akira | 0fe572e7aad25a38ba9ee9b4600ddc02641e29061de250c525d6828f70326005

Analysis

max time kernel
31s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/03/2025, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
Size

1.0MB
MD5

d37594e06b180d71d1612e6fd61e02a2
SHA1

d9d8836f5ed53513401b379d5806501d5b1e000a
SHA256

0fe572e7aad25a38ba9ee9b4600ddc02641e29061de250c525d6828f70326005
SHA512

a2f4bbe84a0d78897604eaf10c18581c0676f23a15e7ab8b95b80d1f84898a49a4132aecb194631d2df4f0c5616d4d2c85959af27fbbfb65f257773b6ebbde29
SSDEEP

12288:nLXeXuANMx17cMW50NY3RuKI5B/N++PP8fACq6EBvxz:LXcuA4cMW50kuKI5B/pP8fACHE

Score

10^/10

akira execution ransomware ransowmware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\akira_readme.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/1322809546-JOKLE 3. Use this code - 6980-GX-MHHO-DGZR - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/1322809546-JOKLE

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira
Akira family
akira

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2952	powershell.exe	29

Renames multiple (8602) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell command to delete shadowcopy.

execution ransowmware

PowerShell

T1059.001

pid	Process
2804	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 47 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\25UY7HZX\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CBCNU6WZ\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RTJA0BV0\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JMFEWY8E\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00426_.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_COL.HXC	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\aaa8c80efee3d0893711d4ef16970d03.arika	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_TW.properties	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.INF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216874.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00452_.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00367_.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\16.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105280.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDECL.ICO	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105306.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736G.GIF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR9B.GIF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00231_.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_hov.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188513.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103812.WMF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14538_.GIF	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLR.SAM	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\WMPDMC.exe.mui	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\akira_readme.txt	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Toronto	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2804	powershell.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
2124	2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeBackupPrivilege	2668	vssvc.exe
Token: SeRestorePrivilege	2668	vssvc.exe
Token: SeAuditPrivilege	2668	vssvc.exe
Token: 33	2060	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2060	AUDIODG.EXE
Token: 33	2060	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2060	AUDIODG.EXE

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-19_d37594e06b180d71d1612e6fd61e02a2_akira_cobalt-strike.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x480
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\akira_readme.txt

Filesize
2KB

MD5
a561d1700a57e4963efaabfcc181db8e

SHA1
087d67f93165893562cafbe17708f0a6b10b9ea3

SHA256
f03b00913b35c006a8709060c9be4b8e28946abecc0bb14df0e2df4bc2c45a94

SHA512
75f2d29c2f86219b722761122c4dcd59db23893e6a0449eec22e62d5cfa8eb62d0099c4ff8b74bad26028d72643f8477af619740ffd0c03ee9f592464ccbdc45

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.akira

Filesize
28KB

MD5
4d012c080451a0137bf95c82c686f4e1

SHA1
09eb2608e75f6f68614a4a0c707d2186cba10030

SHA256
e5c79ed005f6b11f1289983c76eaa837d2cde08823ba50844f9c0d140a742994

SHA512
a8763913deabcb9faf85e7d0a95619bf28088cd7a23e64c76a2aa6eed2650487e3d0426e7e71aba2b5eff1005dc988ca1b121392b56153a8838d64a727234ba0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.akira

Filesize
12KB

MD5
8080e9e685fe35b528dec79012f5758d

SHA1
1f86c81e8935a0b134da6e3662f244f524fc5bb5

SHA256
a30d822b3523b2d06d1ad892c7fdbafd4a64dc239213d43a00b27f0081345a34

SHA512
56d50464da444c2fce6306dd7998c341e939f6bb09e1716f44dfe6b4590000939563dad395f6783494d7cf5a0ff635517be7ef9b296735215f809d896779e39f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.akira

Filesize
9KB

MD5
fd9fecac69c81b8953cc2ca68ce5f10f

SHA1
8420e87b2ffc0d1595e42cabf3dda7c00dfe0249

SHA256
3648102a8cb4824a1fae99ae6e713536ba5850fadf9b98057cd06660043b6a05

SHA512
74cbf6d8be341c3e0b075c44331c6c1f59699e7ca7f65ede66387c5e56e0f08dbf32fe299737a7828e4f8cc5628dc83a2ea387e9dbdaeadf3475f7d302167e56

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.akira

Filesize
8KB

MD5
77af267aeba8fd76fd075aac083c08c4

SHA1
cf09136f7980fa7033f5ceb94aba07e7d37dc141

SHA256
77a0f7b3b445e0e09f6131f870298dd0ca902adab5cf6c0e14e0cb46a56286ac

SHA512
74827f16713348ca353cc8557534c23c3b1d27710096c8610cbd54365f79c2fbc01df9104ab9ff06f18ab5ee89ab46988b04232a3b4abba36826e8b8b800dd39

Download Submit
C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.akira

Filesize
831KB

MD5
b2ba29b1f60fa12789db69df24a2c9dd

SHA1
ba383ac1821d50fc07bcd6af2105643dc6de253f

SHA256
4bb0e2dbf33f1b69a0efbd98ffc7bb054055960a7dd201a3d4bb7e03a71e9aeb

SHA512
8a46357d78df26d1b95451dd8fcc2f4717b27dc98e385247d62509cac50eb061cc310d77633bf9d9e90d6d03f0d6657a363f55105ab5c30e176bf7e262d8df06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2.akira

Filesize
8KB

MD5
d931218fc967608fbf3f5b5bf80c102d

SHA1
5b9c50e9c0f734c1e335620a44b1a836c38bae8b

SHA256
7863de76a5e8c712c79f98b53893cd5532111024431277a3cacbde8450f5c277

SHA512
8fc7695081589ba658663618f5178d96a427110a4a95aa5508d0f096b321c244a01b7feb4c3e0b6eb92fdf23e97d725b778cb0ae1b23f7906893d913a408d8b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.akira

Filesize
28KB

MD5
c3aea58130b46dcacb38e4ea056fb790

SHA1
7fd02055327ce41965618950f18bc99790df1e14

SHA256
ae5dbd8010aedf809f296cfa57dd8df0b3736d2ea4d0528282d28e03309c5e90

SHA512
6dc356bc03cf7e34999bbe4658293f61a5a89f742e739ad844f6be1237db52990975525cc179f94d82dd55b6d0959b4101061771a861240eee98884f37120eb7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.akira

Filesize
48KB

MD5
87f80a3f127570fe541867d0e4068ecf

SHA1
56c808d8b9c51d8daa45ce7371cc7373e2af860f

SHA256
399841459877e46be1c7952f33e152c0fd76ba08afac53fd3c085f3d538a2eda

SHA512
e41a85472ed68f3d6a56c20e702455f03f92852a0a4c762dae2c472b2091d66b1e31597111862c6470d6331a5f321a7e933b76b5ccd07676ebd9eef6026568ac

Download Submit
memory/2804-8-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-9-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-7-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2804-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2804-4-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

Filesize
4KB

Download