Analysis

  • max time kernel: 121s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 26/03/2025, 10:10

General

  • Target: 0fe572e7aad25a38ba9ee9b4600ddc02641e29061de250c525d6828f70326005.exe
  • Size: 1.0MB
  • MD5: d37594e06b180d71d1612e6fd61e02a2
  • SHA1: d9d8836f5ed53513401b379d5806501d5b1e000a
  • SHA256: 0fe572e7aad25a38ba9ee9b4600ddc02641e29061de250c525d6828f70326005
  • SHA512: a2f4bbe84a0d78897604eaf10c18581c0676f23a15e7ab8b95b80d1f84898a49a4132aecb194631d2df4f0c5616d4d2c85959af27fbbfb65f257773b6ebbde29
  • SSDEEP: 12288:nLXeXuANMx17cMW50NY3RuKI5B/N++PP8fACq6EBvxz:LXcuA4cMW50kuKI5B/pP8fACHE

Malware Config

Extracted

  • Path: C:\Program Files\akira_readme.txt
  • Family: akira

Ransom Note
Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. 
Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/1322809546-JOKLE 3. Use this code - 6980-GX-MHHO-DGZR - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.
URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/1322809546-JOKLE

Signatures

  • Akira

    Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.

  • Akira family
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Renames multiple (8658) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs a PowerShell command to delete volume shadow copies.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 47 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fe572e7aad25a38ba9ee9b4600ddc02641e29061de250c525d6828f70326005.exe
    "C:\Users\Admin\AppData\Local\Temp\0fe572e7aad25a38ba9ee9b4600ddc02641e29061de250c525d6828f70326005.exe"
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2496
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
    • Process spawned unexpected child process
    • Command and Scripting Interpreter: PowerShell
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1940
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.akira
    Filesize: 28KB
    MD5: 661d7dd8a5c58400a5d80f57eec7312a
    SHA1: b7c7e99511870d94eccdcf7e86132df3abdc99f4
    SHA256: ec058db514fbb6a459f26d2d5fc5565d660adc229f7c3e5933b3710b258510bc
    SHA512: 89813706324843211b6c528527d6b7dd35c92831dc17f36639c1faf021869af66964a18093db7e1cf40037bcd58063eee383a9ec1e545103d8098540f846ee01

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.akira
    Filesize: 12KB
    MD5: 23c4b03984872611ebf6880fa071f840
    SHA1: e925a6e6a684eba133d1a69acb417e958a426e5a
    SHA256: 7e23ef660c70bf20feedc3426e7ce18810f45e8abe47a5b89b352d7c5899d7ea
    SHA512: 0b06827c60b274ec531e645e4eededd924e98fcd94722d10802f894ff14a07ba2e3b9287740a95097df62866ce5bbcd664cc12e540af47b01dcb16176bd7dd9f

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.akira
    Filesize: 9KB
    MD5: 3b084ddf3e348b8bbe3c3dfc5e204931
    SHA1: b5a9a10831892da14e6674d3e3e49374f88a3216
    SHA256: 85dd248f383629ec6debdce6e972169057e8d988b0d8954e51ae3097ab45f9c3
    SHA512: fde8fe95876ec6fd4568a2e674c027ae2ae3b089176e1509c8421f4fbdd9d78c6d69eb24ef7586e1f0938ba5265e67e8c3128745fae619ddc490a18ee65868c2

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.akira
    Filesize: 8KB
    MD5: 8621ff1e245bb9a1b11bc73bca8750d3
    SHA1: 851b8039927215b30da150af51169657e54f81cc
    SHA256: 8287d822629b07862cee7fc3626affdfc1f2241716d94fa25fa72d26f6c323c4
    SHA512: 5225a190a230d9b9cd408f1f06f43b3cfd1a8fe07bf7a396b2c11a9097196582793918eb213e716b8fe78bdcc8bf7643fdc325630564e8ebf9766ee85320ae42

  • C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.akira
    Filesize: 831KB
    MD5: b92b5b6aa5aee1ee43ec70e8720136fd
    SHA1: 3255761ce089e33a9ac38ebd83c2d207dce4bdda
    SHA256: 0f0502946966da884fce6752713b8f8305202469ba439c7c0e3decedc3949524
    SHA512: 00d577d24a9d11078b4944702c944a9cfa57f06db9555896d4d47afde51c5aca1de623b285feb1d36fbf14fd21fb8df71c7827862e40e7f64ae908a7247ffb88

  • C:\Program Files\akira_readme.txt
    Filesize: 2KB
    MD5: a561d1700a57e4963efaabfcc181db8e
    SHA1: 087d67f93165893562cafbe17708f0a6b10b9ea3
    SHA256: f03b00913b35c006a8709060c9be4b8e28946abecc0bb14df0e2df4bc2c45a94
    SHA512: 75f2d29c2f86219b722761122c4dcd59db23893e6a0449eec22e62d5cfa8eb62d0099c4ff8b74bad26028d72643f8477af619740ffd0c03ee9f592464ccbdc45

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.akira
    Filesize: 28KB
    MD5: 1acaa0359880d44697f782eb571a79c3
    SHA1: b431239fcbb7ad9fb99becf808044db0c492a4d8
    SHA256: a91d003f85986c3009e85081b4185711e0441425108b58fcccbd98825af9b010
    SHA512: f7a1f30fb09fcabb609c18cb37280ddd943b557a8b9e347d7ed790c920b7c36e2b6e099079f6bbbdedc3008448ec4cc355e5a1e0e6c118620d15153f22009c8f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.akira
    Filesize: 48KB
    MD5: fb5b0b9e5ea7ca1f469a118e1a612880
    SHA1: f43988f3dcbaf5217853548270e942a602aafbe9
    SHA256: 4f6130e4800192797ae7aaf8dc1bf93117dde277edeb2dbeda398f5e7bff4738
    SHA512: 65928d9f7384449e38edc2830b592f955710d3beabec6aa715035fdebd5bc765f323925e9bd1f82c7db64a323dc8c1f878211c56bcfe0b3e9c0ba17d91636f36

  • memory/1940-4-0x000007FEF5C1E000-0x000007FEF5C1F000-memory.dmp
    Filesize: 4KB
  • memory/1940-9-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp
    Filesize: 9.6MB
  • memory/1940-8-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp
    Filesize: 9.6MB
  • memory/1940-7-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp
    Filesize: 9.6MB
  • memory/1940-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
    Filesize: 32KB
  • memory/1940-5-0x000000001B7A0000-0x000000001BA82000-memory.dmp
    Filesize: 2.9MB