9ecdf63c778837fe391974d12dbda0752ccb58ef8e6241dd2bfc223580b1f536

Analysis

max time kernel
117s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app-11.4.0/Open AI Sora 4.0 Verison 4.89.exe
Size

717.9MB
MD5

4ca74930fb928138ef72335d06cc39db
SHA1

14ea9754494af1beb429224911b2ec2f43d3a802
SHA256

86f1e1adb0542298fede2316612d6a90ab655a2774d5bc766c4eb77e0bd25e70
SHA512

7aaa890c51d012eced7d1f565b61a9d3dc2480945e4ef1509806763cd48fa016ee4c9c44bde44bc10da34b00aee3e897038f200b19b9e136cb98788a6977bee2
SSDEEP

3145728:lnOvz6yqIkFIkFIkFIkFIkFIkFIkFIkYZzwJgFos:eGIkFIkFIkFIkFIkFIkFIkFIk5m6s

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
820	Chrome Service.exe

Loads dropped DLL 1 IoCs

pid	Process
796	Open AI Sora 4.0 Verison 4.89.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe"	Open AI Sora 4.0 Verison 4.89.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Open AI Sora 4.0 Verison 4.89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chrome Service.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Open AI Sora 4.0 Verison 4.89.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Open AI Sora 4.0 Verison 4.89.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
796	Open AI Sora 4.0 Verison 4.89.exe
796	Open AI Sora 4.0 Verison 4.89.exe
2248	powershell.exe
2248	powershell.exe
796	Open AI Sora 4.0 Verison 4.89.exe
796	Open AI Sora 4.0 Verison 4.89.exe
1932	powershell.exe
1932	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 2248	796	Open AI Sora 4.0 Verison 4.89.exe	29
PID 796 wrote to memory of 2248	796	Open AI Sora 4.0 Verison 4.89.exe	29
PID 796 wrote to memory of 2248	796	Open AI Sora 4.0 Verison 4.89.exe	29
PID 796 wrote to memory of 2248	796	Open AI Sora 4.0 Verison 4.89.exe	29
PID 796 wrote to memory of 1932	796	Open AI Sora 4.0 Verison 4.89.exe	31
PID 796 wrote to memory of 1932	796	Open AI Sora 4.0 Verison 4.89.exe	31
PID 796 wrote to memory of 1932	796	Open AI Sora 4.0 Verison 4.89.exe	31
PID 796 wrote to memory of 1932	796	Open AI Sora 4.0 Verison 4.89.exe	31
PID 796 wrote to memory of 820	796	Open AI Sora 4.0 Verison 4.89.exe	33
PID 796 wrote to memory of 820	796	Open AI Sora 4.0 Verison 4.89.exe	33
PID 796 wrote to memory of 820	796	Open AI Sora 4.0 Verison 4.89.exe	33
PID 796 wrote to memory of 820	796	Open AI Sora 4.0 Verison 4.89.exe	33

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Stop-Process -Name "firefox"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Stop-Process -Name "firefox"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
  "C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
daf0ab18f186644483b6483025f12369

SHA1
b827f9ad4e9af95d96692b9df024dd6517ce330b

SHA256
e085c3bc1a309c41f788447846b2bef887ce6f32861f5737c154d14409ca0f28

SHA512
0e5e8b6d0606692197176be6f522e8c0b046f66245dd96a9681024694b4bed24392d047223f3c248162d6dddd8a018b20343d9e1fca70dd8c3e39d96f5ae791d

Download Submit
memory/796-48-0x00000000061F0000-0x0000000006244000-memory.dmp

Filesize
336KB

Download
memory/796-28-0x000000002C4A0000-0x000000002C7F6000-memory.dmp

Filesize
3.3MB

Download
memory/796-8-0x0000000000CE0000-0x0000000000D87000-memory.dmp

Filesize
668KB

Download
memory/796-5-0x0000000000CE0000-0x0000000000D87000-memory.dmp

Filesize
668KB

Download
memory/796-4-0x0000000001274000-0x0000000001275000-memory.dmp

Filesize
4KB

Download
memory/796-3-0x0000000006810000-0x0000000007199000-memory.dmp

Filesize
9.5MB

Download
memory/796-16-0x00000000029E0000-0x0000000002A08000-memory.dmp

Filesize
160KB

Download
memory/796-13-0x00000000029E0000-0x0000000002A08000-memory.dmp

Filesize
160KB

Download
memory/796-64-0x00000000061B0000-0x00000000061C2000-memory.dmp

Filesize
72KB

Download
memory/796-20-0x000000002BFB0000-0x000000002C13E000-memory.dmp

Filesize
1.6MB

Download
memory/796-32-0x000000002C140000-0x000000002C1E5000-memory.dmp

Filesize
660KB

Download
memory/796-52-0x000000002C1F0000-0x000000002C286000-memory.dmp

Filesize
600KB

Download
memory/796-60-0x0000000006250000-0x000000000628C000-memory.dmp

Filesize
240KB

Download
memory/796-57-0x0000000006250000-0x000000000628C000-memory.dmp

Filesize
240KB

Download
memory/796-56-0x00000000066D0000-0x000000000674A000-memory.dmp

Filesize
488KB

Download
memory/796-53-0x00000000066D0000-0x000000000674A000-memory.dmp

Filesize
488KB

Download
memory/796-49-0x000000002C1F0000-0x000000002C286000-memory.dmp

Filesize
600KB

Download
memory/796-1-0x0000000006810000-0x0000000007199000-memory.dmp

Filesize
9.5MB

Download
memory/796-17-0x000000002BFB0000-0x000000002C13E000-memory.dmp

Filesize
1.6MB

Download
memory/796-12-0x00000000029C0000-0x00000000029DD000-memory.dmp

Filesize
116KB

Download
memory/796-36-0x0000000005F80000-0x0000000005F95000-memory.dmp

Filesize
84KB

Download
memory/796-44-0x0000000006750000-0x00000000067C5000-memory.dmp

Filesize
468KB

Download
memory/796-41-0x0000000006750000-0x00000000067C5000-memory.dmp

Filesize
468KB

Download
memory/796-40-0x0000000005FA0000-0x0000000005FB1000-memory.dmp

Filesize
68KB

Download
memory/796-37-0x0000000005FA0000-0x0000000005FB1000-memory.dmp

Filesize
68KB

Download
memory/796-45-0x00000000061F0000-0x0000000006244000-memory.dmp

Filesize
336KB

Download
memory/796-33-0x0000000005F80000-0x0000000005F95000-memory.dmp

Filesize
84KB

Download
memory/796-29-0x000000002C140000-0x000000002C1E5000-memory.dmp

Filesize
660KB

Download
memory/796-9-0x00000000029C0000-0x00000000029DD000-memory.dmp

Filesize
116KB

Download
memory/796-25-0x000000002C4A0000-0x000000002C7F6000-memory.dmp

Filesize
3.3MB

Download
memory/796-24-0x0000000005C40000-0x0000000005C70000-memory.dmp

Filesize
192KB

Download
memory/796-21-0x0000000005C40000-0x0000000005C70000-memory.dmp

Filesize
192KB

Download
memory/796-61-0x00000000061B0000-0x00000000061C2000-memory.dmp

Filesize
72KB

Download
memory/2248-149-0x00000000730F0000-0x000000007369B000-memory.dmp

Filesize
5.7MB

Download
memory/2248-150-0x00000000730F0000-0x000000007369B000-memory.dmp

Filesize
5.7MB

Download
memory/2248-151-0x00000000730F0000-0x000000007369B000-memory.dmp

Filesize
5.7MB

Download
memory/2248-148-0x00000000730F1000-0x00000000730F2000-memory.dmp

Filesize
4KB

Download
memory/2248-152-0x00000000730F0000-0x000000007369B000-memory.dmp

Filesize
5.7MB

Download