General
-
Target
2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.zip
-
Size
432KB
-
Sample
240903-zdv4lawfkp
-
MD5
fb4c2f11588ed6d8fd98ad8b85b9bcba
-
SHA1
f88e9ebaea6f6bd199dcfdc4e2a92ebb9a8bc3cb
-
SHA256
9667b999dd4f2c2839ab0e364c345c79f8915543fe31a51c75d22dcaba8d2d0e
-
SHA512
ee780591bd891eb59c8885c3286c058430763e485857c3533116f9b39aa83fb162dc8316a05119a7b702cbac3dfacc0bcaac18894b37f06cdf0878fa1a9b29ee
-
SSDEEP
12288:DDax52tGBKG/anmiqzl+tcxaVc7iAPRC2Jmz0u:DDax5KGBKoYtcEVc7iO/o
Static task
static1
Behavioral task
behavioral1
Sample
2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
Resource
win11-20240802-en
Malware Config
Extracted
C:\PerfLogs\akira_readme.txt
akira
https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion
https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion
Targets
-
-
Target
2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
-
Size
879KB
-
MD5
2a7a76cde7e970c06316e3ae4feadbe3
-
SHA1
89d195f59bba9c3b43635607f9f1c3051645332c
-
SHA256
2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77
-
SHA512
834f76c0de678d26507fa1a3446cf6336952d36bd2857113f1bbaddf0d33132d4c579bfd232194868c8dc4ddefa66a9c589610e74f4a808787b8edf36f3d5b4f
-
SSDEEP
24576:dpN2CMwVhLcqnB+c9z2Va31qIU2p1GA3zaIJYj9+M+C6vU1KKoPAFGG+TR3aZX:UC5Uqn4c9z2Vu1qIU2pAA3rM+C6vZJAp
-
Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Renames multiple (9654) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Run Powershell command to delete shadowcopy.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1