Analysis
max time kernel: 95s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-07-2024 12:03
Static task: static1
Behavioral task: behavioral1
Sample: win.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: win.exe
Resource: win10v2004-20240709-en
General
Target: win.exe
Size: 1005KB
MD5: 773fcd0432808e74bfb863489799dd05
SHA1: c8008c0d50ddf9757c2e11b11d94dae0c5307915
SHA256: 2bfe3fba2e94b1a4f8ae0ea767b64084390155bb4d57cc39e13c15b181f8d377
SHA512: 7714265c16c7bfd5786eb423583a3ab8f71daec5d6ace00d7613522aaa26b8fcea28c63bc294e99a84e8131896d6ca425abde4c354b2d78059fb5075b42adb45
SSDEEP: 12288:wbWIqB/A1gv9XQ7ZNlZDV3LEWI+Xx+uBW6y4qNmhE:wbyxv9XQ7B3oWI+XHW6y48
Malware Config
Extracted
C:\Program Files\7-Zip\akira_readme.txt
akira
https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion
https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion
Signatures
-
Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: powershell.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4732 | 620 | powershell.exe |
Renames multiple (8411) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs a PowerShell command to delete shadow copies.
-
Drops startup file 1 IoCs
Processes: win.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt | win.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 31 IoCs
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 4732 | powershell.exe
Token: SeBackupPrivilege | 4676 | vssvc.exe
Token: SeRestorePrivilege | 4676 | vssvc.exe
Token: SeAuditPrivilege | 4676 | vssvc.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\win.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\win.exe"
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Program Files\7-Zip\akira_readme.txt
Filesize: 2KB
MD5: a88c166459b4ea3be8cd01ceb6154444
SHA1: c7784fea209117fab94b1c6d6ac032ad52beb1d6
SHA256: 61c11e3aba48570c779457d1833c2c7c2a50048f80af59a81c1b9668ba32c13d
SHA512: c71e39364c909549a51fd1c48bc2adae9ee1573d0c37d3b89870b10e51e6a646e12fde5d290d9d700fb28b98652e48bb5aa72adee2b246e5142a169a182bbd0c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: 05c109cb855e74a49a383e54e5fbbc85
SHA1: 3ed5689a28ea30d900b3bb47a32bc4441a173186
SHA256: c5a9d496b4ecf07ba1d6daeb3064f13cba3d8f1b2f3bcd835dac09ef90874579
SHA512: 9f74a85de04d0a05151b12cbdebdcf5562d60026b4af94dd8a56f5abd1a42cca4acff9051f58fef5f1a58b5234c96bb0726288579b3cf697440bd30c5d34bbcb

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjsfa032.q5o.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4732-2-0x00007FF8D2070000-0x00007FF8D2265000-memory.dmp
Filesize: 2.0MB

memory/4732-1-0x00007FF8D2070000-0x00007FF8D2265000-memory.dmp
Filesize: 2.0MB

memory/4732-0-0x00007FF8D2070000-0x00007FF8D2265000-memory.dmp
Filesize: 2.0MB

memory/4732-3-0x0000023BDCC10000-0x0000023BDCC32000-memory.dmp
Filesize: 136KB

memory/4732-15-0x00007FF8D2070000-0x00007FF8D2265000-memory.dmp
Filesize: 2.0MB