b129e97f69d29879931e00f9b7cc1827292ef5c1b8d9d368f26ecf0a8508effe

Analysis

max time kernel
144s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-10-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Open AI Sora 4.0_Setup_Version 5.96.exe
Size

349KB
MD5

ceb804d5dcb9e543549fdf842611dcc3
SHA1

630b4a55ec6ea4acb163422c1938ddb389340af7
SHA256

92a304e64a65bbab9a45b6cb0d3f701fe0803616d23f5f9b860d3b00488f2482
SHA512

9c380596001d7ed1ba18b826b13ac28fd9b3fed16a87fa1ed648f4534431e3dc756e3179ad5e5c12f1778ebe028446fb05597d3fc347221a6611f7af88998d82
SSDEEP

3072:sV/GaFJJZ+Qima9IjVe9+L+xZ2N4OCSPQwZkXkAy5vHOQXQWXUjzBW2HwbvWUhIj:6Bmm+aVecLuK0uPZQk4QU9Wew7G

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe"	Open AI Sora 4.0_Setup_Version 5.96.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
1	ipinfo.io

Executes dropped EXE 1 IoCs

pid	Process
1608	Chrome Service.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chrome Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Open AI Sora 4.0_Setup_Version 5.96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3984	Open AI Sora 4.0_Setup_Version 5.96.exe
3984	Open AI Sora 4.0_Setup_Version 5.96.exe
4632	powershell.exe
4632	powershell.exe
4632	powershell.exe
3984	Open AI Sora 4.0_Setup_Version 5.96.exe
3984	Open AI Sora 4.0_Setup_Version 5.96.exe
4788	powershell.exe
4788	powershell.exe
4788	powershell.exe
3984	Open AI Sora 4.0_Setup_Version 5.96.exe
3984	Open AI Sora 4.0_Setup_Version 5.96.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 3984	1144	Open AI Sora 4.0_Setup_Version 5.96.exe	77
PID 1144 wrote to memory of 3984	1144	Open AI Sora 4.0_Setup_Version 5.96.exe	77
PID 1144 wrote to memory of 3984	1144	Open AI Sora 4.0_Setup_Version 5.96.exe	77
PID 3984 wrote to memory of 4632	3984	Open AI Sora 4.0_Setup_Version 5.96.exe	79
PID 3984 wrote to memory of 4632	3984	Open AI Sora 4.0_Setup_Version 5.96.exe	79
PID 3984 wrote to memory of 4632	3984	Open AI Sora 4.0_Setup_Version 5.96.exe	79
PID 3984 wrote to memory of 4788	3984	Open AI Sora 4.0_Setup_Version 5.96.exe	81
PID 3984 wrote to memory of 4788	3984	Open AI Sora 4.0_Setup_Version 5.96.exe	81
PID 3984 wrote to memory of 4788	3984	Open AI Sora 4.0_Setup_Version 5.96.exe	81
PID 3984 wrote to memory of 1512	3984	Open AI Sora 4.0_Setup_Version 5.96.exe	83
PID 3984 wrote to memory of 1512	3984	Open AI Sora 4.0_Setup_Version 5.96.exe	83
PID 3984 wrote to memory of 1512	3984	Open AI Sora 4.0_Setup_Version 5.96.exe	83
PID 3984 wrote to memory of 1608	3984	Open AI Sora 4.0_Setup_Version 5.96.exe	85
PID 3984 wrote to memory of 1608	3984	Open AI Sora 4.0_Setup_Version 5.96.exe	85
PID 3984 wrote to memory of 1608	3984	Open AI Sora 4.0_Setup_Version 5.96.exe	85

C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe
"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe
  "C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Stop-Process -Name "msedge"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Stop-Process -Name "firefox"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Stop-Process -Name "firefox"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
    "C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
e080d58e6387c9fd87434a502e1a902e

SHA1
ae76ce6a2a39d79226c343cfe4745d48c7c1a91a

SHA256
6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425

SHA512
6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
8683c67a0f306c5c3bba913e966f9dde

SHA1
733ff88904f3c8468dd476d5492d81c47e09c3cc

SHA256
721ce43c50deca4c994d2007a9ba62eccc4ed78371b28c7541f082e3bfb988cf

SHA512
ad8aeaf0cf614c54f65daa5c2e8c86ffc5ff739ab781ae17e2a454da0178d309cf4237906a1106487aa25b9b1306d2ffaff9a86c20a228ab9e2d77d6853b3f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
0f63d814ee5c76cdc0371b974be0d5f9

SHA1
a0e2d9509b2b4e6739580d7ef5d858b1855b3c2f

SHA256
96aea05db7d88bf649163c586773aff4a163399bfd0a19209241d2c0394af735

SHA512
1458c791c3a72186376595d0737e75840ec729855017383c47e6fe2c0bf9b3b01539f73b3c9e0c8e478f3d7f604f1b2b298aa34e939f7a7c6d8fb2e010751b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aj4kpkwk.uhh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1512-195-0x0000000006260000-0x00000000065B7000-memory.dmp

Filesize
3.3MB

Download
memory/3984-32-0x000000002FC10000-0x000000002FCB5000-memory.dmp

Filesize
660KB

Download
memory/3984-44-0x000000002FD50000-0x000000002FDC5000-memory.dmp

Filesize
468KB

Download
memory/3984-25-0x000000002FEC0000-0x0000000030216000-memory.dmp

Filesize
3.3MB

Download
memory/3984-12-0x0000000006A10000-0x0000000006A2D000-memory.dmp

Filesize
116KB

Download
memory/3984-16-0x0000000006A60000-0x0000000006A88000-memory.dmp

Filesize
160KB

Download
memory/3984-13-0x0000000006A60000-0x0000000006A88000-memory.dmp

Filesize
160KB

Download
memory/3984-9-0x0000000006A10000-0x0000000006A2D000-memory.dmp

Filesize
116KB

Download
memory/3984-17-0x000000002F9D0000-0x000000002FB5E000-memory.dmp

Filesize
1.6MB

Download
memory/3984-21-0x0000000006F70000-0x0000000006FA0000-memory.dmp

Filesize
192KB

Download
memory/3984-52-0x00000000302C0000-0x0000000030356000-memory.dmp

Filesize
600KB

Download
memory/3984-60-0x000000002FD10000-0x000000002FD4C000-memory.dmp

Filesize
240KB

Download
memory/3984-57-0x000000002FD10000-0x000000002FD4C000-memory.dmp

Filesize
240KB

Download
memory/3984-56-0x000000002FE30000-0x000000002FEAA000-memory.dmp

Filesize
488KB

Download
memory/3984-53-0x000000002FE30000-0x000000002FEAA000-memory.dmp

Filesize
488KB

Download
memory/3984-49-0x00000000302C0000-0x0000000030356000-memory.dmp

Filesize
600KB

Download
memory/3984-48-0x000000002FDD0000-0x000000002FE24000-memory.dmp

Filesize
336KB

Download
memory/3984-45-0x000000002FDD0000-0x000000002FE24000-memory.dmp

Filesize
336KB

Download
memory/3984-24-0x0000000006F70000-0x0000000006FA0000-memory.dmp

Filesize
192KB

Download
memory/3984-41-0x000000002FD50000-0x000000002FDC5000-memory.dmp

Filesize
468KB

Download
memory/3984-40-0x000000002FBE0000-0x000000002FBF1000-memory.dmp

Filesize
68KB

Download
memory/3984-37-0x000000002FBE0000-0x000000002FBF1000-memory.dmp

Filesize
68KB

Download
memory/3984-36-0x0000000007080000-0x0000000007095000-memory.dmp

Filesize
84KB

Download
memory/3984-33-0x0000000007080000-0x0000000007095000-memory.dmp

Filesize
84KB

Download
memory/3984-0-0x00000000070B0000-0x0000000007A39000-memory.dmp

Filesize
9.5MB

Download
memory/3984-29-0x000000002FC10000-0x000000002FCB5000-memory.dmp

Filesize
660KB

Download
memory/3984-28-0x000000002FEC0000-0x0000000030216000-memory.dmp

Filesize
3.3MB

Download
memory/3984-3-0x00000000070B0000-0x0000000007A39000-memory.dmp

Filesize
9.5MB

Download
memory/3984-20-0x000000002F9D0000-0x000000002FB5E000-memory.dmp

Filesize
1.6MB

Download
memory/3984-4-0x0000000000974000-0x0000000000975000-memory.dmp

Filesize
4KB

Download
memory/3984-8-0x0000000006AC0000-0x0000000006B67000-memory.dmp

Filesize
668KB

Download
memory/3984-5-0x0000000006AC0000-0x0000000006B67000-memory.dmp

Filesize
668KB

Download
memory/3984-64-0x0000000030280000-0x0000000030292000-memory.dmp

Filesize
72KB

Download
memory/3984-61-0x0000000030280000-0x0000000030292000-memory.dmp

Filesize
72KB

Download
memory/4632-164-0x00000000065C0000-0x00000000065E2000-memory.dmp

Filesize
136KB

Download
memory/4632-144-0x0000000002870000-0x00000000028A6000-memory.dmp

Filesize
216KB

Download
memory/4632-145-0x00000000735C0000-0x0000000073D71000-memory.dmp

Filesize
7.7MB

Download
memory/4632-146-0x00000000054A0000-0x0000000005ACA000-memory.dmp

Filesize
6.2MB

Download
memory/4632-147-0x00000000051B0000-0x00000000051D2000-memory.dmp

Filesize
136KB

Download
memory/4632-150-0x00000000735C0000-0x0000000073D71000-memory.dmp

Filesize
7.7MB

Download
memory/4632-148-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/4632-149-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/4632-159-0x0000000005C20000-0x0000000005F77000-memory.dmp

Filesize
3.3MB

Download
memory/4632-160-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/4632-161-0x0000000006080000-0x00000000060CC000-memory.dmp

Filesize
304KB

Download
memory/4632-143-0x00000000735CE000-0x00000000735CF000-memory.dmp

Filesize
4KB

Download
memory/4632-163-0x0000000006570000-0x000000000658A000-memory.dmp

Filesize
104KB

Download
memory/4632-165-0x0000000007660000-0x0000000007C06000-memory.dmp

Filesize
5.6MB

Download
memory/4632-162-0x0000000007010000-0x00000000070A6000-memory.dmp

Filesize
600KB

Download
memory/4632-168-0x00000000735C0000-0x0000000073D71000-memory.dmp

Filesize
7.7MB

Download
memory/4788-179-0x00000000735C0000-0x0000000073D71000-memory.dmp

Filesize
7.7MB

Download
memory/4788-181-0x00000000735C0000-0x0000000073D71000-memory.dmp

Filesize
7.7MB

Download
memory/4788-180-0x00000000735C0000-0x0000000073D71000-memory.dmp

Filesize
7.7MB

Download
memory/4788-190-0x00000000054F0000-0x0000000005847000-memory.dmp

Filesize
3.3MB

Download
memory/4788-193-0x00000000735C0000-0x0000000073D71000-memory.dmp

Filesize
7.7MB

Download