Overview
overview
10Static
static
10Open AI So...89.exe
windows7-x64
6Open AI So...89.exe
windows10-2004-x64
6app-11.4.0...ls.dll
windows7-x64
1app-11.4.0...ls.dll
windows10-2004-x64
1app-11.4.0...ld.dll
windows7-x64
1app-11.4.0...ld.dll
windows10-2004-x64
1app-11.4.0...89.exe
windows7-x64
7app-11.4.0...89.exe
windows10-2004-x64
7app-11.4.0...ls.dll
windows7-x64
1app-11.4.0...ls.dll
windows10-2004-x64
1app-11.4.0...gs.dll
windows7-x64
1app-11.4.0...gs.dll
windows10-2004-x64
1app-11.4.0...s2.dll
windows7-x64
1app-11.4.0...s2.dll
windows10-2004-x64
1app-11.4.0...ls.dll
windows7-x64
1app-11.4.0...ls.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0...-0.dll
windows10-2004-x64
1app-11.4.0..._1.dll
windows7-x64
1app-11.4.0..._1.dll
windows10-2004-x64
1app-11.4.0...ds.dll
windows7-x64
1app-11.4.0...ds.dll
windows10-2004-x64
1Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-10-2024 20:25
Behavioral task
behavioral1
Sample
Open AI Sora 4.0 Verison 4.89.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Open AI Sora 4.0 Verison 4.89.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
app-11.4.0/EMUtils.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
app-11.4.0/EMUtils.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
app-11.4.0/EMUtilsOld.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
app-11.4.0/EMUtilsOld.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
app-11.4.0/Open AI Sora 4.0 Verison 4.89.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
app-11.4.0/Open AI Sora 4.0 Verison 4.89.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
app-11.4.0/Qt6LabsQmlModels.dll
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
app-11.4.0/Qt6LabsQmlModels.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
app-11.4.0/Qt6LabsSettings.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
app-11.4.0/Qt6LabsSettings.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
app-11.4.0/Qt6QuickControls2.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
app-11.4.0/Qt6QuickControls2.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
app-11.4.0/Qt6QuickDialogs2Utils.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
app-11.4.0/Qt6QuickDialogs2Utils.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
app-11.4.0/api-ms-win-crt-convert-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
app-11.4.0/api-ms-win-crt-environment-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
app-11.4.0/api-ms-win-crt-filesystem-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
app-11.4.0/api-ms-win-crt-heap-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
app-11.4.0/api-ms-win-crt-locale-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
app-11.4.0/api-ms-win-crt-math-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
app-11.4.0/api-ms-win-crt-multibyte-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
app-11.4.0/api-ms-win-crt-private-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
app-11.4.0/api-ms-win-crt-process-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
app-11.4.0/api-ms-win-crt-runtime-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
app-11.4.0/api-ms-win-crt-stdio-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
app-11.4.0/api-ms-win-crt-string-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
app-11.4.0/msvcp140_1.dll
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
app-11.4.0/msvcp140_1.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
app-11.4.0/msvcp140_codecvt_ids.dll
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
app-11.4.0/msvcp140_codecvt_ids.dll
Resource
win10v2004-20241007-en
General
-
Target
app-11.4.0/Open AI Sora 4.0 Verison 4.89.exe
-
Size
717.9MB
-
MD5
4ca74930fb928138ef72335d06cc39db
-
SHA1
14ea9754494af1beb429224911b2ec2f43d3a802
-
SHA256
86f1e1adb0542298fede2316612d6a90ab655a2774d5bc766c4eb77e0bd25e70
-
SHA512
7aaa890c51d012eced7d1f565b61a9d3dc2480945e4ef1509806763cd48fa016ee4c9c44bde44bc10da34b00aee3e897038f200b19b9e136cb98788a6977bee2
-
SSDEEP
3145728:lnOvz6yqIkFIkFIkFIkFIkFIkFIkFIkYZzwJgFos:eGIkFIkFIkFIkFIkFIkFIkFIk5m6s
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Open AI Sora 4.0 Verison 4.89.exe -
Executes dropped EXE 1 IoCs
pid Process 868 Chrome Service.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" Open AI Sora 4.0 Verison 4.89.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 ipinfo.io 20 ipinfo.io -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome Service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Open AI Sora 4.0 Verison 4.89.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 2912 Open AI Sora 4.0 Verison 4.89.exe 2912 Open AI Sora 4.0 Verison 4.89.exe 3332 powershell.exe 3332 powershell.exe 3332 powershell.exe 2912 Open AI Sora 4.0 Verison 4.89.exe 2912 Open AI Sora 4.0 Verison 4.89.exe 760 powershell.exe 760 powershell.exe 760 powershell.exe 2912 Open AI Sora 4.0 Verison 4.89.exe 2912 Open AI Sora 4.0 Verison 4.89.exe 1044 powershell.exe 1044 powershell.exe 1044 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3332 powershell.exe Token: SeDebugPrivilege 760 powershell.exe Token: SeDebugPrivilege 1044 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2912 wrote to memory of 3332 2912 Open AI Sora 4.0 Verison 4.89.exe 86 PID 2912 wrote to memory of 3332 2912 Open AI Sora 4.0 Verison 4.89.exe 86 PID 2912 wrote to memory of 3332 2912 Open AI Sora 4.0 Verison 4.89.exe 86 PID 2912 wrote to memory of 760 2912 Open AI Sora 4.0 Verison 4.89.exe 88 PID 2912 wrote to memory of 760 2912 Open AI Sora 4.0 Verison 4.89.exe 88 PID 2912 wrote to memory of 760 2912 Open AI Sora 4.0 Verison 4.89.exe 88 PID 2912 wrote to memory of 1044 2912 Open AI Sora 4.0 Verison 4.89.exe 90 PID 2912 wrote to memory of 1044 2912 Open AI Sora 4.0 Verison 4.89.exe 90 PID 2912 wrote to memory of 1044 2912 Open AI Sora 4.0 Verison 4.89.exe 90 PID 2912 wrote to memory of 868 2912 Open AI Sora 4.0 Verison 4.89.exe 108 PID 2912 wrote to memory of 868 2912 Open AI Sora 4.0 Verison 4.89.exe 108 PID 2912 wrote to memory of 868 2912 Open AI Sora 4.0 Verison 4.89.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "msedge"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3332
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "firefox"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "firefox"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
-
C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:868
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
17KB
MD5a2d8e4d213bfd199c7abf5b5b3d91e0a
SHA16618a25104b173190de8b613ca8f6f900a8af368
SHA256883fd39c2e7a652f131429bc71a268a32ff592cf3c5d0c729f8596a7d18f2a76
SHA5129b8be87ed0e12c5d5a7aeb66e5225528f388a06a834e9db511bc87e10b77d78651d8cdad2fdf5bf9b275d3e96448196f96937ee5d3dcd2fb40ee9850306733d6
-
Filesize
17KB
MD5d33cce10257de9d42ffbca845d21a0f2
SHA19c4b3747dbbe8457a5a67d0a05667dfa8aece0e3
SHA256010cfb7fc9b3a3bf2339c0c99700871be793fc49cbe085ab9e991e545e843e97
SHA512047915e97b0fd6195ea45d7a7a3045d6722decf354d19c76a68ba49647cdc7cb27d0296bdf5ee463b0ea7e51c4a01a061705e4d0eee9b95395eb3fd76c009ece
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82