General
-
Target
topaz video enhance ai crack windows.zip
-
Size
20.9MB
-
Sample
240923-t983fatbnp
-
MD5
bbfafd0f772d95b9bcbc2cfa7002d9a1
-
SHA1
dcd705932d93fc28b012947b49cd5f35ea32a80b
-
SHA256
e32c38d9ba28bfaeef79fc362d72fdb016321d93efe19428d99daba9ed33c88b
-
SHA512
fcd88a4b91133652732dd0abd6b3dc129ea60693a16bfbb110f891734e00719587e9653e718f45c8ca4ed4523215d5597dd3cc7d3b5bb36e77f5cd9245467240
-
SSDEEP
393216:7IRxSHPw/04e9wAYK8SjYKAAXxuBHzgI5kMPM7nPOB3g1lAoIO5gPKRT6:SyYwwrEYKXIBHzgI5NAnGBw1+o3Gil6
Malware Config
Targets
-
-
Target
topaz video enhance ai crack windows/topaz video enhance ai crack windows.exe
-
Size
816.4MB
-
MD5
0ed473ad80f4539c46f043e7d14d4e85
-
SHA1
112d4a25c16a12190e8bc8d5c35346d0eb47acb8
-
SHA256
a903f61b3327529f59ef005efa7b41bdd91ce259b8f4422e1c9c13e5267b2117
-
SHA512
47ef94feb19a7d8de63ae45949369c37624e801afcaed80f31556f700389f8ec02d0546de3a5eda7ae83d2724e8860d7b5b8882ccbdb7e0be766cd280ea8c320
-
SSDEEP
393216:TAVchpPmaXtrAPxE3DjM16vbuo6EigC/Reiaqakjaz8BTwZeJkjoboj:ucFtkPxlqKo6T3Rtg8hv0
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
3Accessibility Features
1Change Default File Association
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
3Accessibility Features
1Change Default File Association
1Component Object Model Hijacking
1Defense Evasion
Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1