Analysis
-
max time kernel
119s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
17/10/2024, 17:13
General
-
Target
app-11.4.0/Open AI Sora 4.0 Verison 4.89.exe
-
Size
717.9MB
-
MD5
4ca74930fb928138ef72335d06cc39db
-
SHA1
14ea9754494af1beb429224911b2ec2f43d3a802
-
SHA256
86f1e1adb0542298fede2316612d6a90ab655a2774d5bc766c4eb77e0bd25e70
-
SHA512
7aaa890c51d012eced7d1f565b61a9d3dc2480945e4ef1509806763cd48fa016ee4c9c44bde44bc10da34b00aee3e897038f200b19b9e136cb98788a6977bee2
-
SSDEEP
3145728:lnOvz6yqIkFIkFIkFIkFIkFIkFIkFIkYZzwJgFos:eGIkFIkFIkFIkFIkFIkFIkFIk5m6s
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "firefox"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "firefox"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD562a5c95f439409c6f20621c5dd69a9da
SHA140fd565b81682b48d38f3b0598b430c1c84acce3
SHA256f299d4dd08ed45f1d10150148a4fcfe464913aa234affcb11c58998a146ba47f
SHA5122ba3a69546e405f64877f3f1302598ca1f72f4bc24a2db4baacd2f90a5f919a8064cd934b089d3070138235c754b8a2bc7abdf81d4b7ee4e428022e0483d9438
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
468KB
-
Filesize
84KB
-
Filesize
1.6MB
-
Filesize
660KB
-
Filesize
336KB
-
Filesize
240KB
-
Filesize
192KB
-
Filesize
240KB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
600KB
-
Filesize
600KB
-
Filesize
336KB
-
Filesize
9.5MB
-
Filesize
468KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
160KB
-
Filesize
84KB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
192KB
-
Filesize
1.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
160KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
4KB
-
Filesize
9.5MB