Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
24/07/2024, 10:39
General
-
Target
Open AI Sora Vesion 5.42.exe
-
Size
157.9MB
-
MD5
167af794837fe9de07ee83acdb74343e
-
SHA1
a3f718d502a0f9e8382d12da9704433b96ea53ed
-
SHA256
06c81d76f89cd374efcf4140b1f8239f30a89b1132608c3696e64199c9d9bd0c
-
SHA512
8e78779a4d43604e705335c45569137ddc0b8b5448d15c44c1bb0fae59c95457dfa896bb3671aec79a0082f104ffa61182453218f759669320b9cba909c0d588
-
SSDEEP
1572864:FHMlnmXXHfarJ2MH6rd07/eGpQvyLxCi70QzyhpPc2qfF4SagVnhqODQA86:NInmXXHfatH6dg/eiZzwJgFo
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe"C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "msedge"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "firefox"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "firefox"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
17KB
MD5153965a65ce1a432d10ce780a2ce101d
SHA1e18b06b1bc727c80024b61dcb2b2d9166f1fe14b
SHA2563b8ef33656fb559ed40c9438a6014c641fb687e1d6cb7541a87771ef47ac2412
SHA512da365d9805bcaa38867442cdedcf9c754bf12f99a0fba60b84321ab815388345c2a6c6ccec1365c75e93e19c2c89b1c43691709958a4f323ab8cbe0d1d685ccc
-
Filesize
17KB
MD5d608a336d648a5ccb7e7283bc43904b6
SHA10446957c799d407dbf6bbc18858efd84cf2be29f
SHA256181b88d495fdbfa6a5d4908fa0cdbaa4d20c8a73b9ec917c4f3627dff6f9bfff
SHA512c500589a8d3c404ad9ff030f8952c5ee4b8b1c54b81a468710e1a2bab6affb70387f79b007adb87dd3db4f5e5eb0256b0b153662e6ab2989d4d0eb464f18a7a4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
660KB
-
Filesize
468KB
-
Filesize
116KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
116KB
-
Filesize
668KB
-
Filesize
1.6MB
-
Filesize
84KB
-
Filesize
1.6MB
-
Filesize
240KB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
600KB
-
Filesize
600KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
468KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
84KB
-
Filesize
240KB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
9.5MB
-
Filesize
3.3MB
-
Filesize
668KB
-
Filesize
9.5MB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
600KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
7.7MB