Overview
overview
7Static
static
3AK-v1.3.4.exe
windows7-x64
7AK-v1.3.4.exe
windows10-2004-x64
7$FAVORITES...վ.url
windows7-x64
1$FAVORITES...վ.url
windows10-2004-x64
1$PLUGINSDI...se.dll
windows7-x64
3$PLUGINSDI...se.dll
windows10-2004-x64
3$PLUGINSDIR/Math.dll
windows7-x64
3$PLUGINSDIR/Math.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3360Inst.exe
windows7-x64
7360Inst.exe
windows10-2004-x64
7AK.exe
windows7-x64
3AK.exe
windows10-2004-x64
7AKRunXDll.dll
windows7-x64
3AKRunXDll.dll
windows10-2004-x64
3AK_Run.exe
windows7-x64
3AK_Run.exe
windows10-2004-x64
3Json.dll
windows7-x64
3Json.dll
windows10-2004-x64
3Launcher.exe
windows7-x64
3Launcher.exe
windows10-2004-x64
7NetTrans.dll
windows7-x64
3NetTrans.dll
windows10-2004-x64
3akanimation.dll
windows7-x64
3akanimation.dll
windows10-2004-x64
3akui.dll
windows7-x64
3akui.dll
windows10-2004-x64
3akxml.dll
windows7-x64
3akxml.dll
windows10-2004-x64
3Analysis
-
max time kernel
142s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
23/07/2024, 20:43
Static task
static1
Behavioral task
behavioral1
Sample
AK-v1.3.4.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral2
Sample
AK-v1.3.4.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$FAVORITES/AKٷվ.url
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
$FAVORITES/AKٷվ.url
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/CustomLicense.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/CustomLicense.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/Math.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/Math.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
360Inst.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral14
Sample
360Inst.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
AK.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral16
Sample
AK.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
AKRunXDll.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral18
Sample
AKRunXDll.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
AK_Run.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
AK_Run.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Json.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral22
Sample
Json.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Launcher.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
Launcher.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
NetTrans.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral26
Sample
NetTrans.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
akanimation.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral28
Sample
akanimation.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
akui.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral30
Sample
akui.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
akxml.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral32
Sample
akxml.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
General
-
Target
Launcher.exe
-
Size
62KB
-
MD5
c1e47eaa612074784e611a6d6071e41f
-
SHA1
d4bc79c7f2f50f7cfe301c9da699395789a4f25f
-
SHA256
c7e90a9fe50ecbeeba096af1dd8ed121357341e939ffb3df75e65ea196ad653b
-
SHA512
8ec3381c62c300c29b5e4e2779fbfa0867d0d6c8db442fd463cfacd8cfb7749f3174619306a9913e86ed9af470da9438e5057d7b5046fef6390ab9de800b9121
-
SSDEEP
768:k2UorZ0d7jAp2oBLZm7hcTLZm7hc6j7FbCz:kQrZMQXZ6mZ6Lj7NCz
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Launcher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ak_run.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9F3753B-655A-4182-8AA7-4B2FBCFBD5FC}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{309C7313-EE54-47F4-B8F6-CF0C6CF0B005}\TypeLib\Version = "1.0" AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AKRunXDll.AKCheck regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9EAB774-CB72-4EE8-9D3D-E19738C87C04}\TypeLib\ = "{0349F477-9F4E-4A98-AAD7-5CA12BAEE2F6}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AKRunXDll.AKCheck.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AKRunXDll.AKCheck\ = "AKCheck Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\My178SAnimation.AKAnimation.1\Insertable AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{309C7313-EE54-47F4-B8F6-CF0C6CF0B005}\ProxyStubClsid32 AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ak ak_run.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B341296-E404-4F8D-91F9-8CB059DFA35D}\ProxyStubClsid32 AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\My178SAnimation.AKAnimation\CurVer\ = "My178SAnimation.AKAnimation.1" AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9C12444B-30AC-409E-8B62-73FE07B34FD6}\1.0\0\win32 AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B341296-E404-4F8D-91F9-8CB059DFA35D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9EAB774-CB72-4EE8-9D3D-E19738C87C04} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9F3753B-655A-4182-8AA7-4B2FBCFBD5FC}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C78E24C9-69A5-4626-B698-B8B2C1A569CB}\ProgID\ = "My178SAnimation.AKAnimation.1" AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C78E24C9-69A5-4626-B698-B8B2C1A569CB}\MiscStatus\1 AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ak\URL Protocol ak_run.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B341296-E404-4F8D-91F9-8CB059DFA35D} AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B341296-E404-4F8D-91F9-8CB059DFA35D}\ = "_IAKAnimationEvents" AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9EAB774-CB72-4EE8-9D3D-E19738C87C04}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9C12444B-30AC-409E-8B62-73FE07B34FD6} AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9C12444B-30AC-409E-8B62-73FE07B34FD6}\1.0\FLAGS AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B341296-E404-4F8D-91F9-8CB059DFA35D} AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9C12444B-30AC-409E-8B62-73FE07B34FD6}\1.0\HELPDIR AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0349F477-9F4E-4A98-AAD7-5CA12BAEE2F6}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9F3753B-655A-4182-8AA7-4B2FBCFBD5FC}\TypeLib\ = "{0349F477-9F4E-4A98-AAD7-5CA12BAEE2F6}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ak\shell\open ak_run.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ak\shell\open\ ak_run.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9F3753B-655A-4182-8AA7-4B2FBCFBD5FC}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\178SAnimation.DLL AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C78E24C9-69A5-4626-B698-B8B2C1A569CB}\VersionIndependentProgID AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9C12444B-30AC-409E-8B62-73FE07B34FD6}\1.0\0 AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9EAB774-CB72-4EE8-9D3D-E19738C87C04}\VersionIndependentProgID\ = "AKRunXDll.AKCheck" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0349F477-9F4E-4A98-AAD7-5CA12BAEE2F6} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ak\shell\open\command ak_run.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AKRunXDll.AKCheck.1\ = "AKCheck Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9EAB774-CB72-4EE8-9D3D-E19738C87C04}\ProgID\ = "AKRunXDll.AKCheck.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\My178SAnimation.AKAnimation.1 AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B341296-E404-4F8D-91F9-8CB059DFA35D}\TypeLib\ = "{9C12444B-30AC-409E-8B62-73FE07B34FD6}" AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AKRunXDll.AKCheck.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ak\shell ak_run.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9EAB774-CB72-4EE8-9D3D-E19738C87C04}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\My178SAnimation.AKAnimation\CLSID AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C78E24C9-69A5-4626-B698-B8B2C1A569CB}\InprocServer32 AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C78E24C9-69A5-4626-B698-B8B2C1A569CB}\Version\ = "1.0" AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{309C7313-EE54-47F4-B8F6-CF0C6CF0B005}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AKRunXDll.AKCheck\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9F3753B-655A-4182-8AA7-4B2FBCFBD5FC} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\My178SAnimation.AKAnimation.1\ = "AKAnimation Class" AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C78E24C9-69A5-4626-B698-B8B2C1A569CB}\InprocServer32\ThreadingModel = "Apartment" AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9C12444B-30AC-409E-8B62-73FE07B34FD6}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C78E24C9-69A5-4626-B698-B8B2C1A569CB}\MiscStatus AK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B341296-E404-4F8D-91F9-8CB059DFA35D}\ProxyStubClsid32 AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9EAB774-CB72-4EE8-9D3D-E19738C87C04}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AKRunXDll.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\My178SAnimation.AKAnimation\ = "AKAnimation Class" AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9F3753B-655A-4182-8AA7-4B2FBCFBD5FC}\ = "IAKCheck" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ak\shell\ = "open" ak_run.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9F3753B-655A-4182-8AA7-4B2FBCFBD5FC}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C78E24C9-69A5-4626-B698-B8B2C1A569CB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AKAnimation.dll" AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C78E24C9-69A5-4626-B698-B8B2C1A569CB}\TypeLib\ = "{9C12444B-30AC-409E-8B62-73FE07B34FD6}" AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{309C7313-EE54-47F4-B8F6-CF0C6CF0B005}\TypeLib\ = "{9C12444B-30AC-409E-8B62-73FE07B34FD6}" AK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9EAB774-CB72-4EE8-9D3D-E19738C87C04}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9F3753B-655A-4182-8AA7-4B2FBCFBD5FC} regsvr32.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe Token: 33 788 AK.exe Token: SeIncBasePriorityPrivilege 788 AK.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 788 AK.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 788 AK.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1644 Launcher.exe 2792 ak_run.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1644 wrote to memory of 788 1644 Launcher.exe 30 PID 1644 wrote to memory of 788 1644 Launcher.exe 30 PID 1644 wrote to memory of 788 1644 Launcher.exe 30 PID 1644 wrote to memory of 788 1644 Launcher.exe 30 PID 1644 wrote to memory of 788 1644 Launcher.exe 30 PID 1644 wrote to memory of 788 1644 Launcher.exe 30 PID 1644 wrote to memory of 788 1644 Launcher.exe 30 PID 788 wrote to memory of 2792 788 AK.exe 32 PID 788 wrote to memory of 2792 788 AK.exe 32 PID 788 wrote to memory of 2792 788 AK.exe 32 PID 788 wrote to memory of 2792 788 AK.exe 32 PID 788 wrote to memory of 2792 788 AK.exe 32 PID 788 wrote to memory of 2792 788 AK.exe 32 PID 788 wrote to memory of 2792 788 AK.exe 32 PID 2792 wrote to memory of 2920 2792 ak_run.exe 33 PID 2792 wrote to memory of 2920 2792 ak_run.exe 33 PID 2792 wrote to memory of 2920 2792 ak_run.exe 33 PID 2792 wrote to memory of 2920 2792 ak_run.exe 33 PID 2792 wrote to memory of 2920 2792 ak_run.exe 33 PID 2792 wrote to memory of 2920 2792 ak_run.exe 33 PID 2792 wrote to memory of 2920 2792 ak_run.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\AK.exe"C:\Users\Admin\AppData\Local\Temp\AK.exe"2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Users\Admin\AppData\Local\Temp\ak_run.exe"C:\Users\Admin\AppData\Local\Temp\ak_run.exe" -i3⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 -s "C:\Users\Admin\AppData\Local\Temp\AKRunXDll.dll"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2920
-
-
-