483b5b655dca2dd4f77d50e2

SHA256
698841b130cb9b135f4111d09daaa6693aa9a8528adeadd08523374bc4047e36

SHA512
ba34813903d0c9abae0f9be1b1eb0b5581e9d0eb011d43adccb06f97cea063d9a5f81fc9e6ba239ab76d801224f0c3411c45a3eee62357b1610f282cecb887fa

Download Submit
\AkrienAntiLeak\java\bin\java.dll

Filesize
148KB

MD5
a516863257644db008e4170f56edd85d

SHA1
6f330cc533262de0e8715669630b9bec6830f5db

SHA256
575f3a3144f4b13347d859acbc9e5cc45bc5aeb20e93159066f4ddb7634f1df4

SHA512
ec59ec515a2c5ad6fec8b15cf5b6d9ae4bc18e869a6258aeb9dce4afc7c5ef1502b07d368ee90856d5e4489a0b70117e93db3d7164359a7dbf87f52c8ec80046

Download Submit
\AkrienAntiLeak\java\bin\management.dll

Filesize
30KB

MD5
35a75985bbcbda81ebdb4b846d9e81d8

SHA1
dd2304697c8494b90c6e1f455e3e69de27afc376

SHA256
5d086fbad6335425663a203b9aa3641b65d5c1ca0ceb1cd9e5e7851c036c7a19

SHA512
68dc557280b566b3b5aef3d7a2e438ba388d1178bf8fdfc79772be9e66318679072ac95d9366af1360f146d2cd746a4f8d8f4d93104fd5f14105aab5a5d3ab17

Download Submit
\AkrienAntiLeak\java\bin\msvcr100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\AkrienAntiLeak\java\bin\net.dll

Filesize
89KB

MD5
71d2ae9fe0d5d708797ff32652c1e50a

SHA1
aa753edeaee6ab15d489d467dd14ec31bc67594c

SHA256
e4a52e6011b0e5831c4048a3f3e5462bb15fe6ea874007652397e524c8293fb4

SHA512
8d4fcb38700bcbc10a5f2b684a4ea116d8435a6d3febe949608e5fd5a7b91d165ad934667498209201c39098f1f2e0ac2d23e7f809efba1d86685d40751b17e4

Download Submit
\AkrienAntiLeak\java\bin\nio.dll

Filesize
53KB

MD5
411e7b5bceaced72ddb7dc552ebd4ce1

SHA1
f6c54c95886d754045e633e720303998181c23f5

SHA256
13eb467938a6ac9d4cc5df46e0aa371604ee38d9c4652c8c6c22176bb4586078

SHA512
24cbf0e6b79284c8c279a5c9420e5f9ccef2dcde2d316ed44c7a96e7704bf8387309633cf89f6af859a380e1f67b3c740ac660ffb01e295fc7be1209c14449e5

Download Submit
\AkrienAntiLeak\java\bin\server\jvm.dll

Filesize
8.8MB

MD5
e11b672fab7e7a25f3c45d80980e915d

SHA1
4d733814c684295013ccf6bd7531414d7702908a

SHA256
0b560a12128eedaa374b60e1dad15900d07982bcbf5648485a4c253a44bf2570

SHA512
f1df78178e3a0fecead8cfa5d115aab607b8c2bbe405c7e99020bd0e3a83274d660c37436c4a29d76923e170cd577885c2747e90e65c2350ece66169644bfd17

Download Submit
\AkrienAntiLeak\java\bin\sunec.dll

Filesize
126KB

MD5
17dde0f1cbe235168ffd86bb819f1aaa

SHA1
ddb5ec92f786d143665a597d06fba89e9036dfd6

SHA256
209663ba3570359809d187864b835554e7c1d0f97ade41ed71d90c8ec9973dc4

SHA512
356f45a6ecde6fc86ae6401af967074b9e7124587e2dfef3957db3b08ca5b93cfe34c9150b55267b5dad1527006943afa9235914c7677098b63e40316c4fd4f5

Download Submit
\AkrienAntiLeak\java\bin\sunmscapi.dll

Filesize
26KB

MD5
5c17a6c12518e6a0d81c3bcec574f11a

SHA1
a366c13fe01c1aee3589c5f3b1a8155c5402c4dd

SHA256
9bbf13754b4e3f8a8fce93729170ad9587cfe40b9577e599eb75daaf73174983

SHA512
34b12b0614e955ef8217ec381858d0ec41854054b8fd4d529d660b251e06d3f9483c5240764d263ed673497bf2f3971dd659a6c2018136da2c0e23b2f293db2e

Download Submit
\AkrienAntiLeak\java\bin\verify.dll

Filesize
41KB

MD5
b3bdcdf717264334359b320a51c7b3f9

SHA1
3f4ab81565978c03e442c50e89537295e3afc545

SHA256
a179b80c32724970fb158e8a35b77c66d5e4532780bdd1a0b632562168486aef

SHA512
979cb4e5a89a10de793bf1b572ed20a7ce6cd48837cb89c325b99df9131f3dc568c7a7c052d7193de5bd110360a805f2d0052a8592d4ed2e09ddc934fc4254ef

Download Submit
\AkrienAntiLeak\java\bin\zip.dll

Filesize
70KB

MD5
65f9ddc334ce5ba48374cecd54cb6492

SHA1
592f5c22a24870140c10736f409f106ffb19e50f

SHA256
7a8ca42553987632c5b8a03cb6bb17ec43629505282af325ccb2c63783d37cad

SHA512
a7b67f5bf8d286882479587bb4ee8197228a5651ff8c521edb26e3029154ca28ccdb36ced08d6243cc950d8cb4cf0a5b6e875cf1460928b3e6ca47edd6fd4f15

Download Submit
\AkrienAntiLeak\libs\natives\lwjgl64.dll

Filesize
310KB

MD5
0b9fcfbd6d44e4d83605cc35171668c8

SHA1
f4013116d6750829851370ed19a9eaf8251ad6e1

SHA256
ebdcedbc3e24b911aacd7bb666ab426397ca7d7883a8d4e3cf28946041c95425

SHA512
e920e284f47f888d10cac45ec8775e58481f5a8c2316d3fa01ff1e7b1bb63c64d2d0850b2da8fd040727b969d3b3f9b85afbd86b6cbfaecca580b853a1499f59

Download Submit
memory/1916-2466-0x00000000778E0000-0x00000000778E2000-memory.dmp

Filesize
8KB

Download
memory/1916-2545-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1916-2463-0x00000000778D0000-0x00000000778D2000-memory.dmp

Filesize
8KB

Download
memory/1916-2465-0x00000000778D0000-0x00000000778D2000-memory.dmp

Filesize
8KB

Download
memory/1916-2471-0x00000000728D0000-0x0000000073CD6000-memory.dmp

Filesize
20.0MB

Download
memory/1916-15-0x0000000140000000-0x0000000141127000-memory.dmp

Filesize
17.2MB

Download
memory/1916-6-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/1916-0-0x0000000140442000-0x000000014097E000-memory.dmp

Filesize
5.2MB

Download
memory/1916-2491-0x0000000140000000-0x0000000141127000-memory.dmp

Filesize
17.2MB

Download
memory/1916-2470-0x00000000778E0000-0x00000000778E2000-memory.dmp

Filesize
8KB

Download
memory/1916-8-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/1916-2468-0x00000000778E0000-0x00000000778E2000-memory.dmp

Filesize
8KB

Download
memory/1916-238-0x0000000140000000-0x0000000141127000-memory.dmp

Filesize
17.2MB

Download
memory/1916-2461-0x00000000778D0000-0x00000000778D2000-memory.dmp

Filesize
8KB

Download
memory/1916-2460-0x0000000140000000-0x0000000141127000-memory.dmp

Filesize
17.2MB

Download
memory/1916-10-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/1916-2508-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1916-1-0x00000000778A0000-0x00000000778A2000-memory.dmp

Filesize
8KB

Download
memory/1916-2532-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1916-13-0x0000000140000000-0x0000000141127000-memory.dmp

Filesize
17.2MB

Download
memory/1916-2552-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1916-2603-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1916-3-0x00000000778A0000-0x00000000778A2000-memory.dmp

Filesize
8KB

Download
memory/1916-237-0x0000000140442000-0x000000014097E000-memory.dmp

Filesize
5.2MB

Download
memory/1916-5-0x00000000778A0000-0x00000000778A2000-memory.dmp

Filesize
8KB

Download
memory/1916-2652-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1916-2658-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1916-3171-0x0000000140442000-0x000000014097E000-memory.dmp

Filesize
5.2MB

Download
memory/1916-3172-0x0000000140000000-0x0000000141127000-memory.dmp

Filesize
17.2MB

Download