51b4ab44329a6efe2d4a23d5c4664da236fe08b12728d181c909feddf19eb2dc

Analysis

max time kernel
154s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-05-2023 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlenderSetup-3.5.0-win-x64.exe
Size

637.6MB
MD5

443cc79e21eea02b0731b09aa0c58987
SHA1

976078d978f3dc0e5b8476923531aecf3485c078
SHA256

9f00eac23eaa3f569d4320235c814c1abc3a80997acbb537bed2fdb5ffba08e8
SHA512

2d6aa8e8cc46e1fe51c89eb919f5973459e4a0f1b1cf3cdbf5701e2057fd5d8533325e65efde8f2b263df2f7cf414b27680b5c13aa68919ff2e889ba4d3ec714
SSDEEP

1572864:Hcljj7Hs6Hjo0pQI/ALJXuHo9YDvA2zA10srNqr+en3R5yUJsU:H8jjbs6Hj9X/ALJoo9oA21mNi33TL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1632	SetupFileApp_v6.0.9.exe

Loads dropped DLL 1 IoCs

pid	Process
1644	BlenderSetup-3.5.0-win-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe
1632	SetupFileApp_v6.0.9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	SetupFileApp_v6.0.9.exe
Token: SeDebugPrivilege	584	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1632	1644	BlenderSetup-3.5.0-win-x64.exe	28
PID 1644 wrote to memory of 1632	1644	BlenderSetup-3.5.0-win-x64.exe	28
PID 1644 wrote to memory of 1632	1644	BlenderSetup-3.5.0-win-x64.exe	28
PID 1644 wrote to memory of 1632	1644	BlenderSetup-3.5.0-win-x64.exe	28
PID 1644 wrote to memory of 1632	1644	BlenderSetup-3.5.0-win-x64.exe	28
PID 1644 wrote to memory of 1632	1644	BlenderSetup-3.5.0-win-x64.exe	28
PID 1644 wrote to memory of 1632	1644	BlenderSetup-3.5.0-win-x64.exe	28
PID 1632 wrote to memory of 584	1632	SetupFileApp_v6.0.9.exe	29
PID 1632 wrote to memory of 584	1632	SetupFileApp_v6.0.9.exe	29
PID 1632 wrote to memory of 584	1632	SetupFileApp_v6.0.9.exe	29
PID 1632 wrote to memory of 584	1632	SetupFileApp_v6.0.9.exe	29

C:\Users\Admin\AppData\Local\Temp\BlenderSetup-3.5.0-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\BlenderSetup-3.5.0-win-x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\SetupFileApp_v6.0.9\SetupFileApp_v6.0.9.exe
  "C:\Users\Admin\AppData\Local\Temp\SetupFileApp_v6.0.9\SetupFileApp_v6.0.9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SetupFileApp_v6.0.9\SetupFileApp_v6.0.9.exe

Filesize
682.9MB

MD5
74787c859f34fb3c9c48f231dfe88138

SHA1
e497eafd140ea49a781991720939d14555f2173b

SHA256
75867645289292fbf3a75b451b0f65988661cfa54d1019e6c72499c0aebf5843

SHA512
01975b3f0f6da889717465f1a5dc99d63cd40af2c9c67028b7dc10cb6c9515dc5e25bf8a5931826e7bda01045e2384475d01e155f5e5474ef0066eb5cbc58b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupFileApp_v6.0.9\SetupFileApp_v6.0.9.exe

Filesize
605.1MB

MD5
999f5318216876227b9306a77e7e9690

SHA1
988c80414631f266839072a9ec7df3afc2572cf1

SHA256
ce0af1ec2bb531f8e3dfc420af7ac13c130df97102f2611c97e48ea25f4357d0

SHA512
25b9cb564f1fdc99b4b085fbfd223dc88c14a4291d851f38a995737e44fb2a1ecf8ac71c50a254e86044839f7464aa2fdd5a77c2d6d79aa976e36d89ca4b7dc7

Download Submit
\Users\Admin\AppData\Local\Temp\SetupFileApp_v6.0.9\SetupFileApp_v6.0.9.exe

Filesize
650.8MB

MD5
c8b8affad164eec4b5b9de99ca5077c7

SHA1
8963778bcb236e68163780b60b5fdc4fb015eddf

SHA256
854d3d39da418fef9f10c794e14963369c0ecd374b42afe41ab3a249533d7d43

SHA512
448d91f29565a1e4bad40a91152cb7d48ea2c4ce43ae71e444ea18497a3cb840a41a30298df966cdca393279c77764ad2a56d62134a64549c309784e772c1bb7

Download Submit
memory/584-66-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/584-67-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/584-68-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/584-69-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/584-70-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/1632-61-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1632-62-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/1632-63-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download