65a15af7f6a66238ed04ca56f50114a42ce826d82aceecabf73acffe1becaf04

Analysis

max time kernel
1134s
max time network
1162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 19:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Topaz_Video_AI_3.4.3.exe
Size

406.4MB
MD5

00d3bb3e5a8c127a079b8976c6eb7844
SHA1

e4367d2275b8b37ad1c4f559df7a0878a10280e9
SHA256

65a15af7f6a66238ed04ca56f50114a42ce826d82aceecabf73acffe1becaf04
SHA512

260117149b614923d8e6cd5b2c0bccbc65036676c040459d2392ce3286d51ed89f1af3f311aed17a18649c3a94a4b958c52dbb2c834ec852aaf44001370fdf78
SSDEEP

6291456:o01j2RF9R7ogkthaeWqK1Bs1mbDyyxPV+5wt81GgidZF/iPQ7pqSX5gvQh6isJ2:oO6dahL6SobDJ+St0iAYFqSXDb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	Topaz_Video_AI_3.4.3.exe

Loads dropped DLL 1 IoCs

pid	Process
2548	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	Topaz_Video_AI_3.4.3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	404	msiexec.exe
Token: SeIncreaseQuotaPrivilege	404	msiexec.exe
Token: SeSecurityPrivilege	1436	msiexec.exe
Token: SeCreateTokenPrivilege	404	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	404	msiexec.exe
Token: SeLockMemoryPrivilege	404	msiexec.exe
Token: SeIncreaseQuotaPrivilege	404	msiexec.exe
Token: SeMachineAccountPrivilege	404	msiexec.exe
Token: SeTcbPrivilege	404	msiexec.exe
Token: SeSecurityPrivilege	404	msiexec.exe
Token: SeTakeOwnershipPrivilege	404	msiexec.exe
Token: SeLoadDriverPrivilege	404	msiexec.exe
Token: SeSystemProfilePrivilege	404	msiexec.exe
Token: SeSystemtimePrivilege	404	msiexec.exe
Token: SeProfSingleProcessPrivilege	404	msiexec.exe
Token: SeIncBasePriorityPrivilege	404	msiexec.exe
Token: SeCreatePagefilePrivilege	404	msiexec.exe
Token: SeCreatePermanentPrivilege	404	msiexec.exe
Token: SeBackupPrivilege	404	msiexec.exe
Token: SeRestorePrivilege	404	msiexec.exe
Token: SeShutdownPrivilege	404	msiexec.exe
Token: SeDebugPrivilege	404	msiexec.exe
Token: SeAuditPrivilege	404	msiexec.exe
Token: SeSystemEnvironmentPrivilege	404	msiexec.exe
Token: SeChangeNotifyPrivilege	404	msiexec.exe
Token: SeRemoteShutdownPrivilege	404	msiexec.exe
Token: SeUndockPrivilege	404	msiexec.exe
Token: SeSyncAgentPrivilege	404	msiexec.exe
Token: SeEnableDelegationPrivilege	404	msiexec.exe
Token: SeManageVolumePrivilege	404	msiexec.exe
Token: SeImpersonatePrivilege	404	msiexec.exe
Token: SeCreateGlobalPrivilege	404	msiexec.exe
Token: SeCreateTokenPrivilege	404	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	404	msiexec.exe
Token: SeLockMemoryPrivilege	404	msiexec.exe
Token: SeIncreaseQuotaPrivilege	404	msiexec.exe
Token: SeMachineAccountPrivilege	404	msiexec.exe
Token: SeTcbPrivilege	404	msiexec.exe
Token: SeSecurityPrivilege	404	msiexec.exe
Token: SeTakeOwnershipPrivilege	404	msiexec.exe
Token: SeLoadDriverPrivilege	404	msiexec.exe
Token: SeSystemProfilePrivilege	404	msiexec.exe
Token: SeSystemtimePrivilege	404	msiexec.exe
Token: SeProfSingleProcessPrivilege	404	msiexec.exe
Token: SeIncBasePriorityPrivilege	404	msiexec.exe
Token: SeCreatePagefilePrivilege	404	msiexec.exe
Token: SeCreatePermanentPrivilege	404	msiexec.exe
Token: SeBackupPrivilege	404	msiexec.exe
Token: SeRestorePrivilege	404	msiexec.exe
Token: SeShutdownPrivilege	404	msiexec.exe
Token: SeDebugPrivilege	404	msiexec.exe
Token: SeAuditPrivilege	404	msiexec.exe
Token: SeSystemEnvironmentPrivilege	404	msiexec.exe
Token: SeChangeNotifyPrivilege	404	msiexec.exe
Token: SeRemoteShutdownPrivilege	404	msiexec.exe
Token: SeUndockPrivilege	404	msiexec.exe
Token: SeSyncAgentPrivilege	404	msiexec.exe
Token: SeEnableDelegationPrivilege	404	msiexec.exe
Token: SeManageVolumePrivilege	404	msiexec.exe
Token: SeImpersonatePrivilege	404	msiexec.exe
Token: SeCreateGlobalPrivilege	404	msiexec.exe
Token: SeCreateTokenPrivilege	404	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	404	msiexec.exe
Token: SeLockMemoryPrivilege	404	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
404	msiexec.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 404	2372	Topaz_Video_AI_3.4.3.exe	96
PID 2372 wrote to memory of 404	2372	Topaz_Video_AI_3.4.3.exe	96
PID 1436 wrote to memory of 2548	1436	msiexec.exe	99
PID 1436 wrote to memory of 2548	1436	msiexec.exe	99

C:\Users\Admin\AppData\Local\Temp\Topaz_Video_AI_3.4.3.exe
"C:\Users\Admin\AppData\Local\Temp\Topaz_Video_AI_3.4.3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\TopazVideoAI.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:404

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding BCB8C4F1667EB4DF3917DCD4C254E9F7 C
  2⤵
  - Loads dropped DLL
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI5743.tmp

Filesize
1.0MB

MD5
f1259d876672581f45669fb816a09991

SHA1
fe8025d7fb369fc2db2061a7b2b73652cb8a634b

SHA256
e527f37b4b30183fcf33430e16d4d349c0b8be16db84262300ddd0879107c0ce

SHA512
b134d6f94846f731c8db1f06cf7e1ca911bbffc3790f14a057ab5c08f0911a768f2f0f922cbb61c13b5fe45acd70ed4d0eaee8a13563bcbc8a22991777d4e0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PFiles\Topaz Labs LLC\Topaz Video AI\QtQuick\Controls\Universal\ScrollView.qml

Filesize
2KB

MD5
f1e2efb116676f2be55544728a2c801d

SHA1
911007385286892ec1577383d50753614904fff1

SHA256
4b3d36eff8e5e2c8b50b876d5b4c426dd966d7b820412bd4e56d09c1ad17f663

SHA512
f2f0cdc1095dfeeae1c2a4b379c6f09f7a8c1b6f2ce1503cadd5558b2e24ee0f1ae4ad97bdf5d1f8c34954278a00461159e59b2bdca26a413c03e8616dd4da74

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PFiles\Topaz Labs LLC\Topaz Video AI\QtQuick\Controls\Windows\plugins.qmltypes

Filesize
215B

MD5
2006d4b7d0da455aa4c7414653c0018a

SHA1
6685b8360b97799aa4d6b18789bf84a343e9e891

SHA256
a96c7bf5832767bdc9d91e2290a3920aec3abfbf2e3814bce38b49483f16f84a

SHA512
703804e6fab0cf44317b7292c547a1348e2e7395e4b71367c32c3b097bcfb3344d3296179bf4ba33a4c752ae58a3873af57d8cdef35a34564205356bb4e6fd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Topaz Labs LLC\Topaz Video AI\models\ahq-11.json

Filesize
18KB

MD5
50177b134dd358cbeaf3cb6f8c0f8ef1

SHA1
765b863c0997f8107642eb5a3d938751c3be3c0f

SHA256
9cb77a23b83090d84fcc24c913ae43750af2b2a7ed507e942938d5d64f0fa139

SHA512
afd7154a8c5312201fdbd5513cd9d3c0f8c54ba7860f3988124a9112ff951ab4b2ae017c8b6f9b73ad2d1fd70b009f531f4818411d650f9b8f9caadafe6ac099

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Topaz Labs LLC\Topaz Video AI\models\alq-13.json

Filesize
17KB

MD5
f9b623d7c730da4094135d912a1de0ee

SHA1
77340190f766d33f56f3cabed07812d66dd76c17

SHA256
47c35bf6f06f9dd9c1d5891fd644a6f429b75d53573b2ba446904ed9bc7cb50f

SHA512
58aeee6b9b7d0e4ab6c522674c047436fe0b02ae42707db9840fdcefa95d6209b01fdf1446c7179db70bd5f50a7f9ea1596848de17dbfb90ab13744fc54380ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Topaz Labs LLC\Topaz Video AI\models\amqs-2.json

Filesize
17KB

MD5
a48a5e8159cd5107bdbc416f2ffadcb0

SHA1
21d76c2b90bcf8d024e5e75dca8c74c40532ba43

SHA256
9421b54479b00c7e92f57cc10682888338d51605e9f468b98406bccb90377a81

SHA512
e33ffa08f3b99d477d01dba899062194c193c8be7c52583c2734f38f2db030eb90f5a9c35c25d72b99a06062e81d38e50058d59848e27098eae4b78cdf1ae6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Topaz Labs LLC\Topaz Video AI\models\apo-7.json

Filesize
7KB

MD5
8f09741fe94fb56985e2c4ab29765ac7

SHA1
d2c00d99b5a3bac2e20d753ffb22eb060accb05c

SHA256
ffd2aa0d3b7f79af0eca1466a6706bd3a48464e044c58be9017cb25bf274c5e2

SHA512
75e2bcff478741479b5e659a3c7d28aad9d5e1aea6e8bf10dc586bebf1bce658d154778335c48a5aa73bab13b467e9b4aab26accef11b283f327f42197b81b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\TopazVideoAI.msi

Filesize
3.0MB

MD5
52ee1538e4227f64c99812f3e139df88

SHA1
dc39887feecf012a539136e34f83744e81d86f5d

SHA256
689b3c5a1417322f3f4b5f6bb6f347fe722f7a2c913ff8a5e34f66d02ca5ce67

SHA512
f78e85bfb544a00c1e5baa1e06ce58e33393a554450f4f607d40eae76505fe9e2e528cd2782a8c3f6cf3258f4447ad270e694c909eecd19984f2d98299344d9b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads