39f2614e343b7a2f507e71ab706ab6d83f5016401598d6464f43a38065947f6d

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Open AI Sora Vesion 5.42.exe
Size

896.9MB
MD5

e459920c9c583292d687f573200108d0
SHA1

1f0ead1c05d0bf0f72baf949afd1b0b87405f483
SHA256

710c89053b82419e706e9b2798c1870aa1960f9bcff3478c02081d7f977a891a
SHA512

3093a89587e0fe0e9e1f7e7f3fced0fdc1d9c7dd98b9484cfbfaabbca1049e94a01aad5628def96a567caec97782ab0804c1b4b2feb5e3c752a1a49343e713ab
SSDEEP

1572864:FHMlnmXXHfarJ2MH6rd07/eGpQvyLxCi70QzyhpPc2qfF4SagVnhqODQA86:NInmXXHfatH6dg/eiZzwJgFo

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	Chrome Service.exe

Loads dropped DLL 1 IoCs

pid	Process
2712	Open AI Sora Vesion 5.42.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe"	Open AI Sora Vesion 5.42.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
3	ipinfo.io

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Open AI Sora Vesion 5.42.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Open AI Sora Vesion 5.42.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
272	powershell.exe
272	powershell.exe
2280	powershell.exe
2280	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 272	2712	Open AI Sora Vesion 5.42.exe	31
PID 2712 wrote to memory of 272	2712	Open AI Sora Vesion 5.42.exe	31
PID 2712 wrote to memory of 272	2712	Open AI Sora Vesion 5.42.exe	31
PID 2712 wrote to memory of 272	2712	Open AI Sora Vesion 5.42.exe	31
PID 2712 wrote to memory of 2280	2712	Open AI Sora Vesion 5.42.exe	33
PID 2712 wrote to memory of 2280	2712	Open AI Sora Vesion 5.42.exe	33
PID 2712 wrote to memory of 2280	2712	Open AI Sora Vesion 5.42.exe	33
PID 2712 wrote to memory of 2280	2712	Open AI Sora Vesion 5.42.exe	33
PID 2712 wrote to memory of 2032	2712	Open AI Sora Vesion 5.42.exe	35
PID 2712 wrote to memory of 2032	2712	Open AI Sora Vesion 5.42.exe	35
PID 2712 wrote to memory of 2032	2712	Open AI Sora Vesion 5.42.exe	35
PID 2712 wrote to memory of 2032	2712	Open AI Sora Vesion 5.42.exe	35

C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe
"C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Stop-Process -Name "firefox"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:272
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Stop-Process -Name "firefox"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
  "C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"
  2⤵
  - Executes dropped EXE
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c64e6bd139b059a89b7891b71849a8a6

SHA1
1239693fc282a0af76d5bd6dd058d07bd2a006fc

SHA256
3d936475f1f61e16db2337ab1ebc87f64b75cf3a23359c3109bb2cce4bd7d361

SHA512
26432a86b464756742eca563f8e89c877f8e7192bcd219c5be308cfbc65b1fc8ab9057406e275028e33a19a9fe68933b2e6d3e6d1c672a8df068c41159be0923

Download Submit
memory/272-144-0x0000000073791000-0x0000000073792000-memory.dmp

Filesize
4KB

Download
memory/272-148-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download
memory/272-147-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download
memory/272-146-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download
memory/272-145-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-61-0x0000000006130000-0x0000000006142000-memory.dmp

Filesize
72KB

Download
memory/2712-48-0x0000000008EA0000-0x0000000008EF4000-memory.dmp

Filesize
336KB

Download
memory/2712-13-0x00000000028D0000-0x00000000028F8000-memory.dmp

Filesize
160KB

Download
memory/2712-21-0x0000000002B30000-0x0000000002B60000-memory.dmp

Filesize
192KB

Download
memory/2712-24-0x0000000002B30000-0x0000000002B60000-memory.dmp

Filesize
192KB

Download
memory/2712-20-0x0000000008F90000-0x000000000911E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-17-0x0000000008F90000-0x000000000911E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-25-0x0000000009480000-0x00000000097D6000-memory.dmp

Filesize
3.3MB

Download
memory/2712-28-0x0000000009480000-0x00000000097D6000-memory.dmp

Filesize
3.3MB

Download
memory/2712-33-0x0000000002C50000-0x0000000002C65000-memory.dmp

Filesize
84KB

Download
memory/2712-60-0x00000000060F0000-0x000000000612C000-memory.dmp

Filesize
240KB

Download
memory/2712-64-0x0000000006130000-0x0000000006142000-memory.dmp

Filesize
72KB

Download
memory/2712-1-0x0000000006A20000-0x00000000073A9000-memory.dmp

Filesize
9.5MB

Download
memory/2712-57-0x00000000060F0000-0x000000000612C000-memory.dmp

Filesize
240KB

Download
memory/2712-56-0x0000000008F00000-0x0000000008F7A000-memory.dmp

Filesize
488KB

Download
memory/2712-52-0x00000000091D0000-0x0000000009266000-memory.dmp

Filesize
600KB

Download
memory/2712-49-0x00000000091D0000-0x0000000009266000-memory.dmp

Filesize
600KB

Download
memory/2712-16-0x00000000028D0000-0x00000000028F8000-memory.dmp

Filesize
160KB

Download
memory/2712-45-0x0000000008EA0000-0x0000000008EF4000-memory.dmp

Filesize
336KB

Download
memory/2712-44-0x0000000006170000-0x00000000061E5000-memory.dmp

Filesize
468KB

Download
memory/2712-41-0x0000000006170000-0x00000000061E5000-memory.dmp

Filesize
468KB

Download
memory/2712-40-0x0000000002C70000-0x0000000002C81000-memory.dmp

Filesize
68KB

Download
memory/2712-37-0x0000000002C70000-0x0000000002C81000-memory.dmp

Filesize
68KB

Download
memory/2712-36-0x0000000002C50000-0x0000000002C65000-memory.dmp

Filesize
84KB

Download
memory/2712-32-0x0000000008DF0000-0x0000000008E95000-memory.dmp

Filesize
660KB

Download
memory/2712-29-0x0000000008DF0000-0x0000000008E95000-memory.dmp

Filesize
660KB

Download
memory/2712-53-0x0000000008F00000-0x0000000008F7A000-memory.dmp

Filesize
488KB

Download
memory/2712-3-0x0000000006A20000-0x00000000073A9000-memory.dmp

Filesize
9.5MB

Download
memory/2712-4-0x0000000000574000-0x0000000000575000-memory.dmp

Filesize
4KB

Download
memory/2712-5-0x0000000005E10000-0x0000000005EB7000-memory.dmp

Filesize
668KB

Download
memory/2712-8-0x0000000005E10000-0x0000000005EB7000-memory.dmp

Filesize
668KB

Download
memory/2712-9-0x0000000002830000-0x000000000284D000-memory.dmp

Filesize
116KB

Download
memory/2712-12-0x0000000002830000-0x000000000284D000-memory.dmp

Filesize
116KB

Download