Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
24-07-2024 11:24
Behavioral task
behavioral1
Sample
Open AI Sora Vesion 5.42.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Open AI Sora Vesion 5.42.exe
Resource
win10v2004-20240709-en
General
-
Target
Open AI Sora Vesion 5.42.exe
-
Size
157.9MB
-
MD5
167af794837fe9de07ee83acdb74343e
-
SHA1
a3f718d502a0f9e8382d12da9704433b96ea53ed
-
SHA256
06c81d76f89cd374efcf4140b1f8239f30a89b1132608c3696e64199c9d9bd0c
-
SHA512
8e78779a4d43604e705335c45569137ddc0b8b5448d15c44c1bb0fae59c95457dfa896bb3671aec79a0082f104ffa61182453218f759669320b9cba909c0d588
-
SSDEEP
1572864:FHMlnmXXHfarJ2MH6rd07/eGpQvyLxCi70QzyhpPc2qfF4SagVnhqODQA86:NInmXXHfatH6dg/eiZzwJgFo
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Open AI Sora Vesion 5.42.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation Open AI Sora Vesion 5.42.exe -
Executes dropped EXE 1 IoCs
Processes:
Chrome Service.exepid process 1368 Chrome Service.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Open AI Sora Vesion 5.42.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" Open AI Sora Vesion 5.42.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 24 ipinfo.io 25 ipinfo.io -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Open AI Sora Vesion 5.42.exepowershell.exepowershell.exepowershell.exeChrome Service.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Open AI Sora Vesion 5.42.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome Service.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepowershell.exepowershell.exepid process 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 2196 powershell.exe 2196 powershell.exe 2196 powershell.exe 3484 powershell.exe 3484 powershell.exe 3484 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1600 powershell.exe Token: SeDebugPrivilege 2196 powershell.exe Token: SeDebugPrivilege 3484 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Open AI Sora Vesion 5.42.exedescription pid process target process PID 4748 wrote to memory of 1600 4748 Open AI Sora Vesion 5.42.exe powershell.exe PID 4748 wrote to memory of 1600 4748 Open AI Sora Vesion 5.42.exe powershell.exe PID 4748 wrote to memory of 1600 4748 Open AI Sora Vesion 5.42.exe powershell.exe PID 4748 wrote to memory of 2196 4748 Open AI Sora Vesion 5.42.exe powershell.exe PID 4748 wrote to memory of 2196 4748 Open AI Sora Vesion 5.42.exe powershell.exe PID 4748 wrote to memory of 2196 4748 Open AI Sora Vesion 5.42.exe powershell.exe PID 4748 wrote to memory of 3484 4748 Open AI Sora Vesion 5.42.exe powershell.exe PID 4748 wrote to memory of 3484 4748 Open AI Sora Vesion 5.42.exe powershell.exe PID 4748 wrote to memory of 3484 4748 Open AI Sora Vesion 5.42.exe powershell.exe PID 4748 wrote to memory of 1368 4748 Open AI Sora Vesion 5.42.exe Chrome Service.exe PID 4748 wrote to memory of 1368 4748 Open AI Sora Vesion 5.42.exe Chrome Service.exe PID 4748 wrote to memory of 1368 4748 Open AI Sora Vesion 5.42.exe Chrome Service.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe"C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "msedge"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "firefox"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "firefox"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484 -
C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1368
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
17KB
MD5bd409c78af485e1e0347567024dda573
SHA1ac7ebb3f847a0b9b8699a4a75eb6ea2f2ce6f1c6
SHA256ded875cddba54eb29b2a0700099bb822cf07573ce5b06b5ac4d3ee82c5cb1a38
SHA51211db467333f3c9b51c900276b48d4b0faeace71414f5151b14077ee5e363cfb5f2a8f6f1df5ab6a2b42ce7d7ac46fe96eb25a9c6af4114dd47df6145af4f32f6
-
Filesize
17KB
MD55508e39271fc8fae521ff3fb4f136e85
SHA1346a33409c9c3fa891fe70ff45e6b1d7b5abfbec
SHA256fb20c6a359073fc0287ecbecbfcb8f71d7b37b4dfe1635dfbf5091bd2639ab0e
SHA5123a2e08a3570797516290c254b0cd58ecffeaf09373e004bf34a82b708c040aecc832a3aef5cdc926225b5628c877ff67c3086cccdf7d7c0278d9831442611f1a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82