Analysis Report Akhirah Technologies Inc. Qakbot (2)

Overview

General Information

Sample Name: Akhirah Technologies Inc. Qakbot (2) (renamed file extension from Qakbot (2) to exe)
Analysis ID: 278341
MD5: a24a144da3f27d0060cb8961dc9169dd
SHA1: 79cb3718548421d6880fda8722ce44d31da0cc8c
SHA256: f953b103ae09065e639890aa4e133f54ac9a2a5f5eb519d970b2b8d40d251626

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • Akhirah Technologies Inc.exe (PID: 6688 cmdline: 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' MD5: A24A144DA3F27D0060CB8961DC9169DD)
    • Akhirah Technologies Inc.exe (PID: 6716 cmdline: 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /C MD5: A24A144DA3F27D0060CB8961DC9169DD)
    • besos.exe (PID: 7044 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe MD5: A24A144DA3F27D0060CB8961DC9169DD)
      • besos.exe (PID: 5852 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe /C MD5: A24A144DA3F27D0060CB8961DC9169DD)
      • explorer.exe (PID: 1560 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
    • schtasks.exe (PID: 7104 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn picieuc /tr '\'C:\Users\user\Desktop\Akhirah Technologies Inc.exe\' /I picieuc' /SC ONCE /Z /ST 03:06 /ET 03:18 MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Akhirah Technologies Inc.exe (PID: 7144 cmdline: 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /I picieuc MD5: A24A144DA3F27D0060CB8961DC9169DD)
  • Akhirah Technologies Inc.exe (PID: 5380 cmdline: 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /I picieuc MD5: A24A144DA3F27D0060CB8961DC9169DD)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Akhirah Technologies Inc.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Avira: detection malicious, Label: TR/Crypt.Agent.kdzty
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Virustotal: Detection: 62%
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: Akhirah Technologies Inc.exe | Virustotal: Detection: 62%
Source: Akhirah Technologies Inc.exe | ReversingLabs: Detection: 75%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Akhirah Technologies Inc.exe | Joe Sandbox ML: detected
Source: 4.2.besos.exe.2310000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.Akhirah Technologies Inc.exe.2480000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.Akhirah Technologies Inc.exe.2310000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.Akhirah Technologies Inc.exe.1110000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.besos.exe.2310000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 24.2.Akhirah Technologies Inc.exe.1150000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BAAB48 strncpy,strncmp,QueryPerformanceFrequency,QueryPerformanceCounter,CryptAcquireContextA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BAF2B1 FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BB4D1F __WSAFDIsSet,recv,WSAGetLastError,closesocket
Source: Akhirah Technologies Inc.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Akhirah Technologies Inc.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Akhirah Technologies Inc.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Akhirah Technologies Inc.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Akhirah Technologies Inc.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: Akhirah Technologies Inc.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: Akhirah Technologies Inc.exe, 00000001.00000003.211461368.0000000002527000.00000004.00000040.sdmp, explorer.exe | String found in binary or memory: http://www.ip-adress.com
Source: Akhirah Technologies Inc.exe, 00000001.00000003.211461368.0000000002527000.00000004.00000040.sdmp, explorer.exe, 0000000B.00000002.461141641.0000000004BA0000.00000040.00000001.sdmp | String found in binary or memory: http://www.ip-adress.com?
Source: Akhirah Technologies Inc.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: besos.exe, 00000004.00000002.269314574.000000000097A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_004013AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 2_2_004013AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 4_2_004044DA NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,memcpy,lstrlenA,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,NtClose
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 4_2_004048A5 memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 4_2_004013AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_004013AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_004013AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_009513AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_009548A5 memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_009544DA NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,memcpy,lstrlenA,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,NtClose
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_004013AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_004050D4 GetLastError,lstrlenA,EqualSid,memset,memset,CreateProcessAsUserW,CloseHandle
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_00410010
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_004100F4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_004100B8
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_0041015D
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_00410178
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_00404D1C
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 2_2_00410010
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 2_2_004100F4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 2_2_004100B8
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 2_2_0041015D
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 2_2_00410178
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 2_2_00404D1C
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 4_2_0041000C
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 4_2_00410010
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 4_2_004100F4
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 4_2_004100B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 4_2_0041015D
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 4_2_00410178
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 4_2_00404D1C
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_00410010
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_004100F4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_004100B8
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_0041015D
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_00410178
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_00404D1C
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_00410010
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_004100F4
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_004100B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_0041015D
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_00410178
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_00404D1C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00954D1C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BAA4EA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BAA002
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BAD5ED
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BBB22F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BABA18
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BBAA0F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BB666E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BB57A6
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BAAFE8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BA9BE5
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BAB30D
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BB6374
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BB6F64
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_00410010
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_004100F4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_004100B8
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_0041015D
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_00410178
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_00404D1C
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: String function: 004020BC appears 44 times
Source: Akhirah Technologies Inc.exe | Static PE information: invalid certificate
Source: classification engine | Classification label: mal100.evad.winEXE@14/4@0/0
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_0040503F CreateToolhelp32Snapshot,memset,Process32First,CloseHandle,Process32Next,FindCloseChangeNotification
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_00407699 CoCreateInstance
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_00404096 FindResourceA,SizeofResource,LoadResource
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 2_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 4_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00951071 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Roouuh
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Mutant created: \Sessions\1\BaseNamedObjects\hydvgap
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{4B51853F-AA46-42B2-AE5E-C00DE858F865}
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{D6BB79AE-1669-4F75-932B-F781A0D506FC}
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{B03C8747-1698-4412-9D7C-2D6146F92C17}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\~besos.tmp
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: Akhirah Technologies Inc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Akhirah Technologies Inc.exe | Virustotal: Detection: 62%
Source: Akhirah Technologies Inc.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | File read: C:\Users\user\Desktop\Akhirah Technologies Inc.exe
Source: unknown | Process created: C:\Users\user\Desktop\Akhirah Technologies Inc.exe 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Akhirah Technologies Inc.exe 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /C
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn picieuc /tr '\'C:\Users\user\Desktop\Akhirah Technologies Inc.exe\' /I picieuc' /SC ONCE /Z /ST 03:06 /ET 03:18
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Akhirah Technologies Inc.exe 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /I picieuc
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe /C
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Users\user\Desktop\Akhirah Technologies Inc.exe 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /I picieuc
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Process created: C:\Users\user\Desktop\Akhirah Technologies Inc.exe 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /C
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn picieuc /tr '\'C:\Users\user\Desktop\Akhirah Technologies Inc.exe\' /I picieuc' /SC ONCE /Z /ST 03:06 /ET 03:18
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe /C
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: Akhirah Technologies Inc.exe | Static file information: File size 2804696 > 1048576
Source: Akhirah Technologies Inc.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2a8800

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Unpacked PE file: 1.2.Akhirah Technologies Inc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Unpacked PE file: 2.2.Akhirah Technologies Inc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Unpacked PE file: 4.2.besos.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Unpacked PE file: 7.2.Akhirah Technologies Inc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Unpacked PE file: 9.2.besos.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Unpacked PE file: 24.2.Akhirah Technologies Inc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Unpacked PE file: 1.2.Akhirah Technologies Inc.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Unpacked PE file: 2.2.Akhirah Technologies Inc.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Unpacked PE file: 4.2.besos.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Unpacked PE file: 7.2.Akhirah Technologies Inc.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Unpacked PE file: 9.2.besos.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Unpacked PE file: 24.2.Akhirah Technologies Inc.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_004051E1 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_02303BD0 push edx; ret 1_2_02303D5E
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_022D2C02 push eax; ret 1_2_022D2C31
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_02303A80 push edx; ret 1_2_02303A8B
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_022D18C0 push 00000018h; ret 1_2_022D18C4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_022D1589 push cs; ret 1_2_022D158A
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_01103BD0 push edx; ret 7_2_01103D5E
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_010D31A2 push eax; ret 7_2_010D31B4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_010D18C0 push 00000018h; ret 7_2_010D18C4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_010D4B33 push edi; ret 7_2_010D4B34
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_010D1589 push cs; ret 7_2_010D158A
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_010D2C02 push eax; ret 7_2_010D2C31
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_02303BD0 push edx; ret 9_2_02303D5E
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_022D4B33 push edi; ret 9_2_022D4B34
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_022D18C0 push 00000018h; ret 9_2_022D18C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_022D31A2 push eax; ret 9_2_022D31B4
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_022D2C02 push eax; ret 9_2_022D2C31
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_022D1589 push cs; ret 9_2_022D158A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BBEC66 push cs; iretd 11_2_04BBEC3A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BC105D push 0000006Ah; retf 11_2_04BC10CC
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BC105B push 0000006Ah; retf 11_2_04BC10CC
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BBEE16 push ebx; ret 11_2_04BBEE17
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BC0FF3 push 0000006Ah; retf 11_2_04BC10CC
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BC7733 push esp; ret 11_2_04BC7734
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BBEB64 push cs; iretd 11_2_04BBEC3A
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_01143BD0 push edx; ret 24_2_01143D5E
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_011131A2 push eax; ret 24_2_011131B4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_011118C0 push 00000018h; ret 24_2_011118C4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_01114B33 push edi; ret 24_2_01114B34
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_01111589 push cs; ret 24_2_0111158A
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_01112C02 push eax; ret 24_2_01112C31
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe
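The "changes PE section rights" entries above compare the section table of each dumped image with the on-disk one using a letter per protection bit. The decoder below, an added example written for this report and not the sandbox's own code, parses IMAGE_SECTION_HEADER characteristics into that notation and diffs two layouts. Both section tables are constructed inline with struct: the first mirrors the five sections listed for the on-disk file, the second the three sections of the unpacked image, so the diff shows what actually differs in this report (no changed rights, .rsrc and .reloc missing from the dump). A third constructed table shows the case the signature name describes, a .text section rewritten as writable so the unpacker can decrypt code in place. The report prints a read+write data section as "W"; this decoder keeps every flag explicit ("RW"), which is an assumption about the report's notation.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

# Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics  (40 bytes)
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def rights(characteristics):
    """Letters E/R/W for the protection bits set on one section."""
    letters = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(letter for bit, letter in letters if characteristics & bit)


def parse_section_table(blob, count):
    """[(name, characteristics)] from a raw section table of `count` headers."""
    out = []
    for i in range(count):
        fields = SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, fields[9]))
    return out


def describe(sections):
    """Render a layout in the report's style: '.text:ER;.rdata:R;...;'."""
    return ";".join(f"{name}:{rights(ch)}" for name, ch in sections) + ";"


def diff_sections(on_disk, dumped):
    """Rights that changed, sections that vanished, sections that appeared."""
    a, b = dict(on_disk), dict(dumped)
    return {
        "rights_changed": {n: (rights(a[n]), rights(b[n]))
                           for n in a if n in b and rights(a[n]) != rights(b[n])},
        "dropped": [n for n in a if n not in b],
        "added": [n for n in b if n not in a],
    }


def build_section_table(specs):
    """Constructed test input: pack (name, characteristics) pairs into headers.
    Sizes and offsets are placeholders; only the flags matter for this check."""
    return b"".join(
        SECTION_HEADER.pack(name.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                            0x1000, 0x400 * (i + 1), 0, 0, 0, 0, ch)
        for i, (name, ch) in enumerate(specs))


CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_R = IMAGE_SCN_MEM_READ
DATA_RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed layouts: the on-disk file (five sections, as listed above) and the
# dumped image (three sections), plus a self-modifying .text case for contrast.
ON_DISK = build_section_table([(".text", CODE_RX), (".rdata", DATA_R), (".data", DATA_RW),
                               (".rsrc", DATA_R), (".reloc", DATA_R)])
UNPACKED = build_section_table([(".text", CODE_RX), (".rdata", DATA_R), (".data", DATA_RW)])
SELF_MODIFYING = build_section_table([(".text", CODE_RX | IMAGE_SCN_MEM_WRITE),
                                      (".rdata", DATA_R), (".data", DATA_RW)])
```

Fed a real file, `parse_section_table` takes the bytes that follow the optional header (offset `e_lfanew + 24 + SizeOfOptionalHeader`) and `NumberOfSections` from the file header; for a memory dump the same headers are read from the process at the image base, which is how the two sides of the comparison are obtained.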

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn picieuc /tr '\'C:\Users\user\Desktop\Akhirah Technologies Inc.exe\' /I picieuc' /SC ONCE /Z /ST 03:06 /ET 03:18
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_00401071 StartServiceCtrlDispatcherA

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Memory written: PID: 1560 base: C3F380 value: E9 70 22 D1 FF
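The five bytes written into explorer.exe are an E9 rel32 near jump. Decoding them places the target at 0x9515F5, inside the 0x950000 region where the report lists the injected code in process 11 (11_2_00951071, 11_2_00953D67, 11_2_00956484 and so on), which is the same layout as the sample's 0x400000 image shifted by 0x550000; 0x9515F5 therefore corresponds to 0x4015F5 in the on-disk file, an address the function listing does not name. The decoder and the small hook scanner below are an added example written for this report, not code from the sandbox or the sample. The patch address and bytes come from the entry above; INJECTED_RANGE is an assumption derived from those 11_2_0095xxxx addresses, HOST_MODULE_RANGE is an assumption because the report does not say which module owns 0xC3F380, and the scanned code buffer is constructed.

```python
import struct

# From the 'Memory written' entry: explorer.exe (32-bit, SysWOW64), PID 1560.
PATCH_ADDR = 0xC3F380
PATCH_BYTES = bytes.fromhex("E9 70 22 D1 FF")

INJECTED_RANGE = (0x950000, 0x958000)    # assumption, from the 11_2_0095xxxx functions
ORIGINAL_IMAGE_BASE = 0x400000           # the sample's image base (1_2_00401071 etc.)
HOST_MODULE_RANGE = (0xC30000, 0xC50000) # assumption: the patched module is not named


def decode_rel_jmp(addr, patch):
    """Absolute target of an E9 rel32 near JMP located at addr.
    rel32 is signed, little-endian and relative to the next instruction (addr + 5)."""
    if len(patch) < 5 or patch[0] != 0xE9:
        raise ValueError("not an E9 rel32 JMP")
    (rel32,) = struct.unpack("<i", patch[1:5])
    return (addr + 5 + rel32) & 0xFFFFFFFF


def encode_rel_jmp(src, dst):
    """Inverse: the five bytes a hook installer writes at src to divert to dst."""
    rel32 = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel32)


def to_original_image(addr, injected_base=INJECTED_RANGE[0], image_base=ORIGINAL_IMAGE_BASE):
    """Map an address in the injected copy back to the on-disk sample (same layout, new base)."""
    return addr - injected_base + image_base


def scan_for_hooks(buf, buf_base, module_range):
    """(offset, target) for every E9 rel32 in buf whose target leaves the owning module.
    Run over the first bytes of a module's exported functions this finds inline
    hooks of exactly the kind recorded above."""
    lo, hi = module_range
    hits = []
    for off in range(len(buf) - 4):
        if buf[off] != 0xE9:
            continue
        target = decode_rel_jmp(buf_base + off, buf[off:off + 5])
        if not (lo <= target < hi):
            hits.append((off, target))
    return hits


# Constructed: a 1 KiB NOP-filled window of the host module around the patch,
# with one benign in-module jump at +0x100 and the observed patch at +0x380.
SAMPLE_BASE = 0xC3F000
_code = bytearray(b"\x90" * 0x400)
_code[0x100:0x105] = encode_rel_jmp(SAMPLE_BASE + 0x100, SAMPLE_BASE + 0x200)
_code[0x380:0x385] = PATCH_BYTES
SAMPLE_CODE = bytes(_code)
```

A jump whose target lies in a region that no loaded module owns is the signal to act on; legitimate detours (from EDR agents or application-compatibility shims) also rewrite prologues, but they land in a mapped DLL.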

Malware Analysis System Evasion:

Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_00403D67 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 2_2_00403D67 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 4_2_00403D67 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 7_2_00403D67 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe | Code function: 9_2_00403D67 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00953D67 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 24_2_00403D67 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Contains functionality to detect virtual machines (IN, VMware)
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_0040343D in eax, dx
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: besos.exe, 00000009.00000002.248721333.0000000002426000.00000004.00000040.sdmp | Binary or memory string: FIDDLER.EXE;SAMP1E.EXE;SAMPLE.EXE;RUNSAMPLE.EXE;LORDPE.EXE;REGSHOT.EXE;AUTORUNS.EXE;DSNIFF.EXE;VBOXTRAY.EXE;HASHMYFILES.EXE;PROCESSHACKER.EXE;PROCMON.EXE;PROCMON64.EXE;NETMON.EXE;VMTOOLSD.EXE;VM3DSERVICE.EXE;VGAUTHSERVICE.EXE;PR0C3XP.EXE;PROCESSHACKER.EXE;CFF EXPLORER.EXE;DUMPCAP.EXE;WIRESHARK.EXE;IDAQ.EXE;IDAQ64.EXE;TPAUTOCONNECT.EXE;RESOURCEHACKER.EXE;VMACTHLP.EXE;OLLYDBG.EXE;WINDBG.EXE;BDS-VISION-AGENT-NAI.EXE;BDS-VISION-APIS.EXE;BDS-VISION-AGENT-APP.EXE;MULTIANALYSIS_V1.0.294.EXE;X32DBG.EXE;VBOXTRAY.EXE;VBOXSERVICE.EXE;TCPVIEW.EXE
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_00403C24 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Module32First,StrStrIA,Module32Next,CloseHandle
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_0040356D SetupDiGetDeviceRegistryPropertyA,GetLastError
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 774
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe TID: 6692 | Thread sleep count: 114 > 30
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe TID: 6720 | Thread sleep count: 114 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe TID: 7048 | Thread sleep count: 115 > 30
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe TID: 7148 | Thread sleep count: 117 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe TID: 1748 | Thread sleep count: 117 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 6356 | Thread sleep time: -23220000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6356 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe TID: 5464 | Thread sleep count: 114 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BAF2B1 FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_004056D9 memset,GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,KiUserCallbackDispatcher,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,GetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA
Source: besos.exe, 00000009.00000002.248721333.0000000002426000.00000004.00000040.sdmp | Binary or memory string: Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;idaq.exe;idaq64.exe;TPAutoConnect.exe;ResourceHacker.exe;vmacthlp.exe;OLLYDBG.EXE;windbg.exe;bds-vision-agent-nai.exe;bds-vision-apis.exe;bds-vision-agent-app.exe;MultiAnalysis_v1.0.294.exe;x32dbg.exe;VBoxTray.exe;VBoxService.exe;Tcpview.exe
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00956484 SetLastError,GetLastError,GetCurrentThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_00403C24 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Module32First,StrStrIA,Module32Next,CloseHandle
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Code function: 1_2_004051E1 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_04BA98F3 GetProcessHeap,HeapAlloc
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe | Memory protected: page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe    Memory written: PID: 1560 base: C3F380 value: E9
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe    Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe    Memory written: C:\Windows\SysWOW64\explorer.exe base: C3F380
Source: C:\Windows\SysWOW64\explorer.exe    Code function: 11_2_04BB0B7B OpenProcessToken,CloseHandle,FindCloseChangeNotification
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe    Code function: 1_2_00401A5B EntryPoint,GetCommandLineW,VirtualAllocEx,HeapCreate,GetModuleHandleA,lstrcmpiW,CoInitializeEx,GetForegroundWindow,ShellExecuteW,Sleep,ExitProcess
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe    Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe    Code function: 1_2_00407DF6 AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,LocalFree,LocalFree,FreeSid,FreeSid
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe    Code function: 1_2_00407C58 GetModuleFileNameW,AllocateAndInitializeSid,EqualSid,FreeSid,FindCloseChangeNotification
Source: explorer.exe, 0000000B.00000002.461081918.0000000003690000.00000002.00000001.sdmp    Binary or memory string: Program Manager
Source: explorer.exe, 0000000B.00000002.461081918.0000000003690000.00000002.00000001.sdmp    Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000002.461081918.0000000003690000.00000002.00000001.sdmp    Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000002.461081918.0000000003690000.00000002.00000001.sdmp    Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe    Code function: 1_2_0040334B cpuid
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe    Code function: 1_2_0040356D SetupDiGetDeviceRegistryPropertyA,GetLastError
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe    Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe    Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe    Code function: 11_2_04BA3510 CreateNamedPipeA
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe    Code function: 1_2_00409277 memset,GetLocalTime,memset,GetLocalTime,DeleteFileW
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe    Code function: 1_2_00407F64 LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe    Code function: 1_2_004056D9 memset,GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,KiUserCallbackDispatcher,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,GetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA
Source: C:\Windows\SysWOW64\explorer.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Native API1 | Valid Accounts1 | Exploitation for Privilege Escalation1 | Disable or Modify Tools1 | Credential API Hooking1 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Windows Service3 | Valid Accounts1 | Deobfuscate/Decode Files or Information1 | Input Capture1 | Account Discovery1 | Remote Desktop Protocol | Credential API Hooking1 | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Service Execution2 | Scheduled Task/Job1 | Access Token Manipulation1 | Obfuscated Files or Information2 | Security Account Manager | File and Directory Discovery1 | SMB/Windows Admin Shares | Input Capture1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Windows Service3 | Software Packing21 | NTDS | System Information Discovery35 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Process Injection323 | Masquerading1 | LSA Secrets | Query Registry1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Scheduled Task/Job1 | Valid Accounts1 | Cached Domain Credentials | Security Software Discovery321 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion11 | DCSync | Virtualization/Sandbox Evasion11 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation1 | Proc Filesystem | Process Discovery3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection323 | /etc/passwd and /etc/shadow | Application Window Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 278341
Sample: Akhirah Technologies Inc.  ...
Startdate: 27/08/2020
Architecture: WINDOWS
Score: 100

Start
  Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Detected unpacking (changes PE section rights); 6 other signatures
  Started: Akhirah Technologies Inc.exe (three instances)
    Dropped: C:\Users\user\AppData\Roaming\...\besos.exe (PE32); C:\Users\user\...\besos.exe:Zone.Identifier (ASCII)
    Started: besos.exe; schtasks.exe; Akhirah Technologies Inc.exe
      besos.exe
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 7 other signatures
        Started: explorer.exe; besos.exe
          explorer.exe
            Signatures: Contains functionality to compare user and computer (likely to detect sandboxes)
      schtasks.exe
        Started: conhost.exe

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.