Malware Analysis Report

2024-11-13 13:54

Sample ID 241019-y7r4csxbjf
Target Open AI Sora 4.0 Verison 4.89.zip
SHA256 9ecdf63c778837fe391974d12dbda0752ccb58ef8e6241dd2bfc223580b1f536
Tags ducktail, discovery, persistence, spyware, stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analyses behavioral1, behavioral5, behavioral9, behavioral11, behavioral15, behavioral21, behavioral23, behavioral30, behavioral2, behavioral12, behavioral13, behavioral28, behavioral29, behavioral27, behavioral14, behavioral18, behavioral22, behavioral26, behavioral8, behavioral10, behavioral16, behavioral7, behavioral17, behavioral19, behavioral20, behavioral24, behavioral6, behavioral31, behavioral32, behavioral3, behavioral4, behavioral25 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 9ecdf63c778837fe391974d12dbda0752ccb58ef8e6241dd2bfc223580b1f536

Threat Level: Known bad

The file Open AI Sora 4.0 Verison 4.89.zip was found to be: Known bad.

Malicious Activity Summary

Tags: ducktail, discovery, persistence, spyware, stealer

Detect Ducktail Third Stage Payload
Ducktail family
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported 2024-10-19 20:27

Signatures

Detect Ducktail Third Stage Payload

(no description, indicator, process or target recorded)

Ducktail family

ducktail

Unsigned PE

(no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-19 20:25
Reported 2024-10-19 20:36
Platform win7-20241010-en
Max time kernel 119s
Max time network 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe"
Process: C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
Target: N/A

Looks up external IP address via web service

Indicator: ipinfo.io (2 hits; description, process and target not recorded)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes:
  C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2 hits)
  C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2 hits)

Suspicious use of WriteProcessMemory

Description: PID 2324 wrote to memory of 1972 (4 hits)
Process: C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe
Target: C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

Description: PID 1972 wrote to memory of 1328 (4 hits)
Process: C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
Target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Description: PID 1972 wrote to memory of 484 (4 hits)
Process: C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
Target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Description: PID 1972 wrote to memory of 3056 (4 hits)
Process: C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
Target: C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"
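The behavioral1 chain shown above (the stage-2 executable under app-11.4.0 spawning powershell.exe to Stop-Process the browser, then registering "Chrome Service.exe" under a Run value named GoogleChromed) is what a host-based detection should key on: closing a browser from PowerShell is consistent with the "Reads user/profile data of web browsers" signature, since a running browser holds its profile databases open. The Python below is an added example written for this page, not code from the sandbox report or any vendor's rule set. It applies two rules to endpoint events and only escalates a PID on which both fire, so a legitimate per-user updater that merely registers a Run entry is not reported by itself. The event dictionaries and their field names are constructed to mirror the report's rows and are an assumption rather than a real EDR schema; the browser list and the look-alike word list are analyst choices.

```python
import re
from collections import defaultdict

# Browsers a stealer closes before copying profile databases (analyst choice).
BROWSERS = {"chrome", "msedge", "firefox", "brave", "opera"}
STOP_PROCESS_RE = re.compile(r'stop-process\s+-name\s+"?([\w.-]+)"?', re.I)
# Vendor words a dropped binary may borrow for its file name (analyst choice).
LOOKALIKE_WORDS = ("chrome", "google", "microsoft", "windows", "update", "service")


def browser_kill_from_powershell(ev):
    """powershell.exe launched to Stop-Process a browser. The hit is charged to
    the parent PID, the process that wants the browser's files unlocked."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("powershell.exe"):
        return None
    m = STOP_PROCESS_RE.search(ev["cmdline"])
    if not m or m.group(1).lower() not in BROWSERS:
        return None
    return {"rule": "browser_kill_via_powershell", "pid": ev["parent_pid"],
            "detail": f"{ev['parent_image']} stopped {m.group(1).lower()}"}


def run_key_lookalike(ev):
    """Run value whose data points into a user-writable directory and whose file
    name borrows a vendor word (report: Run\\GoogleChromed -> Chrome Service.exe).
    RunOnce and other autostart locations are deliberately out of scope here."""
    if ev["type"] != "registry_set" or "\\currentversion\\run\\" not in ev["key"].lower():
        return None
    data = ev["data"].replace("\\\\", "\\").strip('"').lower()  # undo the report's escaping
    user_writable = "\\appdata\\" in data or "\\users\\public\\" in data
    basename = data.rsplit("\\", 1)[-1]
    if not (user_writable and any(w in basename for w in LOOKALIKE_WORDS)):
        return None
    value_name = ev["key"].rsplit("\\", 1)[-1]
    return {"rule": "run_key_user_dir_lookalike", "pid": ev["pid"],
            "detail": f"{value_name} = {data}"}


RULES = (browser_kill_from_powershell, run_key_lookalike)


def analyze(events):
    """Apply every rule, then escalate PIDs on which all rules fired: one process
    that both kills browsers and installs a look-alike Run entry is the chain the
    report shows for PID 1972 (behavioral1) and PID 624 (behavioral2)."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    rules_by_pid = defaultdict(set)
    for hit in hits:
        rules_by_pid[hit["pid"]].add(hit["rule"])
    chains = sorted(pid for pid, fired in rules_by_pid.items() if len(fired) == len(RULES))
    return {"hits": hits, "chains": chains}


STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")

# Constructed events: the first three mirror behavioral1's rows, the last two are
# benign (a console Get-Process, and a per-user updater registering itself).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1328, "parent_pid": 1972, "parent_image": STAGE2,
     "image": POWERSHELL, "cmdline": '"powershell.exe" Stop-Process -Name "firefox"'},
    {"type": "process_create", "pid": 484, "parent_pid": 1972, "parent_image": STAGE2,
     "image": POWERSHELL, "cmdline": '"powershell.exe" Stop-Process -Name "firefox"'},
    {"type": "registry_set", "pid": 1972, "key": RUN_KEY + r"\GoogleChromed",
     "data": r'"C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe"'},
    {"type": "process_create", "pid": 900, "parent_pid": 800,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"type": "registry_set", "pid": 800, "key": RUN_KEY + r"\GoogleUpdate",
     "data": r'"C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe" /c'},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for hit in result["hits"]:
        print(f"[{hit['rule']}] pid {hit['pid']}: {hit['detail']}")
    print("correlated stealer chains on PIDs:", result["chains"])
```

The correlation carries the weight: the updater event fires the Run-key rule alone and is left at hit level, while PID 1972 fires both and is reported as a chain. In production the browser-kill rule would also cover taskkill /IM and direct TerminateProcess calls, and the WriteProcessMemory rows above would feed a third, independent rule.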

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/1972-27-0x000000002C580000-0x000000002C8D6000-memory.dmp

memory/1972-60-0x0000000000514000-0x0000000000515000-memory.dmp

memory/1972-59-0x00000000066F0000-0x000000000672C000-memory.dmp

memory/1972-56-0x00000000066F0000-0x000000000672C000-memory.dmp

memory/1972-55-0x000000002C3F0000-0x000000002C46A000-memory.dmp

memory/1972-52-0x000000002C3F0000-0x000000002C46A000-memory.dmp

memory/1972-51-0x000000002C350000-0x000000002C3E6000-memory.dmp

memory/1972-48-0x000000002C350000-0x000000002C3E6000-memory.dmp

memory/1972-47-0x000000002BEF0000-0x000000002BF44000-memory.dmp

memory/1972-44-0x000000002BEF0000-0x000000002BF44000-memory.dmp

memory/1972-43-0x000000002C220000-0x000000002C295000-memory.dmp

memory/1972-40-0x000000002C220000-0x000000002C295000-memory.dmp

memory/1972-39-0x00000000060D0000-0x00000000060E1000-memory.dmp

memory/1972-64-0x0000000006110000-0x0000000006122000-memory.dmp

memory/1972-61-0x0000000006110000-0x0000000006122000-memory.dmp

memory/1972-36-0x00000000060D0000-0x00000000060E1000-memory.dmp

memory/1972-35-0x0000000005C00000-0x0000000005C15000-memory.dmp

memory/1972-32-0x0000000005C00000-0x0000000005C15000-memory.dmp

memory/1972-31-0x000000002BFB0000-0x000000002C055000-memory.dmp

memory/1972-28-0x000000002BFB0000-0x000000002C055000-memory.dmp

memory/1972-24-0x000000002C580000-0x000000002C8D6000-memory.dmp

memory/1972-23-0x0000000005B90000-0x0000000005BC0000-memory.dmp

memory/1972-20-0x0000000005B90000-0x0000000005BC0000-memory.dmp

memory/1972-19-0x000000002C090000-0x000000002C21E000-memory.dmp

memory/1972-16-0x000000002C090000-0x000000002C21E000-memory.dmp

memory/1972-15-0x0000000002880000-0x00000000028A8000-memory.dmp

memory/1972-12-0x0000000002880000-0x00000000028A8000-memory.dmp

memory/1972-11-0x0000000002860000-0x000000000287D000-memory.dmp

memory/1972-8-0x0000000002860000-0x000000000287D000-memory.dmp

memory/1972-7-0x00000000062B0000-0x0000000006357000-memory.dmp

memory/1972-4-0x00000000062B0000-0x0000000006357000-memory.dmp

memory/1972-3-0x0000000006750000-0x00000000070D9000-memory.dmp

memory/1972-0-0x0000000006750000-0x00000000070D9000-memory.dmp

memory/1328-148-0x0000000073811000-0x0000000073812000-memory.dmp

memory/1328-149-0x0000000073810000-0x0000000073DBB000-memory.dmp

memory/1328-150-0x0000000073810000-0x0000000073DBB000-memory.dmp

memory/1328-152-0x0000000073810000-0x0000000073DBB000-memory.dmp

memory/1328-151-0x0000000073810000-0x0000000073DBB000-memory.dmp

memory/1328-153-0x0000000073810000-0x0000000073DBB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ac62b9a66851e7e1c49b34a8b2cc544d
SHA1 c03e13f5046c1970b8ffcf0637c22e76444643a9
SHA256 15477495136705d42dd4bc7eb09d461d93711a1a4f46bcceeb90c8fc48b33aee
SHA512 7b4a6dac5c2759340b174332e04d3c6500580c3a75d915688773f0672d117a73063d8853c60ff33e7fe9c7369e3c5984d4b8d489f362d915d08dfc5c27d0b568
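The Files list above names each memory dump as memory/<pid>-<sequence>-<start>-<end>-memory.dmp, and most regions are listed twice under different sequence numbers because they were captured at more than one point. The parser below is an added example, not part of the report: it turns those names into a per-PID table of unique regions with their sizes and the snapshots they appear in, so an analyst can decide which dumps to carve first (the largest 1972 region spans just under 10 MB). The embedded names are copied from the list above; the naming convention is read off that list rather than documented anywhere on this page, so treat it as an assumption.

```python
import re
from collections import defaultdict

# Name layout read off the report's Files list (assumption: no spec is given):
#   memory/<pid>-<snapshot sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one dump file name into pid, snapshot sequence and address range."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def region_table(names):
    """pid -> unique regions, largest first, each with the sorted snapshot
    sequence numbers at which it was captured."""
    regions = defaultdict(dict)
    for d in map(parse_dump_name, names):
        key = (d["start"], d["end"])
        entry = regions[d["pid"]].setdefault(
            key, {"start": d["start"], "end": d["end"], "size": d["size"], "seqs": []})
        entry["seqs"].append(d["seq"])
    table = {}
    for pid, regs in regions.items():
        rows = sorted(regs.values(), key=lambda r: r["size"], reverse=True)
        for r in rows:
            r["seqs"].sort()
        table[pid] = rows
    return table


# A subset of the behavioral1 Files list above (copied verbatim).
SAMPLE_NAMES = [
    "memory/1972-3-0x0000000006750000-0x00000000070D9000-memory.dmp",
    "memory/1972-0-0x0000000006750000-0x00000000070D9000-memory.dmp",
    "memory/1972-27-0x000000002C580000-0x000000002C8D6000-memory.dmp",
    "memory/1972-24-0x000000002C580000-0x000000002C8D6000-memory.dmp",
    "memory/1972-60-0x0000000000514000-0x0000000000515000-memory.dmp",
    "memory/1328-148-0x0000000073811000-0x0000000073812000-memory.dmp",
    "memory/1328-149-0x0000000073810000-0x0000000073DBB000-memory.dmp",
    "memory/1328-153-0x0000000073810000-0x0000000073DBB000-memory.dmp",
]

if __name__ == "__main__":
    for pid, rows in region_table(SAMPLE_NAMES).items():
        print(f"PID {pid}: {len(rows)} unique regions")
        for r in rows:
            print(f"  0x{r['start']:08X}-0x{r['end']:08X}  {r['size']:>10,d} bytes  snapshots {r['seqs']}")
```

Run over the full list, the table also shows which PID a dump belongs to without opening it: 1972 is the stage-2 executable and 1328 one of the PowerShell children in this task's process tree.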

Analysis: behavioral5

Detonation Overview

Submitted 2024-10-19 20:25
Reported 2024-10-19 20:36
Platform win7-20240903-en
Max time kernel 122s
Max time network 131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtilsOld.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtilsOld.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted 2024-10-19 20:25
Reported 2024-10-19 20:37
Platform win7-20241010-en
Max time kernel 122s
Max time network 151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsQmlModels.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsQmlModels.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted 2024-10-19 20:25
Reported 2024-10-19 20:36
Platform win7-20240903-en
Max time kernel 122s
Max time network 131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsSettings.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsSettings.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted 2024-10-19 20:25
Reported 2024-10-19 20:36
Platform win7-20240903-en
Max time kernel 121s
Max time network 134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickDialogs2Utils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickDialogs2Utils.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted 2024-10-19 20:25
Reported 2024-10-19 20:36
Platform win10v2004-20241007-en
Max time kernel 148s
Max time network 157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-locale-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-locale-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted 2024-10-19 20:25
Reported 2024-10-19 20:36
Platform win10v2004-20241007-en
Max time kernel 142s
Max time network 159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-multibyte-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-multibyte-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted 2024-10-19 20:25
Reported 2024-10-19 20:36
Platform win10v2004-20241007-en
Max time kernel 144s
Max time network 159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-19 20:25
Reported 2024-10-19 20:36
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe"
Process: C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
Target: N/A

Looks up external IP address via web service

Indicator: ipinfo.io (2 hits; description, process and target not recorded)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes:
  C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 hits)
  C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 hits)

Suspicious use of WriteProcessMemory

Description: PID 1596 wrote to memory of 624 (3 hits)
Process: C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe
Target: C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

Description: PID 624 wrote to memory of 1716 (3 hits)
Process: C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
Target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Description: PID 624 wrote to memory of 4824 (3 hits)
Process: C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
Target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Description: PID 624 wrote to memory of 2960 (3 hits)
Process: C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
Target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Description: PID 624 wrote to memory of 4192 (3 hits)
Process: C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
Target: C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 139.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
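Most rows in the Windows 10 network tables on this page are sandbox background traffic rather than sample behaviour: PTR lookups under in-addr.arpa and Bing tile fetches (tse1.mm.bing.net, g.bing.com) that also show up in the rundll32 control runs such as behavioral21. What is left after removing them is ipinfo.io (the "Looks up external IP address via web service" signature) and api.telegram.org, the Telegram Bot API host that stealers commonly use as an exfiltration channel. The Python below is an added example, not part of the report: it parses rows in the report's "Country Destination Domain Proto" layout, drops domains on an analyst allowlist and domains also contacted in a baseline run on the same image, and decodes the in-addr.arpa names so that the sandbox's PTR lookup of an IOC's own address is attached to that IOC as corroboration. The sample rows are copied from the behavioral2 and behavioral21 tables on this page; the allowlist suffixes are an assumption.

```python
import re
from collections import defaultdict

# Row layout used by the report's Network tables: "<CC> <ip>:<port> <domain> <proto>"
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)

# Analyst allowlist (assumption): background traffic of the Windows 10 sandbox
# image, not a property of the sample.
NOISE_SUFFIXES = (".bing.net", ".bing.com", ".microsoft.com",
                  ".windowsupdate.com", ".msftconnecttest.com")


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue  # blank or header line
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed network row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def is_noise(domain):
    d = domain.lower()
    return any(d.endswith(s) for s in NOISE_SUFFIXES)


def ptr_to_ip(domain):
    """'81.59.117.34.in-addr.arpa' -> '34.117.59.81'; None for any other name."""
    suffix = ".in-addr.arpa"
    if not domain.lower().endswith(suffix):
        return None
    return ".".join(reversed(domain[:-len(suffix)].split(".")))


def summarize(rows):
    """domain -> number of DNS lookups and the set of ip:port/proto it was connected to."""
    out = defaultdict(lambda: {"dns_lookups": 0, "connections": set()})
    for r in rows:
        entry = out[r["domain"].lower()]
        if r["port"] == 53 and r["proto"] == "udp":
            entry["dns_lookups"] += 1  # resolver traffic, not a contact with the domain
        else:
            entry["connections"].add(f"{r['ip']}:{r['port']}/{r['proto']}")
    return out


def extract_iocs(sample_text, baseline_text="", allowlist=True):
    """Domains the sample contacted that are absent from the baseline run and,
    if allowlist is set, not on the allowlist. PTR names are consumed as
    evidence rather than reported: a reverse lookup of a connected IP is noted
    on the IOC it belongs to."""
    sample = parse_rows(sample_text)
    baseline = set(summarize(parse_rows(baseline_text))) if baseline_text else set()
    ptr_ips = {ptr_to_ip(r["domain"]) for r in sample} - {None}
    iocs = {}
    for domain, info in summarize(sample).items():
        if ptr_to_ip(domain) or domain in baseline or (allowlist and is_noise(domain)):
            continue
        ips = {c.split(":")[0] for c in info["connections"]}
        iocs[domain] = {
            "dns_lookups": info["dns_lookups"],
            "connections": sorted(info["connections"]),
            "ptr_lookup_seen": bool(ips & ptr_ips),
        }
    return iocs


# Rows copied from this report: behavioral2 (the sample) and behavioral21 (a
# rundll32 control run on the same win10v2004 image).
BEHAVIORAL2_NETWORK = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""
BEHAVIORAL21_NETWORK = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

if __name__ == "__main__":
    for domain, info in extract_iocs(BEHAVIORAL2_NETWORK, BEHAVIORAL21_NETWORK).items():
        print(domain, info)
```

The baseline and the allowlist cover each other's gaps: the control run removes whatever the image happened to do during that detonation (here tse1.mm.bing.net), while the allowlist handles endpoints the control run did not touch (g.bing.com). With allowlist=False only the baseline applies, which is the honest starting point when the image is unfamiliar. Neither step says anything about the two surviving domains by itself; it is the report's own signatures and process tree that tie ipinfo.io and api.telegram.org to the stealer.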

Files

memory/624-0-0x0000000006CE0000-0x0000000007669000-memory.dmp

memory/624-3-0x0000000006CE0000-0x0000000007669000-memory.dmp

memory/624-4-0x0000000000F84000-0x0000000000F85000-memory.dmp

memory/624-12-0x0000000006720000-0x000000000673D000-memory.dmp

memory/624-16-0x0000000006770000-0x0000000006798000-memory.dmp

memory/624-13-0x0000000006770000-0x0000000006798000-memory.dmp

memory/624-9-0x0000000006720000-0x000000000673D000-memory.dmp

memory/624-8-0x00000000065E0000-0x0000000006687000-memory.dmp

memory/624-5-0x00000000065E0000-0x0000000006687000-memory.dmp

memory/624-21-0x0000000006BA0000-0x0000000006BD0000-memory.dmp

memory/624-24-0x0000000006BA0000-0x0000000006BD0000-memory.dmp

memory/624-60-0x000000002DE00000-0x000000002DE3C000-memory.dmp

memory/624-57-0x000000002DE00000-0x000000002DE3C000-memory.dmp

memory/624-56-0x000000002DF20000-0x000000002DF9A000-memory.dmp

memory/624-53-0x000000002DF20000-0x000000002DF9A000-memory.dmp

memory/624-49-0x000000002E3C0000-0x000000002E456000-memory.dmp

memory/624-48-0x000000002DEC0000-0x000000002DF14000-memory.dmp

memory/624-45-0x000000002DEC0000-0x000000002DF14000-memory.dmp

memory/624-42-0x000000002DE40000-0x000000002DEB5000-memory.dmp

memory/624-40-0x000000002DCA0000-0x000000002DCB1000-memory.dmp

memory/624-37-0x000000002DCA0000-0x000000002DCB1000-memory.dmp

memory/624-36-0x0000000006CC0000-0x0000000006CD5000-memory.dmp

memory/624-32-0x000000002DD10000-0x000000002DDB5000-memory.dmp

memory/624-29-0x000000002DD10000-0x000000002DDB5000-memory.dmp

memory/624-25-0x000000002DFB0000-0x000000002E306000-memory.dmp

memory/624-20-0x000000002DAC0000-0x000000002DC4E000-memory.dmp

memory/624-52-0x000000002E3C0000-0x000000002E456000-memory.dmp

memory/624-44-0x000000002DE40000-0x000000002DEB5000-memory.dmp

memory/624-33-0x0000000006CC0000-0x0000000006CD5000-memory.dmp

memory/624-28-0x000000002DFB0000-0x000000002E306000-memory.dmp

memory/624-64-0x000000002E350000-0x000000002E362000-memory.dmp

memory/624-61-0x000000002E350000-0x000000002E362000-memory.dmp

memory/624-17-0x000000002DAC0000-0x000000002DC4E000-memory.dmp

memory/1716-143-0x000000007356E000-0x000000007356F000-memory.dmp

memory/1716-144-0x0000000002610000-0x0000000002646000-memory.dmp

memory/1716-146-0x0000000005230000-0x0000000005858000-memory.dmp

memory/1716-145-0x0000000073560000-0x0000000073D10000-memory.dmp

memory/1716-147-0x0000000073560000-0x0000000073D10000-memory.dmp

memory/1716-148-0x0000000005080000-0x00000000050A2000-memory.dmp

memory/1716-149-0x0000000005860000-0x00000000058C6000-memory.dmp

memory/1716-150-0x00000000058D0000-0x0000000005936000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pro4kqwf.mku.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1716-160-0x0000000005A40000-0x0000000005D94000-memory.dmp

memory/1716-161-0x0000000005F30000-0x0000000005F4E000-memory.dmp

memory/1716-162-0x0000000005F60000-0x0000000005FAC000-memory.dmp

memory/1716-163-0x0000000006F50000-0x0000000006FE6000-memory.dmp

memory/1716-164-0x0000000006430000-0x000000000644A000-memory.dmp

memory/1716-165-0x0000000006480000-0x00000000064A2000-memory.dmp

memory/1716-166-0x00000000075A0000-0x0000000007B44000-memory.dmp

memory/1716-169-0x0000000073560000-0x0000000073D10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/4824-180-0x0000000073560000-0x0000000073D10000-memory.dmp

memory/4824-181-0x0000000073560000-0x0000000073D10000-memory.dmp

memory/4824-182-0x0000000073560000-0x0000000073D10000-memory.dmp

memory/4824-192-0x0000000005770000-0x0000000005AC4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e19994e49d129737dea9aa44db121c1d
SHA1 4188fd56441e0bad0bb440b0e2db16ca4a392fc5
SHA256 0ccfe2fd3e8397c8e82df8ed5b668445b214eda22abfbd3411a475d066ca5acf
SHA512 0081784f7690e43fcee8884f42410d83d7149eeac9ac70493be1ca929fe3c684c9f2ac888bbf01ae457e388a8cfbbf35a74bbf8d549620a7f033118412cea600

memory/4824-195-0x0000000073560000-0x0000000073D10000-memory.dmp

memory/2960-206-0x0000000005FD0000-0x0000000006324000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b25926ce87a27fe055dd9343a1bda32
SHA1 197f2177d6657efdaa1804af8445a54f16931ae4
SHA256 ada05f795734a2126ba6c2a7d3d5c166276df2d8e18568d63195918cf7bcf2a0
SHA512 fcaf43c6d34cb2b216ae57d3f77d76ef2e3ea9c7a8baceaa0ac18d738bd63772cb5433fe3c0b7c2581cbe99802dd4bbeff56cecce899181ff38b0c1d490b0fe8

Analysis: behavioral12

Detonation Overview

Submitted 2024-10-19 20:25
Reported 2024-10-19 20:36
Platform win10v2004-20241007-en
Max time kernel 146s
Max time network 154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsSettings.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsSettings.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win7-20240903-en

Max time kernel

121s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickControls2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickControls2.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-string-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:37

Platform

win7-20241010-en

Max time kernel

27s

Max time network

25s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_1.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

129s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-stdio-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-stdio-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickControls2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickControls2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-environment-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-environment-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-math-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-math-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-runtime-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-runtime-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2912 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2912 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 139.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atfa2zgf.auz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2d8e4d213bfd199c7abf5b5b3d91e0a
SHA1 6618a25104b173190de8b613ca8f6f900a8af368
SHA256 883fd39c2e7a652f131429bc71a268a32ff592cf3c5d0c729f8596a7d18f2a76
SHA512 9b8be87ed0e12c5d5a7aeb66e5225528f388a06a834e9db511bc87e10b77d78651d8cdad2fdf5bf9b275d3e96448196f96937ee5d3dcd2fb40ee9850306733d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d33cce10257de9d42ffbca845d21a0f2
SHA1 9c4b3747dbbe8457a5a67d0a05667dfa8aece0e3
SHA256 010cfb7fc9b3a3bf2339c0c99700871be793fc49cbe085ab9e991e545e843e97
SHA512 047915e97b0fd6195ea45d7a7a3045d6722decf354d19c76a68ba49647cdc7cb27d0296bdf5ee463b0ea7e51c4a01a061705e4d0eee9b95395eb3fd76c009ece

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsQmlModels.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsQmlModels.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickDialogs2Utils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickDialogs2Utils.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win7-20240903-en

Max time kernel

122s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2196 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2196 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2196 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2196-0-0x0000000006B20000-0x00000000074A9000-memory.dmp

memory/2196-4-0x0000000000624000-0x0000000000625000-memory.dmp

memory/2196-9-0x0000000000CE0000-0x0000000000CFD000-memory.dmp

memory/2196-12-0x0000000000CE0000-0x0000000000CFD000-memory.dmp

memory/2196-8-0x0000000000EC0000-0x0000000000F67000-memory.dmp

memory/2196-5-0x0000000000EC0000-0x0000000000F67000-memory.dmp

memory/2196-3-0x0000000006B20000-0x00000000074A9000-memory.dmp

memory/2196-13-0x0000000000E40000-0x0000000000E68000-memory.dmp

memory/2196-16-0x0000000000E40000-0x0000000000E68000-memory.dmp

memory/2196-17-0x000000002BEF0000-0x000000002C07E000-memory.dmp

memory/2196-20-0x000000002BEF0000-0x000000002C07E000-memory.dmp

memory/2196-28-0x000000002C3E0000-0x000000002C736000-memory.dmp

memory/2196-21-0x0000000002820000-0x0000000002850000-memory.dmp

memory/2196-25-0x000000002C3E0000-0x000000002C736000-memory.dmp

memory/2196-24-0x0000000002820000-0x0000000002850000-memory.dmp

memory/2196-33-0x0000000002C00000-0x0000000002C15000-memory.dmp

memory/2196-44-0x0000000006190000-0x0000000006205000-memory.dmp

memory/2196-48-0x0000000005F80000-0x0000000005FD4000-memory.dmp

memory/2196-56-0x000000002C1D0000-0x000000002C24A000-memory.dmp

memory/2196-57-0x000000002C080000-0x000000002C0BC000-memory.dmp

memory/2196-64-0x0000000002CE0000-0x0000000002CF2000-memory.dmp

memory/2196-61-0x0000000002CE0000-0x0000000002CF2000-memory.dmp

memory/2196-54-0x000000002C1D0000-0x000000002C24A000-memory.dmp

memory/2196-52-0x000000002C130000-0x000000002C1C6000-memory.dmp

memory/2196-49-0x000000002C130000-0x000000002C1C6000-memory.dmp

memory/2196-45-0x0000000005F80000-0x0000000005FD4000-memory.dmp

memory/2196-41-0x0000000006190000-0x0000000006205000-memory.dmp

memory/2196-40-0x0000000002C70000-0x0000000002C81000-memory.dmp

memory/2196-37-0x0000000002C70000-0x0000000002C81000-memory.dmp

memory/2196-36-0x0000000002C00000-0x0000000002C15000-memory.dmp

memory/2196-32-0x0000000006A40000-0x0000000006AE5000-memory.dmp

memory/2196-29-0x0000000006A40000-0x0000000006AE5000-memory.dmp

memory/2196-60-0x000000002C080000-0x000000002C0BC000-memory.dmp

memory/1980-148-0x00000000731C1000-0x00000000731C2000-memory.dmp

memory/1980-150-0x00000000731C0000-0x000000007376B000-memory.dmp

memory/1980-149-0x00000000731C0000-0x000000007376B000-memory.dmp

memory/1980-152-0x00000000731C0000-0x000000007376B000-memory.dmp

memory/1980-151-0x00000000731C0000-0x000000007376B000-memory.dmp

memory/1980-153-0x00000000731C0000-0x000000007376B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ae0bd364d561d847d45f94cecef5c4c8
SHA1 57d8449489aca5f9e28bde1387766f23654335f6
SHA256 b639beea573eece67a0f0337cd99d54b6e19dd11efb90863937f39ffe6393c4f
SHA512 652b9a137173f43e0d1336a7300ab4d24c5bf5f13e76133c1d84c4bfc0abaf25191493bb62fcc35648a4d597b06af9815d5c9b53e686d9617ee4806b002017d8

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-convert-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-convert-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-heap-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-heap-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-private-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-private-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 139.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtilsOld.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtilsOld.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win7-20240708-en

Max time kernel

9s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_codecvt_ids.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2520 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2520 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_codecvt_ids.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2520 -s 80

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_codecvt_ids.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_codecvt_ids.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:37

Platform

win7-20241010-en

Max time kernel

32s

Max time network

26s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtils.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtils.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 137.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-19 20:25

Reported

2024-10-19 20:36

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-process-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-process-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp

Files

N/A