Analysis
max time kernel: 141s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16-10-2024 15:13
Behavioral task behavioral1
Sample: Open AI Sora 4.0_Setup_Version 5.96.exe
Resource: win10v2004-20241007-en
Behavioral task behavioral2
Sample: Open AI Sora 4.0_Setup_Version 5.96.exe
Resource: win11-20241007-en
Behavioral task behavioral3
Sample: app-5.96.0/Open AI Sora 4.0_Setup_Version 5.96.exe
Resource: win10v2004-20241007-en
Behavioral task behavioral4
Sample: app-5.96.0/Open AI Sora 4.0_Setup_Version 5.96.exe
Resource: win11-20241007-en
General
Target: app-5.96.0/Open AI Sora 4.0_Setup_Version 5.96.exe
Size: 744.1MB
MD5: 33e4c114789665f10c3f11ffea9d2ba3
SHA1: 5fefd509d0e38b6bed0867fb9780ff1208d5cc6a
SHA256: 99a4657b318daeec77a6ea8eb8082a16d58dd18c179e5df6f01e687bf99be58b
SHA512: c16b9cb968a03f852046919f34b975363eaf8082510c6cc3da119ddaac107d3a65da0d02b5c1906396f8a1abe59cf3dbbdca568eaff106828cf0975c00410781
SSDEEP: 3145728:/hSx3pv753l36cJoYuuuuuuuvZzwJgFoR:pSnT53hVm6R
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 4544 Chrome Service.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Open AI Sora 4.0_Setup_Version 5.96.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe"
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: 1 ipinfo.io, 2 ipinfo.io
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: powershell.exe (x3), Chrome Service.exe, Open AI Sora 4.0_Setup_Version 5.96.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by powershell.exe, powershell.exe, powershell.exe, Chrome Service.exe, Open AI Sora 4.0_Setup_Version 5.96.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes: PID 3376 Open AI Sora 4.0_Setup_Version 5.96.exe (x6), PID 1304 powershell.exe (x3), PID 4996 powershell.exe (x3), PID 4620 powershell.exe (x3)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 1304 powershell.exe; PID 4996 powershell.exe; PID 4620 powershell.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3376 Open AI Sora 4.0_Setup_Version 5.96.exe wrote to memory of: PID 1304 powershell.exe (x3), PID 4996 powershell.exe (x3), PID 4620 powershell.exe (x3), PID 4544 Chrome Service.exe (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe"
  PID: 3376 (depth 1)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Stop-Process -Name "msedge"
    PID: 1304 (depth 2, child of PID 3376)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Stop-Process -Name "firefox"
    PID: 4996 (depth 2, child of PID 3376)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Stop-Process -Name "firefox"
    PID: 4620 (depth 2, child of PID 3376)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
    Command line: "C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"
    PID: 4544 (depth 2, child of PID 3376)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads