3839137c0450ca36256d511bc12c2a94fe35156908967784353a2839cd7182d3

Analysis

max time kernel
217s
max time network
224s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 12:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AkrienBetaLoader.exe
Size

14.9MB
MD5

68a83efe554d24837a9f652f57d0d989
SHA1

ec4cc4c812e817fed751565707c08e7f9cbb6b39
SHA256

3839137c0450ca36256d511bc12c2a94fe35156908967784353a2839cd7182d3
SHA512

a785fdd177aebb55516435c892630a7e1ec832f2d37f4b1b0af457f4c697498620ba52d4837601fcd5cd90da67ab4d08cc319a7979c31a782b40a65a60571f34
SSDEEP

196608:NjmOIB5vCgkg9s2xW5NjVAhP+Zdruaz+hzxWquxBJ7jmmEHSWwP2LDYJ1o3cz3mG:N5IB5vCgkLKgVA+Run2zJ7ZCO3m9t

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	AkrienBetaLoader.exe

Loads dropped DLL 9 IoCs

pid	Process
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM32\ucrtbase.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\SYSTEM32\DLL\kernel32.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\SYSTEM32\symbols\DLL\kernel32.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\SYSTEM32\dll\ucrtbase.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\SYSTEM32\symbols\dll\ucrtbase.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\SYSTEM32\kernel32.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\SYSTEM32\dll\ntdll.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\SYSTEM32\symbols\dll\ntdll.pdb	AkrienBetaLoader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4152-1-0x00007FF77D540000-0x00007FF77E430000-memory.dmp	upx
behavioral2/memory/4152-5-0x00007FF77D540000-0x00007FF77E430000-memory.dmp	upx
behavioral2/memory/4152-13-0x00007FF77D540000-0x00007FF77E430000-memory.dmp	upx
behavioral2/memory/4152-3836-0x00007FF77D540000-0x00007FF77E430000-memory.dmp	upx
behavioral2/memory/4152-3849-0x00007FF77D540000-0x00007FF77E430000-memory.dmp	upx
behavioral2/memory/4152-4001-0x00007FF77D540000-0x00007FF77E430000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\symbols\DLL\kernel32.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ucrtbase.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\symbols\dll\ucrtbase.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DLL\kernel32.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ntdll.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dll\ntdll.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\symbols\dll\ntdll.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dll\ucrtbase.pdb	AkrienBetaLoader.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\kernel32.pdb	AkrienBetaLoader.exe

Detected Akrien Game Cheat
Akrien.wtf is a cheat program for a selection of online PC games.

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AkrienBetaLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AkrienBetaLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	AkrienBetaLoader.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe
4152	AkrienBetaLoader.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 3992	4152	AkrienBetaLoader.exe	83
PID 4152 wrote to memory of 3992	4152	AkrienBetaLoader.exe	83

C:\Users\Admin\AppData\Local\Temp\AkrienBetaLoader.exe
"C:\Users\Admin\AppData\Local\Temp\AkrienBetaLoader.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AkrienAntiLeak\beta\java\bin\java.dll

Filesize
147KB

MD5
7c5dc82d23b5e4f56f5cf08a042d381f

SHA1
84342fac8ad5b5e8cb478df6d95e6606608b20a7

SHA256
f145bbeec0a0570b3f12c97dcba6f7cb698e0f0b8818daf0b72db5ed14908bfb

SHA512
90510512827f4ee4920b8fe23b061624696b5883e5e664e451979219be110374b0248471d83e8fe750695a325fe7afb22cf32446362cfa29265edfd99acec349

Download Submit
C:\AkrienAntiLeak\beta\java\bin\jimage.dll

Filesize
23KB

MD5
a877adc3cc28680af0f7d85bc06ec0c2

SHA1
05e9bb414e9801bc138282ebdfcc73764e594a65

SHA256
b411d0d447ba25b4b69cbf302e6e2a7342c58b45a04b2dea5dec2b4bf139c40d

SHA512
5bf24d3fdd851fa7a79aa256bef27e754834cd114c3fc4f7835c1b076938eb3876031ad7eae43ebb9efaee64f590f9f3bff7eb7697b04f0d54bcf88ee974ad8e

Download Submit
C:\AkrienAntiLeak\beta\java\bin\management.dll

Filesize
18KB

MD5
afcc14a944ac2b49581186e511905296

SHA1
842468621d3f08c9022610b1ca4de4d7c7999443

SHA256
f94a69eadb651a310ccece5ec60629ffd147f550f778d1ce1d481e9c396e51e3

SHA512
f69aab473868aaa7cf13937fa9d5d0ba628fdfa960f84f87b72f273032f1b7def53f9ce6aad5e3a42163a0e1ee981376f2dadd138bf69edd7c32be1ccf995ee4

Download Submit
C:\AkrienAntiLeak\beta\java\bin\management_ext.dll

Filesize
27KB

MD5
cef252896f68c4990adbe1a82a02b5d4

SHA1
a37855ff3aaeefc31cca3b14f1c279298f778daf

SHA256
a0cc2524f6b7b1b8b4dfff2916fe5ced1bfddb210ac4dc0092d13f74e5704dda

SHA512
78e8a42fdd80b23c0ab2ab4ad063a83219332e5282e1b96e7ce53eed6e36cdb3bd50c7f54c09284c53d466d7c9484f30f28379381e761f300946118963134a35

Download Submit
C:\AkrienAntiLeak\beta\java\bin\net.dll

Filesize
91KB

MD5
9eae1444ac0bab3a74ac99c4622dd2a5

SHA1
55593019633b0a56f97aff0dc07f028b7ca7facd

SHA256
6cef00e1f9d26fc21a8d75cceccacf616813f7b7927755d3cd47ce9a19dc92a3

SHA512
b17e268892409e984677b912929cd70b568ad092ac2304676ad2ec56153d0fbc5e0034da53d9bfbbe2df33894f98b39c2de8151edecdf05681c8c1981d5a59ed

Download Submit
C:\AkrienAntiLeak\beta\java\bin\nio.dll

Filesize
63KB

MD5
af2f7f5775d97e9d971cad36bc39bf6e

SHA1
725391e22d7793282ec8481b6f24907b500e3c43

SHA256
75a2897e45a6ffff9b3586b87b42b8af57eb0691e8dcbe87c7d7c37364748695

SHA512
3d29529b77b9ec276a9d8e1ed61e443a6b8934b1c8134d1a55919cb994efbb3b9fa812f86b0acb2a34699317cac51ea2939d3064644e77e9122f3af37e0c2755

Download Submit
C:\AkrienAntiLeak\beta\java\bin\server\jvm.dll

Filesize
9.6MB

MD5
7e010545a2640db175d239e3d72168f1

SHA1
d425a23abc83584376788e9c64dd760ea93babb7

SHA256
e485d77969d660ec6485a21b4b00f222e3bac35c2335846953a211abd667525c

SHA512
d19fc9e5b7a3f94231de569c6e223a70d13fce147da199bbebb23ce96b962fa7779bba6f385caa4960f1ff55a81cbebb98f981cb7dcdf73cba1716de86bb0a26

Download Submit
C:\AkrienAntiLeak\beta\java\bin\sunmscapi.dll

Filesize
36KB

MD5
cc257e19a802064c8ef5115d95d42933

SHA1
94c548178fd22c14e1aefd8c51429814fa43ef0a

SHA256
f34fc80d553ca33369fb99dd1b27436fbc99a6fd6aec51211053c8210a0b9922

SHA512
0d99df66b007a4578368adf09b569c14f1d81dff324f5afcd57418614c226408983ea2e3c9ed88aa111c57e3d4cf96d38ad96f1de2c2cd964de6324bd608e41b

Download Submit
C:\AkrienAntiLeak\beta\java\bin\zip.dll

Filesize
81KB

MD5
0ae350dea4985e5d3898737650019952

SHA1
db2bdc33b910bbe8874cc4e467e914f351e78c36

SHA256
763c41eb212f2d729c8023d251aad3932c97db5254f75b9935e2f1a4990155ef

SHA512
a49c7163540dfb1f74f4f49af050af6f1f097d05597bca37333fd7f3d307831dc07a4a8872fd75a6d2fc407b170dafd41d4fa878b811c64d1f3ac99848c7a5c4

Download Submit
memory/4152-3836-0x00007FF77D540000-0x00007FF77E430000-memory.dmp

Filesize
14.9MB

Download
memory/4152-12-0x00007FF77D579000-0x00007FF77DED7000-memory.dmp

Filesize
9.4MB

Download
memory/4152-5-0x00007FF77D540000-0x00007FF77E430000-memory.dmp

Filesize
14.9MB

Download
memory/4152-13-0x00007FF77D540000-0x00007FF77E430000-memory.dmp

Filesize
14.9MB

Download
memory/4152-3849-0x00007FF77D540000-0x00007FF77E430000-memory.dmp

Filesize
14.9MB

Download
memory/4152-2-0x00007FF8CC0B0000-0x00007FF8CC0B2000-memory.dmp

Filesize
8KB

Download
memory/4152-0-0x00007FF77D579000-0x00007FF77DED7000-memory.dmp

Filesize
9.4MB

Download
memory/4152-3830-0x00007FF8ACBB0000-0x00007FF8AE23F000-memory.dmp

Filesize
22.6MB

Download
memory/4152-3829-0x00007FF8CC0D0000-0x00007FF8CC0D2000-memory.dmp

Filesize
8KB

Download
memory/4152-3-0x00007FF8CC0C0000-0x00007FF8CC0C2000-memory.dmp

Filesize
8KB

Download
memory/4152-1-0x00007FF77D540000-0x00007FF77E430000-memory.dmp

Filesize
14.9MB

Download
memory/4152-4001-0x00007FF77D540000-0x00007FF77E430000-memory.dmp

Filesize
14.9MB

Download