5d08cb6254e4d4280137d6d37ec689fc3f0c61dad08bbc978a451ac16b7f271c

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Autodesk_Meshmixer_v3p5_Win64.exe
Size

100.6MB
MD5

774a5bf2a9f09980fa72b5a420334d6d
SHA1

4225ab8f598e4d61205945fe3847df8771e397e1
SHA256

5d08cb6254e4d4280137d6d37ec689fc3f0c61dad08bbc978a451ac16b7f271c
SHA512

57cf253e57bd21d63cb72e8770f7ac413f3230e7a36a1054559af43ee9676df9165cad0e49216891d6a61d53623dda2a1b9854ef3f7f82a29a9883928a31eb37
SSDEEP

3145728:4MMsZZToqlINOsfO0qYPJh20iBcLazwtmX:4MzZZToFNOsfGspmX

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} = "\"C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_amd64_20240519194106.log\" /quiet /norestart ignored /burn.runonce"	vcredist_2012_x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Autodesk\Meshmixer\MC3d.dll	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\Qt5WebChannel.dll	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Arms\1369278734_1265236713_gremlin.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Ears\1369279210_1265235452_elephant3.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Ears\1378491691_00001_1378491545_00001_10021_Giraffe_v04_v4.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Numbers\1369279601_temp.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Numbers\1369279609_temp.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Primitives\1397485507_00001_bunny.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\default_shaders\IntenseBlue.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\default_shaders\redcandy.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Arms\1369278734_1265236713_gremlin.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Heads\1369278945_1265235807_camel.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Legs\1369278796_1265236986_cow2.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Letters\1369324646_temp.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Letters\1369324663_temp.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Miscellaneous\1369278570_1265236622_human1_subd.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Numbers\1369279601_temp.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Primitives\1397485556_00001_cylinder.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Symbols\1369279675_temp.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\libacml_dll.dll	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Miscellaneous\1369278556_1265236408_1000000009_athenashield.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Numbers\1369279579_temp.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Primitives\1397485525_00001_cube.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Legs\1369278773_1271204371_dog.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Legs\1369278773_1271204371_dog.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Legs\1378327488_00001_12272_Koala_v1_L3_v4.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Numbers\1369279609_temp.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Symbols\1369279669_temp.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\models\elephant.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\help_docs\printing3dinfo.pdf	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\DADispatcherService.exe	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Heads\1369278919_1271205067_dog.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Heads\1378735843_00001_1378735573_00001_Male.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Letters\1369324687_temp.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Letters\1369324701_temp.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Primitives\1397485593_00001_sphere.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\default_shaders\GreyResin.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\default_shaders\blue_clay.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Letters\1369324694_temp.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Numbers\1369279595_temp.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\user\My Parts\logo.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Arms\1369278734_1265236713_gremlin.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Arms\1378494286_00001_1378494089_00001_hand.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Ears\1369279210_1265235452_elephant3.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Legs\1369278784_1271204497_dog.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Letters\1369324582_temp.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Letters\1369324595_temp.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Letters\1369324708_temp.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Miscellaneous\1416939209_connector.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\Qt5OpenGL.dll	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\libacml_mv_dll.dll	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\default_polygons\triangle.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Ears\1369279234_1271205130_bunnyr.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Legs\1378327488_00001_12272_Koala_v1_L3_v4.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Letters\1369324610_temp.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Letters\1369324679_temp.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Numbers\1369279585_temp.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Numbers\1369279595_temp.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Legs\1378492710_00001_1378492623_00001_1378492470_00001_1378491998_00001_12243_Osprey_v1_l3_v4.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Letters\1369324595_temp.obj	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Letters\1369324670_temp.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Primitives\1397485517_00001_cone.obj.prt	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\meshmixer\libraries\parts\default\Primitives\1397485646_00001_torus.obj.png	Autodesk_Meshmixer_v3p5_Win64.exe
File created	C:\Program Files\Autodesk\Meshmixer\resources\Printerbot_simple.ini	Autodesk_Meshmixer_v3p5_Win64.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	vcredist_2012_x64.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 4 IoCs

pid	Process
2732	vcredist_2012_x64.exe
2024	vcredist_2012_x64.exe
1692	vcredist_2015_x64.exe
2052	vcredist_2015_x64.exe

Loads dropped DLL 16 IoCs

pid	Process
2932	Autodesk_Meshmixer_v3p5_Win64.exe
2932	Autodesk_Meshmixer_v3p5_Win64.exe
2932	Autodesk_Meshmixer_v3p5_Win64.exe
2932	Autodesk_Meshmixer_v3p5_Win64.exe
2932	Autodesk_Meshmixer_v3p5_Win64.exe
2932	Autodesk_Meshmixer_v3p5_Win64.exe
2932	Autodesk_Meshmixer_v3p5_Win64.exe
2732	vcredist_2012_x64.exe
2024	vcredist_2012_x64.exe
2932	Autodesk_Meshmixer_v3p5_Win64.exe
1692	vcredist_2015_x64.exe
2052	vcredist_2015_x64.exe
2932	Autodesk_Meshmixer_v3p5_Win64.exe
2932	Autodesk_Meshmixer_v3p5_Win64.exe
2932	Autodesk_Meshmixer_v3p5_Win64.exe
1212	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mix	Autodesk_Meshmixer_v3p5_Win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.stl	Autodesk_Meshmixer_v3p5_Win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Meshmixer.Document	Autodesk_Meshmixer_v3p5_Win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Meshmixer.Document\DefaultIcon	Autodesk_Meshmixer_v3p5_Win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Meshmixer.Document\DefaultIcon\ = "C:\\Program Files\\Autodesk\\Meshmixer\\meshmixer.exe,1"	Autodesk_Meshmixer_v3p5_Win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Meshmixer.Document\shell\print\command\ = "\"C:\\Program Files\\Autodesk\\Meshmixer\\meshmixer.exe\" --print \"%1\""	Autodesk_Meshmixer_v3p5_Win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Meshmixer.Document\shell\open\command	Autodesk_Meshmixer_v3p5_Win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Meshmixer.Document\shell	Autodesk_Meshmixer_v3p5_Win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Meshmixer.Document\shell\open\command\ = "\"C:\\Program Files\\Autodesk\\Meshmixer\\meshmixer.exe\" \"%1\""	Autodesk_Meshmixer_v3p5_Win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Meshmixer.Document\shell\print\command	Autodesk_Meshmixer_v3p5_Win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mix\ = "Meshmixer.Document"	Autodesk_Meshmixer_v3p5_Win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Meshmixer.Document\ = "Meshmixer Document"	Autodesk_Meshmixer_v3p5_Win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Meshmixer.Document\shell\open	Autodesk_Meshmixer_v3p5_Win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Meshmixer.Document\shell\print	Autodesk_Meshmixer_v3p5_Win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.stl\ = "Meshmixer.Document"	Autodesk_Meshmixer_v3p5_Win64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2932	Autodesk_Meshmixer_v3p5_Win64.exe
2932	Autodesk_Meshmixer_v3p5_Win64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2932	Autodesk_Meshmixer_v3p5_Win64.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeBackupPrivilege	2816	vssvc.exe
Token: SeRestorePrivilege	2816	vssvc.exe
Token: SeAuditPrivilege	2816	vssvc.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeLoadDriverPrivilege	1536	DrvInst.exe
Token: SeLoadDriverPrivilege	1536	DrvInst.exe
Token: SeLoadDriverPrivilege	1536	DrvInst.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2732	2932	Autodesk_Meshmixer_v3p5_Win64.exe	28
PID 2932 wrote to memory of 2732	2932	Autodesk_Meshmixer_v3p5_Win64.exe	28
PID 2932 wrote to memory of 2732	2932	Autodesk_Meshmixer_v3p5_Win64.exe	28
PID 2932 wrote to memory of 2732	2932	Autodesk_Meshmixer_v3p5_Win64.exe	28
PID 2932 wrote to memory of 2732	2932	Autodesk_Meshmixer_v3p5_Win64.exe	28
PID 2932 wrote to memory of 2732	2932	Autodesk_Meshmixer_v3p5_Win64.exe	28
PID 2932 wrote to memory of 2732	2932	Autodesk_Meshmixer_v3p5_Win64.exe	28
PID 2732 wrote to memory of 2024	2732	vcredist_2012_x64.exe	29
PID 2732 wrote to memory of 2024	2732	vcredist_2012_x64.exe	29
PID 2732 wrote to memory of 2024	2732	vcredist_2012_x64.exe	29
PID 2732 wrote to memory of 2024	2732	vcredist_2012_x64.exe	29
PID 2732 wrote to memory of 2024	2732	vcredist_2012_x64.exe	29
PID 2732 wrote to memory of 2024	2732	vcredist_2012_x64.exe	29
PID 2732 wrote to memory of 2024	2732	vcredist_2012_x64.exe	29
PID 2932 wrote to memory of 1692	2932	Autodesk_Meshmixer_v3p5_Win64.exe	34
PID 2932 wrote to memory of 1692	2932	Autodesk_Meshmixer_v3p5_Win64.exe	34
PID 2932 wrote to memory of 1692	2932	Autodesk_Meshmixer_v3p5_Win64.exe	34
PID 2932 wrote to memory of 1692	2932	Autodesk_Meshmixer_v3p5_Win64.exe	34
PID 2932 wrote to memory of 1692	2932	Autodesk_Meshmixer_v3p5_Win64.exe	34
PID 2932 wrote to memory of 1692	2932	Autodesk_Meshmixer_v3p5_Win64.exe	34
PID 2932 wrote to memory of 1692	2932	Autodesk_Meshmixer_v3p5_Win64.exe	34
PID 1692 wrote to memory of 2052	1692	vcredist_2015_x64.exe	35
PID 1692 wrote to memory of 2052	1692	vcredist_2015_x64.exe	35
PID 1692 wrote to memory of 2052	1692	vcredist_2015_x64.exe	35
PID 1692 wrote to memory of 2052	1692	vcredist_2015_x64.exe	35
PID 1692 wrote to memory of 2052	1692	vcredist_2015_x64.exe	35
PID 1692 wrote to memory of 2052	1692	vcredist_2015_x64.exe	35
PID 1692 wrote to memory of 2052	1692	vcredist_2015_x64.exe	35

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Autodesk_Meshmixer_v3p5_Win64.exe
"C:\Users\Admin\AppData\Local\Temp\Autodesk_Meshmixer_v3p5_Win64.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\vcredist_2012_x64.exe
  C:\Users\Admin\AppData\Local\Temp\vcredist_2012_x64.exe /q /norestart
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\vcredist_2012_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\vcredist_2012_x64.exe" /q /norestart -burn.unelevated BurnPipe.{684D5B30-D8C2-49B7-B742-2AA3C0A6C107} {560CE4BB-9EC0-4869-B925-AC61EAADCF44} 2732
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2024
- C:\Users\Admin\AppData\Local\Temp\vcredist_2015_x64.exe
  C:\Users\Admin\AppData\Local\Temp\vcredist_2015_x64.exe /q /norestart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\vcredist_2015_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\vcredist_2015_x64.exe" /q /norestart -burn.unelevated BurnPipe.{211377A9-2D2B-428D-953C-59B28AED3B84} {CA452B9B-4DE2-49B6-9547-53A71B5934E0} 1692
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000002BC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Autodesk\Meshmixer\meshmixer.exe

Filesize
25.0MB

MD5
b6967e6a04904465f0ba330f8742226e

SHA1
ae2dd97a5d636962fa70e0b5872bd2996781a4e2

SHA256
73a5b989e2b5dfae4577f85a15c2d95668249f4759179bf4717d82fdef69e03b

SHA512
79a44d4f660bd6c0d996c664361f8d5b569166894fce0e325da30226b93d2beccdf19a40a88c95d355dc7d40b3ff3ce2d11c28aeb7c51b574a4ec35c98aee00c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.be\vcredist_x64.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\Program Files\Autodesk\Meshmixer\Uninstall.exe

Filesize
415KB

MD5
d3dc9d153048853c17bd3202cc96d479

SHA1
1a90d2410f392fd335dffd74caac43896ca248b5

SHA256
d23a2f95623781405bc43e53d3aaaa56ec0529384cee3c2bf59708fba537ba8c

SHA512
c1a5562090be9fe5ddf1daae1597221c6aff6e43934626458cff8eaa25120a25b27484c67f4a29146cf029f74da0c53157acb59acc125122d7544543fdf88ef1

Download Submit
\Users\Admin\AppData\Local\Temp\nst1AD2.tmp\LogEx.dll

Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
\Users\Admin\AppData\Local\Temp\nst1AD2.tmp\Math.dll

Filesize
144KB

MD5
889e8fe8a034acb4d4a33349e34907a9

SHA1
e439458df040ec14002c67f0a863bb714a6241aa

SHA256
d9b253e80eca58d3e2c5882359b5aa3257bd0b4bec5d02a7874004466ef77c57

SHA512
a604e3f8c385af9b2f29e82fa411b220a71bc234521d1194de1a2a09cca567f31c33c887a1f69ffb33fb2db91519a99e84ef064d507af16646db6919dd712d94

Download Submit
\Users\Admin\AppData\Local\Temp\nst1AD2.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nst1AD2.tmp\UAC.dll

Filesize
13KB

MD5
09809c8d905a557be3b7ac0cd54cae22

SHA1
9a7b5f9bf4d35d6041620120735d3df6d588846b

SHA256
729f8f2a5c0720d3150e5551dd71aa41052f9747687449fbd047d57f1c65d213

SHA512
34baf2caba3082ed1e4103ce4aff2dfca98bfacaf5bab4ac4262e67918ac8f1ef408b7d1341bbe5f2488089474952bc5dc0ad3fe3ae6a872c9435b43450056f2

Download Submit
\Users\Admin\AppData\Local\Temp\nst1AD2.tmp\nsDialogs.dll

Filesize
9KB

MD5
4ccc4a742d4423f2f0ed744fd9c81f63

SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc

SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Download Submit
\Users\Admin\AppData\Local\Temp\nst1AD2.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\vcredist_2012_x64.exe

Filesize
6.9MB

MD5
3c03562b5af9ed347614053d459d7778

SHA1
1a5d93dddbc431ab27b1da711cd3370891542797

SHA256
681be3e5ba9fd3da02c09d7e565adfa078640ed66a0d58583efad2c1e3cc4064

SHA512
6c2f4eeb38705c2dafc4d75d8de0036a0aed197f83e9cb261d255fe26e4391f24b0b156e9019c739dd99057041c2bb80f9ab80f56869bc1e01f0469a76f24f75

Download Submit
\Users\Admin\AppData\Local\Temp\vcredist_2015_x64.exe

Filesize
14.6MB

MD5
2397cb0a7d4f611b521a23e8e3b22424

SHA1
cd2fce1bf61637b2536b66ee52a9662473bbdc82

SHA256
d7257265dbc0635c96dd67ddf938a09abe0866cb2d4fa05f8b758c8644e724e4

SHA512
020e8050f5e12c1f009fc81fba43ad5116f425d78bcf75cd6bc7e5211d8c05c0446795fa6a09a48871180a27adeaec3161c507f8c16a57ddb1d9581ebf217b4a

Download Submit
\Users\Admin\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\wixstdba.dll

Filesize
126KB

MD5
d7bf29763354eda154aad637017b5483

SHA1
dfa7d296bfeecde738ef4708aaabfebec6bc1e48

SHA256
7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

SHA512
1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

Download Submit
memory/2932-39-0x00000000039C0000-0x00000000039CC000-memory.dmp

Filesize
48KB

Download
memory/2932-66-0x00000000751F4000-0x00000000751F5000-memory.dmp

Filesize
4KB

Download
memory/2932-21-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2932-22-0x00000000751F4000-0x00000000751F5000-memory.dmp

Filesize
4KB

Download