Analysis

max time kernel: 143s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-10-2024 15:13
Behavioral tasks

behavioral1
  Sample: Open AI Sora 4.0_Setup_Version 5.96.exe
  Resource: win10v2004-20241007-en
behavioral2
  Sample: Open AI Sora 4.0_Setup_Version 5.96.exe
  Resource: win11-20241007-en
behavioral3
  Sample: app-5.96.0/Open AI Sora 4.0_Setup_Version 5.96.exe
  Resource: win10v2004-20241007-en
behavioral4
  Sample: app-5.96.0/Open AI Sora 4.0_Setup_Version 5.96.exe
  Resource: win11-20241007-en
General

Target: Open AI Sora 4.0_Setup_Version 5.96.exe
Size: 349KB
MD5: ceb804d5dcb9e543549fdf842611dcc3
SHA1: 630b4a55ec6ea4acb163422c1938ddb389340af7
SHA256: 92a304e64a65bbab9a45b6cb0d3f701fe0803616d23f5f9b860d3b00488f2482
SHA512: 9c380596001d7ed1ba18b826b13ac28fd9b3fed16a87fa1ed648f4534431e3dc756e3179ad5e5c12f1778ebe028446fb05597d3fc347221a6611f7af88998d82
SSDEEP: 3072:sV/GaFJJZ+Qima9IjVe9+L+xZ2N4OCSPQwZkXkAy5vHOQXQWXUjzBW2HwbvWUhIj:6Bmm+aVecLuK0uPZQk4QU9Wew7G
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Open AI Sora 4.0_Setup_Version 5.96.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" | Open AI Sora 4.0_Setup_Version 5.96.exe

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  21 | ipinfo.io
  22 | ipinfo.io

Executes dropped EXE (1 IoC)
  Processes: Chrome Service.exe
  pid | process
  1912 | Chrome Service.exe

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: powershell.exe, Chrome Service.exe, Open AI Sora 4.0_Setup_Version 5.96.exe, powershell.exe, powershell.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chrome Service.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Open AI Sora 4.0_Setup_Version 5.96.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: Open AI Sora 4.0_Setup_Version 5.96.exe, powershell.exe, powershell.exe, powershell.exe
  pid | process | events
  404 | Open AI Sora 4.0_Setup_Version 5.96.exe | 6
  2692 | powershell.exe | 3
  3212 | powershell.exe | 3
  4848 | powershell.exe | 4

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2692 | powershell.exe
  Token: SeDebugPrivilege | 3212 | powershell.exe
  Token: SeDebugPrivilege | 4848 | powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: Open AI Sora 4.0_Setup_Version 5.96.exe, Open AI Sora 4.0_Setup_Version 5.96.exe
  description | pid | process | target process | events
  PID 1652 wrote to memory of 404 | 1652 | Open AI Sora 4.0_Setup_Version 5.96.exe | Open AI Sora 4.0_Setup_Version 5.96.exe | 3
  PID 404 wrote to memory of 2692 | 404 | Open AI Sora 4.0_Setup_Version 5.96.exe | powershell.exe | 3
  PID 404 wrote to memory of 3212 | 404 | Open AI Sora 4.0_Setup_Version 5.96.exe | powershell.exe | 3
  PID 404 wrote to memory of 4848 | 404 | Open AI Sora 4.0_Setup_Version 5.96.exe | powershell.exe | 3
  PID 404 wrote to memory of 1912 | 404 | Open AI Sora 4.0_Setup_Version 5.96.exe | Chrome Service.exe | 3
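The signatures above, expressed as detection logic a triage analyst could run over endpoint telemetry. This is example code added to the report, not sandbox output: the event records are hand-constructed to mirror the IoCs listed above (plus one benign Run entry as a control) and use a simplified Sysmon-like schema; the lists of IP-lookup hosts, browser names and vendor words, and the "three behaviours = malicious" threshold, are assumptions that generalise beyond the single ipinfo.io domain and the two browsers (msedge, firefox) this sample targets.

```python
"""Detection logic for the behaviours in the Signatures section, run over a
constructed stream of Sysmon-style events.  Example code added to the report,
not sandbox output; EVENTS is hand-written to mirror the report's IoCs."""
import re

SID = "S-1-5-21-3442511616-637977696-3186306149-1000"
RUN_KEY_PATH = "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED = r"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events (not real telemetry): Run-key write by the installer child,
# two PowerShell browser kills, one IP-lookup DNS query, the dropped binary
# starting, and a benign Run entry as a control.  The report does not say which
# process performed the ipinfo.io lookup, so the dns event carries no pid.
EVENTS = [
    {"type": "registry_set", "pid": 404, "key": RUN_KEY_PATH + r"\GoogleChromed",
     "value": f'"{DROPPED}"'},
    {"type": "process", "pid": 2692, "ppid": 404, "image": PS,
     "cmdline": '"powershell.exe" Stop-Process -Name "msedge"'},
    {"type": "process", "pid": 3212, "ppid": 404, "image": PS,
     "cmdline": '"powershell.exe" Stop-Process -Name "firefox"'},
    {"type": "dns", "query": "ipinfo.io"},
    {"type": "process", "pid": 1912, "ppid": 404, "image": DROPPED,
     "cmdline": f'"{DROPPED}"'},
    {"type": "registry_set", "pid": 999, "key": RUN_KEY_PATH + r"\GoogleUpdate",
     "value": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},  # benign control
]

RUN_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
KILL_BROWSER = re.compile(
    r'(?:Stop-Process\b.*?-Name\s+|taskkill\b.*?/IM\s+)"?(msedge|firefox|chrome|brave|opera|iexplore)(?:\.exe)?"?',
    re.I)
VENDOR_WORDS = ("google", "chrome", "microsoft", "adobe", "nvidia")   # assumption
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.ipify.org", "icanhazip.com",    # assumption
                   "ip-api.com", "checkip.amazonaws.com"}


def find_run_key_persistence(events):
    """Flag Run/RunOnce values whose target sits under the user's AppData, or
    whose value name borrows a vendor's name while pointing outside Program Files."""
    hits = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        m = RUN_KEY.search(e["key"])
        if not m:
            continue
        name, target = m.group(1), e["value"].strip('"')
        if USER_WRITABLE.match(target):
            hits.append(("target_under_appdata", name, target))
        if any(w in name.lower() for w in VENDOR_WORDS) and "\\program files" not in target.lower():
            hits.append(("vendor_name_outside_program_files", name, target))
    return hits


def find_browser_kill(events):
    """Process starts whose command line terminates a browser by name."""
    hits = []
    for e in events:
        if e["type"] == "process":
            m = KILL_BROWSER.search(e["cmdline"])
            if m:
                hits.append((e["pid"], m.group(1).lower()))
    return hits


def find_ip_lookup(events):
    """DNS queries to public external-IP lookup services."""
    return sorted({e["query"].lower() for e in events
                   if e["type"] == "dns" and e["query"].lower() in IP_LOOKUP_HOSTS})


def find_persisted_exe_execution(events):
    """Process starts whose image is exactly a path written to a Run key."""
    persisted = {e["value"].strip('"').lower() for e in events
                 if e["type"] == "registry_set" and RUN_KEY.search(e["key"])}
    return [(e["pid"], e["image"]) for e in events
            if e["type"] == "process" and e["image"].lower() in persisted]


def score(events):
    """Each behaviour alone has benign explanations; three or more from one
    sample is treated as malicious (the threshold is an assumption, tune it)."""
    findings = {
        "run_key": find_run_key_persistence(events),
        "browser_kill": find_browser_kill(events),
        "ip_lookup": find_ip_lookup(events),
        "persisted_exe_executed": find_persisted_exe_execution(events),
    }
    n = sum(1 for v in findings.values() if v)
    verdict = "malicious" if n >= 3 else "suspicious" if n else "clean"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = score(EVENTS)
    print(verdict)
    for k, v in findings.items():
        print(f"  {k}: {v}")
```

Two caveats when turning this into a production rule: per-user installers (Chrome, Teams, Discord and the like) legitimately register Run values under AppData, so the AppData check is a triage signal rather than a verdict on its own, and the NLS\Language key open that the report attributes to five processes (including all three powershell.exe hosts) is read by most processes during locale initialisation and is not worth a standalone rule.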
Processes

C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe"
  PID: 1652
  - Suspicious use of WriteProcessMemory

  └ C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe"
      PID: 404
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      └ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell.exe" Stop-Process -Name "msedge"
          PID: 2692
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      └ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell.exe" Stop-Process -Name "firefox"
          PID: 3212
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      └ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell.exe" Stop-Process -Name "firefox"
          PID: 4848
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      └ C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
          Command line: "C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"
          PID: 1912
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
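The process tree above is what turns the 15 WriteProcessMemory IoCs from a possible injection into ordinary process creation: every write target is a child the writer itself spawned. The following is example code added to the report (not sandbox output) that collapses the WriteProcessMemory IoC list into unique writer-to-target edges and checks each target against the tree. WPM_IOCS and PROCESSES are transcribed from the report; the report lists every edge three times, and the list is rebuilt here in the same shape.

```python
"""Collapse the "Suspicious use of WriteProcessMemory" IoCs into unique
writer->target edges and check each target against the Processes tree.
Example code added to this report, not sandbox output.  PROCESSES maps
pid -> (image, parent pid) exactly as the Processes section shows."""
import re
from collections import Counter

SORA = "Open AI Sora 4.0_Setup_Version 5.96.exe"
# Transcribed from the report, which lists each edge three times.
WPM_IOCS = (
    [f"PID 1652 wrote to memory of 404 1652 {SORA} {SORA}"] * 3
    + [f"PID 404 wrote to memory of 2692 404 {SORA} powershell.exe"] * 3
    + [f"PID 404 wrote to memory of 3212 404 {SORA} powershell.exe"] * 3
    + [f"PID 404 wrote to memory of 4848 404 {SORA} powershell.exe"] * 3
    + [f"PID 404 wrote to memory of 1912 404 {SORA} Chrome Service.exe"] * 3
)

PROCESSES = {
    1652: (r"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe", None),
    404:  (r"C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe", 1652),
    2692: (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 404),
    3212: (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 404),
    4848: (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 404),
    1912: (r"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe", 404),
}

EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_wpm_edges(iocs):
    """Counter of (writer_pid, target_pid) -> number of write events."""
    edges = Counter()
    for line in iocs:
        m = EDGE_RE.search(line)
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def classify_writes(edges, processes):
    """Writes into a process the writer itself spawned are part of ordinary
    process creation; writes into anything else are injection candidates."""
    own_child, foreign = [], []
    for (writer, target), n in sorted(edges.items()):
        parent = processes.get(target, (None, None))[1]
        (own_child if parent == writer else foreign).append((writer, target, n))
    return own_child, foreign


def render_tree(processes, root=None, depth=0):
    """Indented parent->child listing in the same order as the report's tree."""
    lines = []
    for pid, (image, parent) in processes.items():
        if parent == root:
            lines.append("  " * depth + f"{pid}  {image}")
            lines.extend(render_tree(processes, pid, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_wpm_edges(WPM_IOCS)
    own, foreign = classify_writes(edges, PROCESSES)
    print("\n".join(render_tree(PROCESSES)))
    print(f"{sum(edges.values())} write events -> {len(edges)} unique edges")
    print("writes into own children:", own)
    print("writes into other processes:", foreign)
```

For this sample the foreign list is empty, which is why the signature is a "suspicious" tag rather than a positive injection hit; a target pid outside the writer's own children (an already-running browser, explorer.exe) is what would justify escalation. Note also that pid 404 both starts the dropped binary directly (pid 1912) and registers it under Run, so deleting the Run value alone leaves the running copy in place.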
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 1KB
  MD5: def65711d78669d7f8e69313be4acf2e
  SHA1: 6522ebf1de09eeb981e270bd95114bc69a49cda6
  SHA256: aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
  SHA512: 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

File 2
  Filesize: 17KB
  MD5: 92c06fdc8cd72a0b4d1b71a5f051df73
  SHA1: c322765dd9cc1d277f3538adf7242fc5f10e002c
  SHA256: 47c9490331c4e4a346c45bf60d3426aaaf1eb7271f2c5bc35ccd00ea1676380d
  SHA512: ee4e4e5e6d3cc3b4b08fd4d62948c6c6f496de1cf02553e625142b6e6f139b941741260722bb6d383ad508f9d97b5388eea35e3510da611f5a4d9f49ff126756

File 3
  Filesize: 17KB
  MD5: 2aeb6b94e066740e19976cbc02799928
  SHA1: 54290ae8e057b86135d1b41212e75cdc46d07b34
  SHA256: 067b9212850f13b0b7747e3c1b77a6098ac9e72f8f3f4323d8c266347ceba8aa
  SHA512: 9476f8db57fd4b93cb74d6d040456d996cafb25421b13f3a2e0b26ea34875d4f9366fa158fa7e2c3656aafdc8fee4fb0291a3a7fdf97f925f04a9e7736536ab8

File 4
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82