4a9d815f284adda187982e2b24da2beaad860739bc4b4cb1cf26408e7c221dd6

Analysis

max time kernel
296s
max time network
289s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22-03-2024 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CapCut_7267140873131950085_installer.exe
Size

2.2MB
MD5

c91e097550ea6ccedf592d8b83414e0d
SHA1

021f3f26d86f98af28dc987baad8714f64867207
SHA256

4a9d815f284adda187982e2b24da2beaad860739bc4b4cb1cf26408e7c221dd6
SHA512

916898c9850ddfcd2c11da7421eeffc4d48406d9ad4787a4dc572ec17a81a39edd30733aa8cccde8b31450ff8031e3da68be019a8a0eff50c0a17ed4fa0aa3c9
SSDEEP

49152:uGVKq6wrr98ArcTTuVMZCC8GYCNbFLg3dlXI5x8oaigMv3Dh:uGVLprJ8ArnVMZCUPFcNlXID8en1

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

app_package_613538d2f9.exe

pid process

3060 app_package_613538d2f9.exe

pid	process
3060	app_package_613538d2f9.exe

Loads dropped DLL 5 IoCs

Processes:

CapCut_7267140873131950085_installer.exeapp_package_613538d2f9.exe

pid	process
3324	CapCut_7267140873131950085_installer.exe
3324	CapCut_7267140873131950085_installer.exe
3324	CapCut_7267140873131950085_installer.exe
3324	CapCut_7267140873131950085_installer.exe
3060	app_package_613538d2f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

CapCut_7267140873131950085_installer.exeapp_package_613538d2f9.exe

pid	process
3324	CapCut_7267140873131950085_installer.exe
3324	CapCut_7267140873131950085_installer.exe
3060	app_package_613538d2f9.exe
3060	app_package_613538d2f9.exe
3060	app_package_613538d2f9.exe
3060	app_package_613538d2f9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

app_package_613538d2f9.exe

description pid process

Token: SeDebugPrivilege 3060 app_package_613538d2f9.exe

description	pid	process
Token: SeDebugPrivilege	3060	app_package_613538d2f9.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

CapCut_7267140873131950085_installer.exe

description	pid	process	target process
PID 3324 wrote to memory of 3060	3324	CapCut_7267140873131950085_installer.exe	app_package_613538d2f9.exe
PID 3324 wrote to memory of 3060	3324	CapCut_7267140873131950085_installer.exe	app_package_613538d2f9.exe
PID 3324 wrote to memory of 3060	3324	CapCut_7267140873131950085_installer.exe	app_package_613538d2f9.exe

C:\Users\Admin\AppData\Local\Temp\CapCut_7267140873131950085_installer.exe
"C:\Users\Admin\AppData\Local\Temp\CapCut_7267140873131950085_installer.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\app_shell_cache_562354\app_package_613538d2f9.exe
"C:\Users\Admin\AppData\Local\app_shell_cache_562354\app_package_613538d2f9.exe" /s /create_desktop=1 /install_path="C:\Users\Admin\AppData\Local\CapCut\Apps"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CapCut\Apps\2024322083136789_1\JYPacket\3.5.0.1268\Resources\image_h5_material_publish\static\css\publish-video.efdeb61f.css

Filesize
10KB

MD5
348a4ed657cc7bb4484bf829f633bfc8

SHA1
5f5f0e3004ada5cb7456c4816e37e1b8573f9e8e

SHA256
f8a1929af639b5381308c1bbef8f76bc1b77132b56f4bca6b1bf7d5cbdfaeaf5

SHA512
e4e05331b72a3e975ca5cf880fd024d64f5df8c9015adca1f4d0c00846b0cf6a9b984060ec7cf7906c5767dc6af4444c06f207f417c09805c76aee3d175f4fdb

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\2024322083136789_1\JYPacket\3.5.0.1268\Resources\image_h5_material_publish\static\js\publish-video.b44e3ef4.js

Filesize
39KB

MD5
e62694090b717e30db3c52fb009fcb9f

SHA1
34248e23e125d1bce1569ec9c589a9742b0ebb3d

SHA256
08488558209a47221955af71831367b2ce99a80bdc4d63c839ad17775fb35b3f

SHA512
44f2fc964c2644c873febf1eabf95dfe50d3403950d7b3954b2d015db9811d5daf45ab11a92038a781fa9a9b85573954099966e49fc05c049d508e4e2955ab65

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9DDA433-AA83-40F3-BEA5-93BAD32DD698\7zip.dll

Filesize
751KB

MD5
2d97c2e0353cb0c63212ecacd326bb17

SHA1
53ac7d8a0f19314158a2e74f3d6f0d17103c1d37

SHA256
fe604c8747171a85f883b08fcaf32a64d59ff7c7ed89e862ad252d366ab66368

SHA512
392fce704b17aa367c6c8a09ccdf7505242aaed552a1772e14b828754d01ea3d1e7eef8936067fb87c7dec645783e80ace16aba8e342501ab09964d0363eefff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv7B2C.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv7B2C.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv7B2C.tmp\downloader_nsis_plugin.dll

Filesize
1.2MB

MD5
f181413906a465fd0dd68cc4a3d98803

SHA1
5aa28be48047dd0b672ab98d5e7cbd8260486b4b

SHA256
e28ff7b8fc4b1eb2d1f394ce15de2fc031cda58db645038c8c07581c31e79dda

SHA512
8d0116bcbc3938b2ebdddf77dec87e4b6c872382d20b555571b0bc3e4a35f88d16bc450004f875a8271165b71bdbae5d4d474a5bfda4c7787da63f4325009c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv7B2C.tmp\shell_downloader.dll

Filesize
2.3MB

MD5
c052c0a2ed833d924b7799625413ac1c

SHA1
bdd08a29f4de283ba0eb3cda4abc26f6e85d4d5e

SHA256
098972cf9ddc9d574130e025a252a99b278de9cc0ae700acfb8c935c24eb1172

SHA512
89e67c29d5d8a401a70a5b572844f24bfde82d5d4259ecc5e6f12be0ddb434995a2e985914fc421973998e3fdc48b133e269e8bb1da513ec66199f01060162f1

Download Submit
C:\Users\Admin\AppData\Local\app_shell_cache_562354\app_package_613538d2f9.exe

Filesize
5.9MB

MD5
d5cdec2685028cf0533f91e65def443e

SHA1
c6d5eb60e430ab679b9830c2cabb52b4711daa5c

SHA256
8c5787d530ac6b4244de20be2770ffd7df9ed14924888faa98ec86f775c9ddc0

SHA512
f82cd892e35ade0cbd158e6783ecb049450e8305428ab3895066b96de8b34835c758f4f3b74406b145692f6c83afc1ebe67aa18f4df98b80509cb4a17734330a

Download Submit
C:\Users\Admin\AppData\Local\app_shell_cache_562354\app_package_613538d2f9.exe

Filesize
7.3MB

MD5
36d1463a6577326c9385808a4c2cd151

SHA1
457fb059c43c34b9ecb167acc0a1ea35433525c6

SHA256
8aa9ab5646b0c564fa33c1771e86586cbca47d4567c5658c8c6399cbf434be5d

SHA512
486abd7b6f9f5284bf1c1f92e575095f633b16194f65360b61ef812b9843fadc32f9271875a99ed239ac0e331cc387443b0d405f7a3b1003ed09eec88ed350e3

Download Submit
C:\Users\Admin\AppData\Local\app_shell_cache_562354\app_package_613538d2f9.exe

Filesize
4.3MB

MD5
003da047b7c81161c92af1a090ed7be6

SHA1
0caeb4d683b470db42d8fc9799e7c96959e254df

SHA256
989d07fa50016b7b8e578952cc55905cee90d0e2d62af2c1305815c2d19eeccf

SHA512
c05f734c43970dcefecfb7a6dacc448c35f6871f6f43d64cdda678949ae733f00f1a58d23295546fc14656225628e758394b3b9bccfd66312fef89a4b91b7fa0

Download Submit