Malware Analysis Report

2024-11-13 13:55

Sample ID 241016-sl557sweja
Target Open AI Sora 4.0 Verison 4.89.zip
SHA256 b129e97f69d29879931e00f9b7cc1827292ef5c1b8d9d368f26ecf0a8508effe
Tags discovery persistence spyware stealer ducktail
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

b129e97f69d29879931e00f9b7cc1827292ef5c1b8d9d368f26ecf0a8508effe

Threat Level: Known bad

The file Open AI Sora 4.0 Verison 4.89.zip was found to be: Known bad.

Malicious Activity Summary

discovery persistence spyware stealer ducktail

Ducktail family

Detect Ducktail Third Stage Payload

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Executes dropped EXE

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 15:15

Signatures

Detect Ducktail Third Stage Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ducktail family

ducktail

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-16 15:13

Reported

2024-10-16 15:24

Platform

win11-20241007-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3376 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3376 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3376 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe

"C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/3376-0-0x0000000006E50000-0x00000000077D9000-memory.dmp

memory/3376-12-0x0000000000D44000-0x0000000000D45000-memory.dmp

memory/3376-11-0x00000000069C0000-0x00000000069DD000-memory.dmp

memory/3376-8-0x00000000069C0000-0x00000000069DD000-memory.dmp

memory/3376-7-0x0000000006A40000-0x0000000006AE7000-memory.dmp

memory/3376-3-0x0000000006E50000-0x00000000077D9000-memory.dmp

memory/3376-16-0x0000000006A10000-0x0000000006A38000-memory.dmp

memory/3376-13-0x0000000006A10000-0x0000000006A38000-memory.dmp

memory/3376-4-0x0000000006A40000-0x0000000006AE7000-memory.dmp

memory/3376-20-0x000000002F900000-0x000000002FA8E000-memory.dmp

memory/3376-29-0x000000002F820000-0x000000002F8C5000-memory.dmp

memory/3376-36-0x000000002F770000-0x000000002F785000-memory.dmp

memory/3376-33-0x000000002F770000-0x000000002F785000-memory.dmp

memory/3376-32-0x000000002F820000-0x000000002F8C5000-memory.dmp

memory/3376-28-0x000000002FDF0000-0x0000000030146000-memory.dmp

memory/3376-25-0x000000002FDF0000-0x0000000030146000-memory.dmp

memory/3376-21-0x0000000006730000-0x0000000006760000-memory.dmp

memory/3376-17-0x000000002F900000-0x000000002FA8E000-memory.dmp

memory/3376-24-0x0000000006730000-0x0000000006760000-memory.dmp

memory/3376-41-0x000000002FB20000-0x000000002FB95000-memory.dmp

memory/3376-44-0x000000002FB20000-0x000000002FB95000-memory.dmp

memory/3376-60-0x000000002FAE0000-0x000000002FB1C000-memory.dmp

memory/3376-64-0x000000002FD80000-0x000000002FD92000-memory.dmp

memory/3376-61-0x000000002FD80000-0x000000002FD92000-memory.dmp

memory/3376-57-0x000000002FAE0000-0x000000002FB1C000-memory.dmp

memory/3376-56-0x000000002FC00000-0x000000002FC7A000-memory.dmp

memory/3376-53-0x000000002FC00000-0x000000002FC7A000-memory.dmp

memory/3376-49-0x000000002FCA0000-0x000000002FD36000-memory.dmp

memory/3376-48-0x000000002FBA0000-0x000000002FBF4000-memory.dmp

memory/3376-45-0x000000002FBA0000-0x000000002FBF4000-memory.dmp

memory/3376-52-0x000000002FCA0000-0x000000002FD36000-memory.dmp

memory/3376-40-0x000000002F8D0000-0x000000002F8E1000-memory.dmp

memory/3376-37-0x000000002F8D0000-0x000000002F8E1000-memory.dmp

memory/1304-143-0x000000007385E000-0x000000007385F000-memory.dmp

memory/1304-144-0x00000000052C0000-0x00000000052F6000-memory.dmp

memory/1304-146-0x0000000005930000-0x0000000005F5A000-memory.dmp

memory/1304-145-0x0000000073850000-0x0000000074001000-memory.dmp

memory/1304-148-0x0000000073850000-0x0000000074001000-memory.dmp

memory/1304-150-0x00000000061A0000-0x0000000006206000-memory.dmp

memory/1304-149-0x0000000006130000-0x0000000006196000-memory.dmp

memory/1304-147-0x0000000005F90000-0x0000000005FB2000-memory.dmp

memory/1304-156-0x0000000006210000-0x0000000006567000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axwma4pp.cfp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1304-160-0x0000000006700000-0x000000000671E000-memory.dmp

memory/1304-161-0x0000000006CC0000-0x0000000006D0C000-memory.dmp

memory/1304-162-0x00000000076C0000-0x0000000007756000-memory.dmp

memory/1304-163-0x0000000006BA0000-0x0000000006BBA000-memory.dmp

memory/1304-164-0x0000000006BF0000-0x0000000006C12000-memory.dmp

memory/1304-165-0x0000000007D10000-0x00000000082B6000-memory.dmp

memory/1304-168-0x0000000073850000-0x0000000074001000-memory.dmp

memory/4996-179-0x0000000073850000-0x0000000074001000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 e080d58e6387c9fd87434a502e1a902e
SHA1 ae76ce6a2a39d79226c343cfe4745d48c7c1a91a
SHA256 6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425
SHA512 6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede

memory/4996-180-0x0000000073850000-0x0000000074001000-memory.dmp

memory/4996-181-0x0000000073850000-0x0000000074001000-memory.dmp

memory/4996-190-0x0000000006120000-0x0000000006477000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e6bfab4d6e3aed045bacb21d7a4365cd
SHA1 ac06b60993b2053242eb21fdc0efabcfa52b4c7a
SHA256 b65cdf33f2f147ba9c1d81e650f617d2c70345b0807e97e694a998f0e99b0c6b
SHA512 bc3a93858832b6c2541e1e40860fc4743b6281fe56ad54c2a0e198a4b039eb3b4e884b402110ce1886038ae84a68fc4a42b40ef6b3cc2daeb2309cd9a358270f

memory/4996-193-0x0000000073850000-0x0000000074001000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f6b4df435649013bb1b244ebf4481d98
SHA1 13b93079403526b2580213f9df91610a42aee1ae
SHA256 335d0e955ea8bbd904d73947c886c6f4df465838b75242512f474b07f896240a
SHA512 0d57e6ad9d91bf861b3c9d52d6083ae272b8ce4b77899d3c8c02ed3818ea2f494a2db5c7cf4100500ed1eb653b957b8b0d59a62e40a166aac4bf4440fbbebce2

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 15:13

Reported

2024-10-16 15:24

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1652 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe
PID 1652 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe
PID 1652 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe
PID 404 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 3212 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 3212 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 3212 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 404 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 404 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe"

C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe

"C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/404-0-0x0000000006E80000-0x0000000007809000-memory.dmp

memory/404-4-0x00000000005A4000-0x00000000005A5000-memory.dmp

memory/404-3-0x0000000006E80000-0x0000000007809000-memory.dmp

memory/404-8-0x0000000006750000-0x00000000067F7000-memory.dmp

memory/404-12-0x00000000066D0000-0x00000000066ED000-memory.dmp

memory/404-16-0x0000000006720000-0x0000000006748000-memory.dmp

memory/404-13-0x0000000006720000-0x0000000006748000-memory.dmp

memory/404-9-0x00000000066D0000-0x00000000066ED000-memory.dmp

memory/404-5-0x0000000006750000-0x00000000067F7000-memory.dmp

memory/404-20-0x000000002F6A0000-0x000000002F82E000-memory.dmp

memory/404-24-0x0000000006D30000-0x0000000006D60000-memory.dmp

memory/404-25-0x000000002FB90000-0x000000002FEE6000-memory.dmp

memory/404-41-0x000000002FA20000-0x000000002FA95000-memory.dmp

memory/404-57-0x000000002F9E0000-0x000000002FA1C000-memory.dmp

memory/404-65-0x000000002F8D0000-0x000000002F8D6000-memory.dmp

memory/404-64-0x000000002FF30000-0x000000002FF42000-memory.dmp

memory/404-61-0x000000002FF30000-0x000000002FF42000-memory.dmp

memory/404-56-0x000000002FB00000-0x000000002FB7A000-memory.dmp

memory/404-52-0x000000002FF90000-0x0000000030026000-memory.dmp

memory/404-49-0x000000002FF90000-0x0000000030026000-memory.dmp

memory/404-48-0x000000002FAA0000-0x000000002FAF4000-memory.dmp

memory/404-45-0x000000002FAA0000-0x000000002FAF4000-memory.dmp

memory/404-44-0x000000002FA20000-0x000000002FA95000-memory.dmp

memory/404-40-0x000000002F890000-0x000000002F8A1000-memory.dmp

memory/404-37-0x000000002F890000-0x000000002F8A1000-memory.dmp

memory/404-36-0x0000000006E40000-0x0000000006E55000-memory.dmp

memory/404-33-0x0000000006E40000-0x0000000006E55000-memory.dmp

memory/404-53-0x000000002FB00000-0x000000002FB7A000-memory.dmp

memory/404-32-0x000000002F8E0000-0x000000002F985000-memory.dmp

memory/404-29-0x000000002F8E0000-0x000000002F985000-memory.dmp

memory/404-28-0x000000002FB90000-0x000000002FEE6000-memory.dmp

memory/404-21-0x0000000006D30000-0x0000000006D60000-memory.dmp

memory/404-17-0x000000002F6A0000-0x000000002F82E000-memory.dmp

memory/2692-143-0x00000000738EE000-0x00000000738EF000-memory.dmp

memory/2692-144-0x0000000004690000-0x00000000046C6000-memory.dmp

memory/2692-146-0x0000000004DF0000-0x0000000005418000-memory.dmp

memory/2692-145-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/2692-147-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/2692-148-0x0000000005420000-0x0000000005442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_psys1n40.teg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2692-150-0x00000000055F0000-0x0000000005656000-memory.dmp

memory/2692-149-0x0000000005580000-0x00000000055E6000-memory.dmp

memory/2692-160-0x0000000005760000-0x0000000005AB4000-memory.dmp

memory/2692-161-0x0000000005C60000-0x0000000005C7E000-memory.dmp

memory/2692-162-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

memory/2692-165-0x0000000006190000-0x00000000061B2000-memory.dmp

memory/2692-164-0x0000000006140000-0x000000000615A000-memory.dmp

memory/2692-166-0x0000000007470000-0x0000000007A14000-memory.dmp

memory/2692-163-0x0000000006E20000-0x0000000006EB6000-memory.dmp

memory/2692-169-0x00000000738E0000-0x0000000074090000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/3212-180-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/3212-191-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/3212-190-0x00000000062C0000-0x0000000006614000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 92c06fdc8cd72a0b4d1b71a5f051df73
SHA1 c322765dd9cc1d277f3538adf7242fc5f10e002c
SHA256 47c9490331c4e4a346c45bf60d3426aaaf1eb7271f2c5bc35ccd00ea1676380d
SHA512 ee4e4e5e6d3cc3b4b08fd4d62948c6c6f496de1cf02553e625142b6e6f139b941741260722bb6d383ad508f9d97b5388eea35e3510da611f5a4d9f49ff126756

memory/3212-192-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/3212-195-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/4848-206-0x0000000005810000-0x0000000005B64000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2aeb6b94e066740e19976cbc02799928
SHA1 54290ae8e057b86135d1b41212e75cdc46d07b34
SHA256 067b9212850f13b0b7747e3c1b77a6098ac9e72f8f3f4323d8c266347ceba8aa
SHA512 9476f8db57fd4b93cb74d6d040456d996cafb25421b13f3a2e0b26ea34875d4f9366fa158fa7e2c3656aafdc8fee4fb0291a3a7fdf97f925f04a9e7736536ab8

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 15:13

Reported

2024-10-16 15:24

Platform

win11-20241007-en

Max time kernel

144s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1144 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe
PID 1144 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe
PID 1144 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe
PID 3984 wrote to memory of 4632 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4632 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4632 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3984 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3984 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0_Setup_Version 5.96.exe"

C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe

"C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/3984-0-0x00000000070B0000-0x0000000007A39000-memory.dmp

memory/3984-4-0x0000000000974000-0x0000000000975000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aj4kpkwk.uhh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 e080d58e6387c9fd87434a502e1a902e
SHA1 ae76ce6a2a39d79226c343cfe4745d48c7c1a91a
SHA256 6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425
SHA512 6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8683c67a0f306c5c3bba913e966f9dde
SHA1 733ff88904f3c8468dd476d5492d81c47e09c3cc
SHA256 721ce43c50deca4c994d2007a9ba62eccc4ed78371b28c7541f082e3bfb988cf
SHA512 ad8aeaf0cf614c54f65daa5c2e8c86ffc5ff739ab781ae17e2a454da0178d309cf4237906a1106487aa25b9b1306d2ffaff9a86c20a228ab9e2d77d6853b3f23

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0f63d814ee5c76cdc0371b974be0d5f9
SHA1 a0e2d9509b2b4e6739580d7ef5d858b1855b3c2f
SHA256 96aea05db7d88bf649163c586773aff4a163399bfd0a19209241d2c0394af735
SHA512 1458c791c3a72186376595d0737e75840ec729855017383c47e6fe2c0bf9b3b01539f73b3c9e0c8e478f3d7f604f1b2b298aa34e939f7a7c6d8fb2e010751b48

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-16 15:13

Reported

2024-10-16 15:25

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 228 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 228 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 228 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe

"C:\Users\Admin\AppData\Local\Temp\app-5.96.0\Open AI Sora 4.0_Setup_Version 5.96.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mhfgpsoy.neq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3771e11a8dd2b4ec3332a1b7b7bb91b8
SHA1 0f2be33598790bb54ea0b9f7786f893f4a1a6746
SHA256 46061c699c92f28c08f2053c216d0be107e4805fed122f426359d50d62684cff
SHA512 b563bc66e290f6a9a71235bfb3a254b138fc4f5fed71f5e9f8dc8e7a4c529dc3ea354903c23c52c53c773a004ffa268907515272913ceca8784f9cc21e6eb5b5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c1d7580d4dfac2573e4c72456a677a11
SHA1 71a9443d7192acf1bb5144aa40aff7de067f6533
SHA256 592aabf20359769b067604495e1e8e1d3764d9452060312fe6ccd7f1e8f776b5
SHA512 1343b44c5e2150ec6b2bf65078fde0eaea76f0b96e6f2662d214f23d3aa8d2392a641f81535333c1fe381b23e170f27b227f2cdcaa1ebad3e4f2c6f5b5fc370a