4a9d815f284adda187982e2b24da2beaad860739bc4b4cb1cf26408e7c221dd6

Analysis

max time kernel
149s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02-08-2024 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CapCut_7376279456815792134_installer.exe
Size

2.2MB
MD5

c91e097550ea6ccedf592d8b83414e0d
SHA1

021f3f26d86f98af28dc987baad8714f64867207
SHA256

4a9d815f284adda187982e2b24da2beaad860739bc4b4cb1cf26408e7c221dd6
SHA512

916898c9850ddfcd2c11da7421eeffc4d48406d9ad4787a4dc572ec17a81a39edd30733aa8cccde8b31450ff8031e3da68be019a8a0eff50c0a17ed4fa0aa3c9
SSDEEP

49152:uGVKq6wrr98ArcTTuVMZCC8GYCNbFLg3dlXI5x8oaigMv3Dh:uGVLprJ8ArnVMZCUPFcNlXID8en1

Score

6^/10

discovery evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

app_package_6504ad5a3e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	app_package_6504ad5a3e.exe

Executes dropped EXE 1 IoCs

Processes:

app_package_6504ad5a3e.exe

pid process

2312 app_package_6504ad5a3e.exe

pid	process
2312	app_package_6504ad5a3e.exe

Loads dropped DLL 6 IoCs

Processes:

CapCut_7376279456815792134_installer.exeapp_package_6504ad5a3e.exe

pid	process
2356	CapCut_7376279456815792134_installer.exe
2356	CapCut_7376279456815792134_installer.exe
2356	CapCut_7376279456815792134_installer.exe
2356	CapCut_7376279456815792134_installer.exe
2356	CapCut_7376279456815792134_installer.exe
2312	app_package_6504ad5a3e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CapCut_7376279456815792134_installer.exeapp_package_6504ad5a3e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CapCut_7376279456815792134_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app_package_6504ad5a3e.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

CapCut_7376279456815792134_installer.exeapp_package_6504ad5a3e.exe

pid process

2356 CapCut_7376279456815792134_installer.exe
2312 app_package_6504ad5a3e.exe
2312 app_package_6504ad5a3e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

app_package_6504ad5a3e.exe

description pid process

Token: SeDebugPrivilege 2312 app_package_6504ad5a3e.exe

description	pid	process
Token: SeDebugPrivilege	2312	app_package_6504ad5a3e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

CapCut_7376279456815792134_installer.exe

description	pid	process	target process
PID 2356 wrote to memory of 2312	2356	CapCut_7376279456815792134_installer.exe	app_package_6504ad5a3e.exe
PID 2356 wrote to memory of 2312	2356	CapCut_7376279456815792134_installer.exe	app_package_6504ad5a3e.exe
PID 2356 wrote to memory of 2312	2356	CapCut_7376279456815792134_installer.exe	app_package_6504ad5a3e.exe
PID 2356 wrote to memory of 2312	2356	CapCut_7376279456815792134_installer.exe	app_package_6504ad5a3e.exe

C:\Users\Admin\AppData\Local\Temp\CapCut_7376279456815792134_installer.exe
"C:\Users\Admin\AppData\Local\Temp\CapCut_7376279456815792134_installer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\app_shell_cache_562354\app_package_6504ad5a3e.exe
"C:\Users\Admin\AppData\Local\app_shell_cache_562354\app_package_6504ad5a3e.exe" /s /create_desktop=1 /install_path="C:\Users\Admin\AppData\Local\CapCut\Apps"
2⤵
- Checks whether UAC is enabled
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\DefaultAdjustBundle\highlight\amazingfeature\scene.config
Filesize
284B

MD5
77e51012d23d27cd7dfb762fb2f22366

SHA1
faa1a6848a92f2eba5c6094659efee0eaf289e49

SHA256
5b405fa29439f5853937c9714c794f10a01ed033f81866ba52f7f8ea5312b41e

SHA512
efa87d35d3b2360809f5de98b7d681c3cdbee6144c1065e7144d098b56126f794b83a7aa692325d532271e7016556d1c9ac2f9eaf2fb480314bbedb951bda2d3

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\DefaultAdjustBundle\saturation\amazingfeature\Transform.lua
Filesize
743B

MD5
55f8219de11fd1bab55e136d97f34add

SHA1
d728bdc21b7c73165f7c767300c004afd02958e3

SHA256
f5ae7d270c41dc064723acb52c96339337d142f327ed98591ebb52c9518a2a78

SHA512
5ec44128343bc3cf4b0dffb318ec46e906e247ed4cb9a6839bb514f753b14fcda61070271b81538a9a67605641719119bdc2ad0d33eca614ee732eccdeccbf6c

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\DefaultAdjustBundle\saturation\amazingfeature\sticker.config
Filesize
243B

MD5
a6370133cd32ad029749c4c30bdb80c6

SHA1
4ae8d816fb891657589f35f1bddd617e721ac379

SHA256
6f8d212c18569ba0e1c3b1bc89c8c4b2a16377d94cc26d1d78df1bb920efe379

SHA512
b410873382913c3a16a64390b1bd12978c639568c4cac1efbbcecbdd0852926991a9fd00aac60bdc94a489531c656f59b64559976a88c67bf35ddaffa0a9861d

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\DefaultAdjustBundle\shadow_highlight_v2_gles3\AmazingFeature\LuaRTTI.MarkGen.lua
Filesize
222B

MD5
5dac156aac6bffd08cb0f8c1637f5e5c

SHA1
40e6585e5de8648725243517781e4d3330caffcb

SHA256
cf4f8b5ff1a50eff88236aba7f9bb48e696d337b779d98e911d00f6876800503

SHA512
0999fd224c54882d28aa8067e20ee7877b509591901f801d400b613a4fd95af5948d6c512b01d1f7b3aad2203a80f8a3adfec1dd03b6dd3329de87e8583145a3

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\DefaultAdjustBundle\temperature_tone_v3\AmazingFeature\sticker.config
Filesize
276B

MD5
02b91a98d687f65158c5d30123166da6

SHA1
a9e91db1e43f923942cb58cd242af527a5d9b158

SHA256
c3de42b569951c70e76d4adb756b424c0ddaeaea6c1a0b61bf1935b7b7b1ee66

SHA512
fe9f10abf7275af089e4cfa8e7a9c83b8b0a2f2763d481f25cb746f5122dedb4250f4a3fe3c0aa4b361e6194233cf31c2e8045baff108489daf4c2e3def04d10

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\DefaultAdjustBundle\tone_v1\amazingfeature\sticker.config
Filesize
258B

MD5
6238b4cd638d16c1136c78c3d84b61ea

SHA1
03683ded62e4e602b25bdb6ee445dfe760e22b6c

SHA256
9c9ba3ebe0c06582ce05df7831d4754061d2ed7c7e3ad6acaaaa563f7bbf7d2f

SHA512
6339227384501243997f6f93d8da38ea673c86e6b39de2e2f8c8f46e1e388fc3d4ab4d916246bebb4238524af6d8323a86cb139467849148291551cd63514d1c

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\DefaultAdjustBundle\vignetting\amazingfeature\Transform.lua
Filesize
716B

MD5
99b4753a045f720a4c6a1bcb875bd72c

SHA1
4afc8b19876ead7a7ad903f13521c2b443de1496

SHA256
4e4b7c19259ebab2fbe29d179122a20584b783f12632bfc2d214d82e522c303b

SHA512
15a857fa869f37dd777f261821947bbc27214d5993a6a7431fdecd88468cdd81c59a876534c0459c46f33cd7a6b03aa827160014ae729f16fbde19dfce3afb73

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\DefaultAdjustBundle\vignetting_v1\AmazingFeature\js-meta.json
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\LogWheel\log_wheel_v1\Wheel\scene.config
Filesize
363B

MD5
8d61b3b6f3944a129228b01ab04a3a86

SHA1
dd2a509da1175dd99095748b029c3b868d6f67c7

SHA256
468a132a03b8569130faf2c5d8e0f05f3f7602a336b0510534026c11a73ab460

SHA512
abd1ac6afff2b3ea5e8e454d4aa86dab711d8686ebaacfe66b141ec25755abc512b6252f8c786eff44ffc49f8483942a6c66c703bb2602f6f9b1a576b66f121f

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\MixMode\840ca85a1a33e6fc3ea78bbdb2db8f60\blend.material
Filesize
552B

MD5
7cdae2b4822bcd006e9d2ffce3e84453

SHA1
720111dacf341b7ce908bd282058169a62239154

SHA256
e8986f58f72446435468272d8d4e7c95a4fce58b3ad4838ed634b999196d3736

SHA512
0ae64df166e18d7770a28c317565d5238b578202cb6c7bd2c9db55e185a61f79ae03f0530955f748dc387889c73f01479e23f7d21cb3dcbe44f2107905131a91

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\MixMode\840ca85a1a33e6fc3ea78bbdb2db8f60\config.json
Filesize
64B

MD5
c1b0a3e521b261389e09efaf5f6fa2d9

SHA1
976b181838ba45780eb4b2f9b629a1f7d1cf763d

SHA256
07232ba6befad39df9079b18e7c66235a11b2b375626c80cabd0b46f9b7d948f

SHA512
57d70636ebcbb3c0521da860d4cbbe9516a91e1b7b529e7e12781aa534c8c3a7c2d8f31c8c5fabb0acfbd6c81eedc292b3cbb8d0f01d306f12c249417a205a94

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\MixMode\840ca85a1a33e6fc3ea78bbdb2db8f60\content.json
Filesize
65B

MD5
77af16e6914627f13e1ffb90509cace4

SHA1
329bafa669c548a0b9cc2ed266de24b0ec8608df

SHA256
424c068d0f0e848d3b8f25ec1a55f1086df3c87ad95eca13fe6b265c46400fc0

SHA512
4e96216696d5f8e43fbb5ba951dfeb5e32ad1d48fe0737c3725c5c4d4f2531bba18afa1b82d694f2a0029a1a0f37dd24236eaac8ba0d296b6e0fddd70ec60790

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\PrimaryWheel\primary_wheel_v0\algorithmConfig.json
Filesize
382B

MD5
2742644266425cbe36e1517602961e99

SHA1
9ac55196393e328a65f4cf6e5872822060f9ce5e

SHA256
28251cedc501cb7285fe4c06af3714af3ec068834cc15c1ddcd913f91572ace0

SHA512
e308c625a22b625631f81cfa4c9fc20e92efd082c5a6a0dc0aaf58b3b4924c21e40fe1da2faa0506e06f8c3e1bd4411b972dae5470b5424f77554ea48003f56c

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\PrimaryWheel\primary_wheel_v1\Wheel\sticker.config
Filesize
276B

MD5
ceeafc08b27c8bf1264a372e6572b243

SHA1
a2b1c88dab2b2fa57adc0ce4863edf269654dc70

SHA256
8695d8d1cd532f86c340a46ff20f6c96f25f842d6c6f2d3c67b29e3c8d706fb0

SHA512
e14ded5b310ffcf969f94f3248e7f95f1a078616a05b90f47918581bbc983951c54e8d6d61538817a2d9e5ed868bf53e9623c0a19586ea8cebfbfdb6f81d29c9

Download Submit
C:\Users\Admin\AppData\Local\CapCut\Apps\202482235215359_1\JYPacket\4.1.0.1647\Resources\image_h5_sticker_publish\static\css\sticker-publish-collection.bbaa332b.css
Filesize
15KB

MD5
78a39c78f36f0305b75b659171e894f6

SHA1
99cbb2d17670acc33e0b7030369b46ff16ddf62e

SHA256
bc4db337419452015714560742969469ce9b78150d2d481c45eaa71b47c7a8f1

SHA512
39b8748a47680f157394ac16fdae233a8b0d154d9c4f722988f484dceb22832d751e62b739eacc99e2a4a15fb31252b85dbc5d3df58717957b587e1851fdffd5

Download Submit
\Users\Admin\AppData\Local\Temp\E9DDA433-AA83-40F3-BEA5-93BAD32DD698\7zip.dll
Filesize
751KB

MD5
2d97c2e0353cb0c63212ecacd326bb17

SHA1
53ac7d8a0f19314158a2e74f3d6f0d17103c1d37

SHA256
fe604c8747171a85f883b08fcaf32a64d59ff7c7ed89e862ad252d366ab66368

SHA512
392fce704b17aa367c6c8a09ccdf7505242aaed552a1772e14b828754d01ea3d1e7eef8936067fb87c7dec645783e80ace16aba8e342501ab09964d0363eefff

Download Submit
\Users\Admin\AppData\Local\Temp\nso26D3.tmp\BgWorker.dll
Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
\Users\Admin\AppData\Local\Temp\nso26D3.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nso26D3.tmp\downloader_nsis_plugin.dll
Filesize
1.2MB

MD5
f181413906a465fd0dd68cc4a3d98803

SHA1
5aa28be48047dd0b672ab98d5e7cbd8260486b4b

SHA256
e28ff7b8fc4b1eb2d1f394ce15de2fc031cda58db645038c8c07581c31e79dda

SHA512
8d0116bcbc3938b2ebdddf77dec87e4b6c872382d20b555571b0bc3e4a35f88d16bc450004f875a8271165b71bdbae5d4d474a5bfda4c7787da63f4325009c25

Download Submit
\Users\Admin\AppData\Local\Temp\nso26D3.tmp\shell_downloader.dll
Filesize
2.3MB

MD5
c052c0a2ed833d924b7799625413ac1c

SHA1
bdd08a29f4de283ba0eb3cda4abc26f6e85d4d5e

SHA256
098972cf9ddc9d574130e025a252a99b278de9cc0ae700acfb8c935c24eb1172

SHA512
89e67c29d5d8a401a70a5b572844f24bfde82d5d4259ecc5e6f12be0ddb434995a2e985914fc421973998e3fdc48b133e269e8bb1da513ec66199f01060162f1

Download Submit