Overview
overview
10Static
static
10Open AI So...89.exe
windows7-x64
6Open AI So...89.exe
windows10-2004-x64
6app-11.4.0...ls.dll
windows7-x64
1app-11.4.0...ls.dll
windows10-2004-x64
1app-11.4.0...ld.dll
windows7-x64
1app-11.4.0...ld.dll
windows10-2004-x64
1app-11.4.0...89.exe
windows7-x64
7app-11.4.0...89.exe
windows10-2004-x64
7app-11.4.0...ls.dll
windows7-x64
1app-11.4.0...ls.dll
windows10-2004-x64
1app-11.4.0...gs.dll
windows7-x64
1app-11.4.0...gs.dll
windows10-2004-x64
1app-11.4.0...s2.dll
windows7-x64
1app-11.4.0...s2.dll
windows10-2004-x64
1app-11.4.0...ls.dll
windows7-x64
1app-11.4.0...ls.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0..._1.dll
windows7-x64
1app-11.4.0..._1.dll
windows10-2004-x64
1app-11.4.0...ds.dll
windows7-x64
1app-11.4.0...ds.dll
windows10-2004-x64
1Analysis
-
max time kernel
143s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-10-2024 21:44
Behavioral task
behavioral1
Sample
Open AI Sora 4.0 Verison 4.89.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Open AI Sora 4.0 Verison 4.89.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
app-11.4.0/EMUtils.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
app-11.4.0/EMUtils.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
app-11.4.0/EMUtilsOld.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
app-11.4.0/EMUtilsOld.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
app-11.4.0/Open AI Sora 4.0 Verison 4.89.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
app-11.4.0/Open AI Sora 4.0 Verison 4.89.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
app-11.4.0/Qt6LabsQmlModels.dll
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
app-11.4.0/Qt6LabsQmlModels.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
app-11.4.0/Qt6LabsSettings.dll
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
app-11.4.0/Qt6LabsSettings.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
app-11.4.0/Qt6QuickControls2.dll
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
app-11.4.0/Qt6QuickControls2.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
app-11.4.0/Qt6QuickDialogs2Utils.dll
Resource
win7-20240729-en
Behavioral task
behavioral16
Sample
app-11.4.0/Qt6QuickDialogs2Utils.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
app-11.4.0/api-ms-win-crt-convert-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
app-11.4.0/api-ms-win-crt-environment-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
app-11.4.0/api-ms-win-crt-filesystem-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
app-11.4.0/api-ms-win-crt-heap-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
app-11.4.0/api-ms-win-crt-locale-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
app-11.4.0/api-ms-win-crt-math-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
app-11.4.0/api-ms-win-crt-multibyte-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
app-11.4.0/api-ms-win-crt-private-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
app-11.4.0/api-ms-win-crt-process-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
app-11.4.0/api-ms-win-crt-runtime-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
app-11.4.0/api-ms-win-crt-stdio-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
app-11.4.0/api-ms-win-crt-string-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
app-11.4.0/msvcp140_1.dll
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
app-11.4.0/msvcp140_1.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
app-11.4.0/msvcp140_codecvt_ids.dll
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
app-11.4.0/msvcp140_codecvt_ids.dll
Resource
win10v2004-20241007-en
General
-
Target
Open AI Sora 4.0 Verison 4.89.exe
-
Size
365KB
-
MD5
4aca9457933a530c0bf576f7f537694a
-
SHA1
f39053f92e86885a3cd52ff5630bcbc1cbe4cadf
-
SHA256
f8380479fe4558dfe5f787f73daa412b7386c045b7d5e8f39d3cb73b5b204569
-
SHA512
87ddd3fded58ce0d01acad9f6992bd14400c1acb3c29519370b9b628d2fbfd49accb177171649aa39018d05f5fe1f759c78f0c012c9834306efae4e08f0cd9b2
-
SSDEEP
3072:C5I+ERABhR3JqnP8I+McS9MESlGW1AgCBMNBNsYoh+buYJoY46ZFaVLMxKawbvWw:r/3nvX19MtlGW1AgGO+hqohPaxbw7W
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Open AI Sora 4.0 Verison 4.89.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" Open AI Sora 4.0 Verison 4.89.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 21 ipinfo.io 20 ipinfo.io -
Executes dropped EXE 1 IoCs
Processes:
Chrome Service.exepid process 3016 Chrome Service.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
powershell.exepowershell.exeChrome Service.exeOpen AI Sora 4.0 Verison 4.89.exepowershell.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome Service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Open AI Sora 4.0 Verison 4.89.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
Open AI Sora 4.0 Verison 4.89.exepowershell.exepowershell.exepowershell.exepid process 2484 Open AI Sora 4.0 Verison 4.89.exe 2484 Open AI Sora 4.0 Verison 4.89.exe 1508 powershell.exe 1508 powershell.exe 1508 powershell.exe 2484 Open AI Sora 4.0 Verison 4.89.exe 2484 Open AI Sora 4.0 Verison 4.89.exe 716 powershell.exe 716 powershell.exe 716 powershell.exe 2484 Open AI Sora 4.0 Verison 4.89.exe 2484 Open AI Sora 4.0 Verison 4.89.exe 2492 powershell.exe 2492 powershell.exe 2492 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1508 powershell.exe Token: SeDebugPrivilege 716 powershell.exe Token: SeDebugPrivilege 2492 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
Open AI Sora 4.0 Verison 4.89.exeOpen AI Sora 4.0 Verison 4.89.exedescription pid process target process PID 1016 wrote to memory of 2484 1016 Open AI Sora 4.0 Verison 4.89.exe Open AI Sora 4.0 Verison 4.89.exe PID 1016 wrote to memory of 2484 1016 Open AI Sora 4.0 Verison 4.89.exe Open AI Sora 4.0 Verison 4.89.exe PID 1016 wrote to memory of 2484 1016 Open AI Sora 4.0 Verison 4.89.exe Open AI Sora 4.0 Verison 4.89.exe PID 2484 wrote to memory of 1508 2484 Open AI Sora 4.0 Verison 4.89.exe powershell.exe PID 2484 wrote to memory of 1508 2484 Open AI Sora 4.0 Verison 4.89.exe powershell.exe PID 2484 wrote to memory of 1508 2484 Open AI Sora 4.0 Verison 4.89.exe powershell.exe PID 2484 wrote to memory of 716 2484 Open AI Sora 4.0 Verison 4.89.exe powershell.exe PID 2484 wrote to memory of 716 2484 Open AI Sora 4.0 Verison 4.89.exe powershell.exe PID 2484 wrote to memory of 716 2484 Open AI Sora 4.0 Verison 4.89.exe powershell.exe PID 2484 wrote to memory of 2492 2484 Open AI Sora 4.0 Verison 4.89.exe powershell.exe PID 2484 wrote to memory of 2492 2484 Open AI Sora 4.0 Verison 4.89.exe powershell.exe PID 2484 wrote to memory of 2492 2484 Open AI Sora 4.0 Verison 4.89.exe powershell.exe PID 2484 wrote to memory of 3016 2484 Open AI Sora 4.0 Verison 4.89.exe Chrome Service.exe PID 2484 wrote to memory of 3016 2484 Open AI Sora 4.0 Verison 4.89.exe Chrome Service.exe PID 2484 wrote to memory of 3016 2484 Open AI Sora 4.0 Verison 4.89.exe Chrome Service.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "msedge"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "firefox"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:716 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "firefox"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492 -
C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3016
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
17KB
MD59440f316533f70e7b4d3cdb8df05d743
SHA17a4949aac188063d3f1a207172b0503c088d0c94
SHA256e0a6ef97c0561bf90f0eb7da03f24deb6e98dca78e62f801ab805f77ca71e551
SHA5125dd59e6f01a096afddb99effa84090b87f2a0bdbef26950175b79cb0326b371795f8859d4fe63abe0168d66aa7ba22858ef3ec19e7ed733ccc23737872a62ca0
-
Filesize
17KB
MD57667c3d7a664de4b675fd1f790f84ffa
SHA187e4b175a4e52737dc21a1e40df44c6a665197ac
SHA2561e7492aa72914f144ed015350595ad0e8887e19a966d76eebb73722851fa77f4
SHA5122c1cd7bc55616e27d7562727898f93df931a6fb0037c36d28eec55b2816de534603184429f30be8c06dad462f39775ebbdbcc4459447ed701eb2245a64af9f02
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82