General

Target: win_locker.ex_.exe
Size: 1.0MB
Sample: 240903-sdblmazdrm
MD5: 4aecef9ddc8d07b82a6902b27f051f34
SHA1: 8ad1b4ed98794e8f0a9a9d6fc161697974099d91
SHA256: 988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42
SHA512: 605fb600668cbadb0f556589f923209def1cd3c51b123f4ce7a5325722bcca05f6bb3b26bf7a6aa52bffabe6129c508b302e85ee0a120bedd96a71a105eae437
SSDEEP: 12288:Vpp+QIEmDzuImC01vbUE98pik+2i1NkshdMMK+AX99etq2dTdYf:Vpp+Q+u5bUI8pij1NkshdMf99etb5m
Static task: static1

Behavioral task: behavioral1
Sample: win_locker.ex_.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: win_locker.ex_.exe
Resource: win10v2004-20240802-en
Malware Config

Extracted
Ransom note: C:\PerfLogs\Admin\akira_readme.txt
Family: akira
URLs:
https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion
https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion
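Added example, not code from the sandbox report or from the Akira operators: a small triage helper that pulls the contact addresses out of an Akira-style ransom note and checks that each is a well-formed Tor v3 onion address (56 base32 characters encoding a 32-byte key, a 2-byte SHA3-256 checksum and the version byte 0x03, as laid out in Tor's rend-spec-v3). The note body is constructed; only the file path and the two URLs come from the extracted config above, and the key used to build the known-good test vector is likewise constructed.

```python
# Added example (not code from the sandbox report or from the Akira
# operators): extract .onion contact addresses from a ransom note and run a
# structural v3 onion check on each. SAMPLE_NOTE is constructed around the two
# URLs listed in the extracted config; NOTE_PATH is the path the config reports.
import base64
import hashlib
import re

NOTE_PATH = r"C:\PerfLogs\Admin\akira_readme.txt"

# Constructed stand-in for the note body; only the URLs come from the report.
SAMPLE_NOTE = """\
Your network has been encrypted.
Contact us through Tor at:
https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion
https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion
"""

# v3 addresses are exactly 56 base32 characters (a-z, 2-7) before ".onion".
ONION_RE = re.compile(r"https?://([a-z2-7]{56})\.onion\b", re.I)


def onion_v3_checksum(pubkey, version=3):
    """checksum = SHA3-256(".onion checksum" || pubkey || version)[:2] (rend-spec-v3)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def is_valid_onion_v3(host):
    """host is the 56-character label without '.onion'. Decodes it and checks
    the length, the embedded checksum and the version byte."""
    if len(host) != 56:
        return False
    try:
        raw = base64.b32decode(host.upper())
    except (ValueError, TypeError):
        return False
    if len(raw) != 35:  # 32-byte key + 2-byte checksum + 1-byte version
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == 3 and checksum == onion_v3_checksum(pubkey, version)


def make_onion_v3(pubkey):
    """Encode a 32-byte key as a v3 address. Used only to build a known-good
    test vector from a constructed key; it does not contact any service."""
    raw = pubkey + onion_v3_checksum(pubkey) + bytes([3])
    return base64.b32encode(raw).decode("ascii").lower()


def extract_config(note_path, note_text):
    """Mimic the report's 'Extracted' block: note path plus the contact URLs,
    each annotated with whether it passes the v3 structural check."""
    urls = []
    for m in ONION_RE.finditer(note_text):
        host = m.group(1).lower()
        urls.append({"url": f"https://{host}.onion", "host": host,
                     "valid_v3": is_valid_onion_v3(host)})
    return {"note_path": note_path, "urls": urls}


if __name__ == "__main__":
    cfg = extract_config(NOTE_PATH, SAMPLE_NOTE)
    print(cfg["note_path"])
    for u in cfg["urls"]:
        print(u["url"], "v3-ok" if u["valid_v3"] else "MALFORMED")
```

The checksum check matters when indicators are copied from a note or a report by hand: a single mistyped character changes the decoded version byte or checksum and the address fails the check, which is cheaper than discovering the typo after the IOC has been pushed to a blocklist.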
Targets

Target: win_locker.ex_.exe
Size: 1.0MB
MD5: 4aecef9ddc8d07b82a6902b27f051f34
SHA1: 8ad1b4ed98794e8f0a9a9d6fc161697974099d91
SHA256: 988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42
SHA512: 605fb600668cbadb0f556589f923209def1cd3c51b123f4ce7a5325722bcca05f6bb3b26bf7a6aa52bffabe6129c508b302e85ee0a120bedd96a71a105eae437
SSDEEP: 12288:Vpp+QIEmDzuImC01vbUE98pik+2i1NkshdMMK+AX99etq2dTdYf:Vpp+Q+u5bUI8pij1NkshdMf99etb5m
Akira
Akira is a ransomware family first seen in March 2023 that targets several industries, including education, finance, real estate, manufacturing, and consulting.

Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the ransomware binary itself, so the child is more plausibly launched deliberately, for example to run the PowerShell shadow-copy deletion noted below.

Renames multiple (8656) files with added filename extension
This is consistent with ransomware encrypting files across the system and appending its own extension to each one.

Command and Scripting Interpreter: PowerShell
Runs a PowerShell command to delete volume shadow copies, removing the local restore points a victim could otherwise use to recover files without paying.

Drops startup file

Drops desktop.ini file(s)

Drops file in System32 directory
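Added example, not code from the sandbox report or from the Akira operators: a small detector for the two behaviours flagged above (shadow-copy deletion via PowerShell and mass renaming with an added extension), plus the ransom note drop from the extracted config, run over constructed endpoint telemetry. The event schema (type, pid, image, command_line, old_path/new_path) is an assumption modelled on Sysmon process-create and file events; the ".akira" suffix in the sample events and the 50-file threshold are constructed for the example, since the report states only that an extension was added and does not show this sample's exact PowerShell command line. The shadow-copy patterns are the common ATT&CK T1490 forms, not a quote of this sample.

```python
# Added example (not code from the sandbox report or from the Akira
# operators): detect the behaviours the report flags, over constructed
# Sysmon-style events. Event field names, the ".akira" suffix and the
# rename threshold are assumptions made for the example.
import re
from collections import defaultdict

# Common shadow-copy deletion command lines (ATT&CK T1490, Inhibit System
# Recovery). The report says only that a PowerShell command deleted shadow
# copies; the exact command line is not shown there, so these are general
# patterns rather than a quote of this sample.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    # PowerShell: enumerate Win32_ShadowCopy via WMI/CIM, then remove it
    re.compile(r"Win32_ShadowCopy\b.*\|\s*Remove-(Wmi|Cim)(Object|Instance)", re.I),
    re.compile(r"Win32_ShadowCopy\b.*\.Delete\(\)", re.I),
]

# Ransom note file name from the extracted config above.
RANSOM_NOTE_NAMES = {"akira_readme.txt"}


def is_shadow_copy_deletion(command_line):
    """True if the command line matches a known shadow-copy deletion pattern."""
    return any(p.search(command_line) for p in SHADOW_DELETE_PATTERNS)


def added_extension(old_path, new_path):
    """Return the suffix appended when new_path is old_path plus '.<ext>',
    otherwise None (a plain rename such as a.docx -> a_final.docx is not one)."""
    if new_path.startswith(old_path + ".") and len(new_path) > len(old_path) + 1:
        ext = new_path[len(old_path):]
        if "\\" not in ext and "/" not in ext:
            return ext.lower()
    return None


def analyze(events, rename_threshold=50):
    """Return (rule, pid, detail) findings for a list of event dicts."""
    findings = []
    renames = defaultdict(lambda: defaultdict(int))  # pid -> added ext -> count
    for ev in events:
        if ev["type"] == "process_create":
            if is_shadow_copy_deletion(ev["command_line"]):
                findings.append(("shadow_copy_deletion", ev["pid"], ev["command_line"]))
        elif ev["type"] == "file_rename":
            ext = added_extension(ev["old_path"], ev["new_path"])
            if ext:
                renames[ev["pid"]][ext] += 1
        elif ev["type"] == "file_create":
            name = ev["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in RANSOM_NOTE_NAMES:
                findings.append(("ransom_note_dropped", ev["pid"], ev["path"]))
    # A burst of renames by one process that all append the same extension is
    # the "Renames multiple files with added filename extension" behaviour.
    for pid, by_ext in renames.items():
        for ext, n in by_ext.items():
            if n >= rename_threshold:
                findings.append(("mass_rename_added_extension", pid,
                                 f"{n} files renamed to *{ext}"))
    return findings


def sample_events():
    """Constructed telemetry: a benign shell, a shadow-copy deletion, and a
    locker process (pid 4100) that drops the note and renames 60 documents."""
    events = [
        {"type": "process_create", "pid": 5200, "image": "powershell.exe",
         "command_line": "powershell.exe -c Get-Process"},
        {"type": "process_create", "pid": 5201, "image": "powershell.exe",
         "command_line": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
        {"type": "file_rename", "pid": 4100,
         "old_path": r"C:\Users\Public\report.docx",
         "new_path": r"C:\Users\Public\report_final.docx"},
        {"type": "file_create", "pid": 4100, "path": r"C:\PerfLogs\Admin\akira_readme.txt"},
    ]
    for i in range(60):
        old = rf"C:\Users\Public\Documents\doc{i}.xlsx"
        events.append({"type": "file_rename", "pid": 4100,
                       "old_path": old, "new_path": old + ".akira"})
    return events


if __name__ == "__main__":
    for rule, pid, detail in analyze(sample_events()):
        print(f"{rule:28} pid={pid} {detail}")
```

Two caveats for real deployments: the rename rule keys on the extension being appended to the full original name, so a locker that replaces the extension instead of appending one needs a separate rule, and the PowerShell patterns only cover the plain forms; encoded commands (-EncodedCommand) must be base64-decoded before matching, which the example does not do.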