4a9d815f284adda187982e2b24da2beaad860739bc4b4cb1cf26408e7c221dd6

Analysis

max time kernel
145s
max time network
164s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
07-03-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

capcut_capcutpc_0_1.2.6_installer.exe
Size

2.2MB
MD5

c91e097550ea6ccedf592d8b83414e0d
SHA1

021f3f26d86f98af28dc987baad8714f64867207
SHA256

4a9d815f284adda187982e2b24da2beaad860739bc4b4cb1cf26408e7c221dd6
SHA512

916898c9850ddfcd2c11da7421eeffc4d48406d9ad4787a4dc572ec17a81a39edd30733aa8cccde8b31450ff8031e3da68be019a8a0eff50c0a17ed4fa0aa3c9
SSDEEP

49152:uGVKq6wrr98ArcTTuVMZCC8GYCNbFLg3dlXI5x8oaigMv3Dh:uGVLprJ8ArnVMZCUPFcNlXID8en1

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

app_package_613538d2f9.exe

pid process

4600 app_package_613538d2f9.exe

pid	process
4600	app_package_613538d2f9.exe

Loads dropped DLL 5 IoCs

Processes:

capcut_capcutpc_0_1.2.6_installer.exeapp_package_613538d2f9.exe

pid	process
452	capcut_capcutpc_0_1.2.6_installer.exe
452	capcut_capcutpc_0_1.2.6_installer.exe
452	capcut_capcutpc_0_1.2.6_installer.exe
452	capcut_capcutpc_0_1.2.6_installer.exe
4600	app_package_613538d2f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

capcut_capcutpc_0_1.2.6_installer.exeapp_package_613538d2f9.exe

pid	process
452	capcut_capcutpc_0_1.2.6_installer.exe
452	capcut_capcutpc_0_1.2.6_installer.exe
4600	app_package_613538d2f9.exe
4600	app_package_613538d2f9.exe
4600	app_package_613538d2f9.exe
4600	app_package_613538d2f9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

app_package_613538d2f9.exe

description pid process

Token: SeDebugPrivilege 4600 app_package_613538d2f9.exe

description	pid	process
Token: SeDebugPrivilege	4600	app_package_613538d2f9.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

capcut_capcutpc_0_1.2.6_installer.exe

description	pid	process	target process
PID 452 wrote to memory of 4600	452	capcut_capcutpc_0_1.2.6_installer.exe	app_package_613538d2f9.exe
PID 452 wrote to memory of 4600	452	capcut_capcutpc_0_1.2.6_installer.exe	app_package_613538d2f9.exe
PID 452 wrote to memory of 4600	452	capcut_capcutpc_0_1.2.6_installer.exe	app_package_613538d2f9.exe

C:\Users\Admin\AppData\Local\Temp\capcut_capcutpc_0_1.2.6_installer.exe
"C:\Users\Admin\AppData\Local\Temp\capcut_capcutpc_0_1.2.6_installer.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\app_shell_cache_562354\app_package_613538d2f9.exe
"C:\Users\Admin\AppData\Local\app_shell_cache_562354\app_package_613538d2f9.exe" /s /create_desktop=1 /install_path="C:\Users\Admin\AppData\Local\CapCut\Apps"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CapCut\Apps\202437175807309_1\JYPacket\3.5.0.1268\Resources\image_h5_material_publish\static\css\publish-video.efdeb61f.css
Filesize
10KB

MD5
348a4ed657cc7bb4484bf829f633bfc8

SHA1
5f5f0e3004ada5cb7456c4816e37e1b8573f9e8e

SHA256
f8a1929af639b5381308c1bbef8f76bc1b77132b56f4bca6b1bf7d5cbdfaeaf5

SHA512
e4e05331b72a3e975ca5cf880fd024d64f5df8c9015adca1f4d0c00846b0cf6a9b984060ec7cf7906c5767dc6af4444c06f207f417c09805c76aee3d175f4fdb

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202437175807309_1\JYPacket\3.5.0.1268\Resources\image_h5_material_publish\static\js\publish-video.b44e3ef4.js
Filesize
39KB

MD5
e62694090b717e30db3c52fb009fcb9f

SHA1
34248e23e125d1bce1569ec9c589a9742b0ebb3d

SHA256
08488558209a47221955af71831367b2ce99a80bdc4d63c839ad17775fb35b3f

SHA512
44f2fc964c2644c873febf1eabf95dfe50d3403950d7b3954b2d015db9811d5daf45ab11a92038a781fa9a9b85573954099966e49fc05c049d508e4e2955ab65

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9DDA433-AA83-40F3-BEA5-93BAD32DD698\7zip.dll
Filesize
751KB

MD5
2d97c2e0353cb0c63212ecacd326bb17

SHA1
53ac7d8a0f19314158a2e74f3d6f0d17103c1d37

SHA256
fe604c8747171a85f883b08fcaf32a64d59ff7c7ed89e862ad252d366ab66368

SHA512
392fce704b17aa367c6c8a09ccdf7505242aaed552a1772e14b828754d01ea3d1e7eef8936067fb87c7dec645783e80ace16aba8e342501ab09964d0363eefff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8454.tmp\BgWorker.dll
Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8454.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8454.tmp\downloader_nsis_plugin.dll
Filesize
1.2MB

MD5
f181413906a465fd0dd68cc4a3d98803

SHA1
5aa28be48047dd0b672ab98d5e7cbd8260486b4b

SHA256
e28ff7b8fc4b1eb2d1f394ce15de2fc031cda58db645038c8c07581c31e79dda

SHA512
8d0116bcbc3938b2ebdddf77dec87e4b6c872382d20b555571b0bc3e4a35f88d16bc450004f875a8271165b71bdbae5d4d474a5bfda4c7787da63f4325009c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8454.tmp\shell_downloader.dll
Filesize
2.3MB

MD5
c052c0a2ed833d924b7799625413ac1c

SHA1
bdd08a29f4de283ba0eb3cda4abc26f6e85d4d5e

SHA256
098972cf9ddc9d574130e025a252a99b278de9cc0ae700acfb8c935c24eb1172

SHA512
89e67c29d5d8a401a70a5b572844f24bfde82d5d4259ecc5e6f12be0ddb434995a2e985914fc421973998e3fdc48b133e269e8bb1da513ec66199f01060162f1

Download Submit
C:\Users\Admin\AppData\Local\app_shell_cache_562354\app_package_613538d2f9.exe
Filesize
41.7MB

MD5
3b2ac907fc241c93749a3b558753e11a

SHA1
e04c6c13ce5218c83a5b4a13f3ea21ce996e6d28

SHA256
a6013d758788c29f8038351a25e576eca2804a179b8e01dbecd18919065e5848

SHA512
e2e146a188b188278460ae7b73b1be7e7deb9604977eada22029694504921ecf90bd26ac688849c3f18d13bd18257b48dfc82ae9d7f261be83e91f482dd89c2e

Download Submit
C:\Users\Admin\AppData\Local\app_shell_cache_562354\app_package_613538d2f9.exe
Filesize
4.1MB

MD5
5568f670ff28058913e00af6c39251c2

SHA1
a4c38525f99326f2994ca3853848a2356b343175

SHA256
6fdfcfae75c814b1c0bea82167c20f5311eff501137476c4a7a845d30c826aec

SHA512
d424c43cb4ab3c501a1c21355ad498c463867b00db26734cea312051f6bf9f7bf48026135cba92fd256e7d2fe2f35d70791c1cad8d109c6b62acecf6ec04650a

Download Submit