akira | 0fe572e7aad25a38ba9ee9b4600ddc02641e29061de250c525d6828f70326005

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/03/2025, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
Size

1.0MB
MD5

d37594e06b180d71d1612e6fd61e02a2
SHA1

d9d8836f5ed53513401b379d5806501d5b1e000a
SHA256

0fe572e7aad25a38ba9ee9b4600ddc02641e29061de250c525d6828f70326005
SHA512

a2f4bbe84a0d78897604eaf10c18581c0676f23a15e7ab8b95b80d1f84898a49a4132aecb194631d2df4f0c5616d4d2c85959af27fbbfb65f257773b6ebbde29
SSDEEP

12288:nLXeXuANMx17cMW50NY3RuKI5B/N++PP8fACq6EBvxz:LXcuA4cMW50kuKI5B/pP8fACHE

Score

10^/10

akira execution ransomware ransowmware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\Admin\akira_readme.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/1322809546-JOKLE 3. Use this code - 6980-GX-MHHO-DGZR - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/1322809546-JOKLE

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira
Akira family
akira

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2164	powershell.exe	30

Renames multiple (8616) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell command to delete shadowcopy.

execution ransowmware

PowerShell

T1059.001

pid	Process
1564	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 47 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\65NE61TJ\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\V50G20NG\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QHWRVUKQ\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BJINZE1S\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\ECLIPSE.INF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\slideShow.js	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04134_.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02280_.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15273_.GIF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORES.DLL	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15061_.GIF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusDoNotDisturb.ico	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\SpiderSolitaire.exe.mui	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files\Mozilla Firefox\fonts\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.INF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14754_.GIF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL108.XML	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\Keywords.HxK	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\settings.css	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\slideShow.js	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOATINST.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ContactSelector.ico	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Projects.accdt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01044_.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.DPV	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292152.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_TexturedBlue.gif	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
1564	powershell.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2116	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeBackupPrivilege	2248	vssvc.exe
Token: SeRestorePrivilege	2248	vssvc.exe
Token: SeAuditPrivilege	2248	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\akira_readme.txt

Filesize
2KB

MD5
a561d1700a57e4963efaabfcc181db8e

SHA1
087d67f93165893562cafbe17708f0a6b10b9ea3

SHA256
f03b00913b35c006a8709060c9be4b8e28946abecc0bb14df0e2df4bc2c45a94

SHA512
75f2d29c2f86219b722761122c4dcd59db23893e6a0449eec22e62d5cfa8eb62d0099c4ff8b74bad26028d72643f8477af619740ffd0c03ee9f592464ccbdc45

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.akira

Filesize
28KB

MD5
e927f63fc7dc4313b4b6e2320bac057b

SHA1
780c0ab8d35de9697b97b2202598c24842f2d712

SHA256
ef7350758242f1a1356bd6d8f51fc4a3d49ad60cf35443b5ac409a73904300c7

SHA512
209eb9255b3a6cc331b379d3ffee2e79ef2bfd712fbb25a703fd4c8357d938380ffafff4f1e1e3ec4e7769a59f258fb28dd7c2b9ea2b93a159102ed711d1de22

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.akira

Filesize
12KB

MD5
cec1bdb45452af7a3c4153f79ddb1161

SHA1
fdb2330faa9879ccc3797d1fa5f4bc56ee24869b

SHA256
6ff9fb39fd8f4988e22a7211b461d52bb64fa1dfb5b675c70747de6ff76a6541

SHA512
598cd0b2742eac75beddf2c4dcaa2c87c30f686ef1e980400d0cda41a4056b67ed4e0f8219c8371dc37ce2ba1f2f4987ca843ebfe11b0e8f2f9f89932fe320ab

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.akira

Filesize
9KB

MD5
8f5b8cca5b04ef5de83d20bed6be3950

SHA1
4f0a9d7f15a25010c7901f3cf60a5ecb3a711669

SHA256
4772675b469d5c78149ad2ef59951763abc7a1eac282cd7ba1b16e581b927ee0

SHA512
4c98c2b8cb33bac600a7aa2851ec3e231f41f63822fb5791a87e0b9e8aa51aa8b771ea0d1b8fd76ee8c85849bf62c926337e2aad43a75f8896ae8b32fdbbb28c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.akira

Filesize
8KB

MD5
dfe6de09a3d3052464d32a064612fa00

SHA1
d6dedf28e4b8ea19b020f23a86e162656ad03baf

SHA256
27b5701e7bca017d46388e249e9cf8d78b0de80101bdcff2a4f56762a2176436

SHA512
fc81d365efa5a34e3b21a099656f69a6ce931c2b92063bfaec6bb1eb3f14e7384600dfd95021de18b2d09920aa6680fa228e2caea779af081ae1697a06ba5ce2

Download Submit
C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.akira

Filesize
831KB

MD5
0254db9b50944d84e71d8cc0543e9a5c

SHA1
9d611ab3c2073f2ea6a32575fc7656ab05ffae1e

SHA256
4f6964df038bb8319830c8e6b219261ceb91d580a6511157cbba9110e8f4ec92

SHA512
3ef45b24f43ded2feb1069ffca8f92cd7244bee24300957d02648d89cfac31465fb074c28cdd08c41679d71db49bddf0a51d651dcc9f6d9228c775ab80dc1fdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.akira

Filesize
28KB

MD5
27a5971077ea74398567fb2488f10894

SHA1
28d279eec12ed33e80b64205177a717d85675fc7

SHA256
526ad702d362ec2fdd67f52b4fee3f54e2e87028b3895b66964a5c03f9b0194c

SHA512
501f087782dd18051f56c4b59502383762acc52a38a7a23acc4fb5db4e6ada660b4f764355b5b23d7fc9bc675c8fe6950143eb6c2e8ce91275196f61895e2d5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.akira

Filesize
48KB

MD5
0e1f599c614a2ff879fe52a733c832e1

SHA1
6412e03d0b4aa416004d970736a37973ee2ca126

SHA256
87097a53a9b0f36ceb2081d35725fe91ff77cbe2e03a04862ca62c18c95f074f

SHA512
be4fc59245f7957fd73bacdd13e804570be38d988ab95631c0be8631b030f7ef647de4327039f67d92a212d1cf174c7a8662c7f7303b7768ce4e88d01fe1d7a8

Download Submit
memory/1564-7-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/1564-8-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/1564-9-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/1564-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1564-5-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/1564-4-0x000007FEF4F3E000-0x000007FEF4F3F000-memory.dmp

Filesize
4KB

Download