Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
15s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
13/09/2024, 03:01
Static task
static1
Behavioral task
behavioral1
Sample
Maxon Cinema 4D 2024.4.0 x64.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Maxon Cinema 4D 2024.4.0 x64.exe
Resource
win10v2004-20240802-en
General
-
Target
Maxon Cinema 4D 2024.4.0 x64.exe
-
Size
19.1MB
-
MD5
3a5b5a4c669327a410bf354aac7a8e35
-
SHA1
c5e8fbdb4f19a6cb85048879b24b6f3bee03b2ef
-
SHA256
753a2b1227d1a89d29bcb9b9a6231f143d933e6cff86ab9b7e151d38873b7906
-
SHA512
8292fbe0bf5377b91082ad9d5c2ee5f465a8f3319f8be05c8e13bc94f1e54d2e7d9c9367c3fc714804d2f6225e219b69bb31eae2ff09f3c15987b553c60aecd6
-
SSDEEP
393216:X4SQMl42yHOc3CEMCmjaQOz/RbFn5ukQQqdyT:Xoy4tHl2jpG5b1hyyT
Malware Config
Signatures
-
pid Process
2956 powershell.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\G: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\H: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\T: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\Y: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\Q: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\V: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\Z: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\A: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\K: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\O: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\P: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\U: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\R: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\B: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\E: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\I: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\J: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\L: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\M: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\N: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\S: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\W: Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only) \??\X: Maxon Cinema 4D 2024.4.0 x64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
1920 Maxon Cinema 4D 2024.4.0 x64.exe
2956 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1920 Maxon Cinema 4D 2024.4.0 x64.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: 33 1920 Maxon Cinema 4D 2024.4.0 x64.exe
Token: SeIncBasePriorityPrivilege 1920 Maxon Cinema 4D 2024.4.0 x64.exe
Token: SeDebugPrivilege 2956 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 1920 wrote to memory of 2956 1920 Maxon Cinema 4D 2024.4.0 x64.exe 30
PID 1920 wrote to memory of 2956 1920 Maxon Cinema 4D 2024.4.0 x64.exe 30
PID 1920 wrote to memory of 2956 1920 Maxon Cinema 4D 2024.4.0 x64.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Maxon Cinema 4D 2024.4.0 x64.exe
"C:\Users\Admin\AppData\Local\Temp\Maxon Cinema 4D 2024.4.0 x64.exe"
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $ProgressPreference = 'SilentlyContinue';$r = (mount-diskimage -storagetype ISO -imagepath 'C:\Users\Admin\AppData\Local\Temp\Deploy.db' -passthru | get-volume).driveletter;Set-Clipboard $r
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
9.9MB
MD5 74baafec4842208637896ca7e7aa291e
SHA1 63fd9a182e4e78b76898d048a5e7ff56b94180fa
SHA256 58d546cd6ab0bffe18f99abe62ae6e251f8d68a0db7cbfdce7fefc0bad12ee6c
SHA512 13e48839489bcb2e02986c0ab51d7239a8a4b7a92b9ff2019240616d70e348d0c4e1a13de1ac222a85502e382afd1767360840e6fbc92f4b74ba340142e54dff