753a2b1227d1a89d29bcb9b9a6231f143d933e6cff86ab9b7e151d38873b7906

General

Target

Maxon Cinema 4D 2024.4.0 x64.exe
Size

19.1MB
MD5

3a5b5a4c669327a410bf354aac7a8e35
SHA1

c5e8fbdb4f19a6cb85048879b24b6f3bee03b2ef
SHA256

753a2b1227d1a89d29bcb9b9a6231f143d933e6cff86ab9b7e151d38873b7906
SHA512

8292fbe0bf5377b91082ad9d5c2ee5f465a8f3319f8be05c8e13bc94f1e54d2e7d9c9367c3fc714804d2f6225e219b69bb31eae2ff09f3c15987b553c60aecd6
SSDEEP

393216:X4SQMl42yHOc3CEMCmjaQOz/RbFn5ukQQqdyT:Xoy4tHl2jpG5b1hyyT

Score

6^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2956	powershell.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\H:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\T:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\Y:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\Q:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\V:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\Z:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\A:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\K:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\O:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\P:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\U:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\R:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\B:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\E:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\I:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\J:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\L:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\M:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\N:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\S:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\W:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\X:	Maxon Cinema 4D 2024.4.0 x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1920	Maxon Cinema 4D 2024.4.0 x64.exe
2956	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1920	Maxon Cinema 4D 2024.4.0 x64.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1920	Maxon Cinema 4D 2024.4.0 x64.exe
Token: SeIncBasePriorityPrivilege	1920	Maxon Cinema 4D 2024.4.0 x64.exe
Token: SeDebugPrivilege	2956	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2956	1920	Maxon Cinema 4D 2024.4.0 x64.exe	30
PID 1920 wrote to memory of 2956	1920	Maxon Cinema 4D 2024.4.0 x64.exe	30
PID 1920 wrote to memory of 2956	1920	Maxon Cinema 4D 2024.4.0 x64.exe	30

C:\Users\Admin\AppData\Local\Temp\Maxon Cinema 4D 2024.4.0 x64.exe
"C:\Users\Admin\AppData\Local\Temp\Maxon Cinema 4D 2024.4.0 x64.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell $ProgressPreference = 'SilentlyContinue';$r = (mount-diskimage -storagetype ISO -imagepath 'C:\Users\Admin\AppData\Local\Temp\Deploy.db' -passthru | get-volume).driveletter;Set-Clipboard $r
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\Temp_1\restfiles\vidbanner.mp4

Filesize
9.9MB

MD5
74baafec4842208637896ca7e7aa291e

SHA1
63fd9a182e4e78b76898d048a5e7ff56b94180fa

SHA256
58d546cd6ab0bffe18f99abe62ae6e251f8d68a0db7cbfdce7fefc0bad12ee6c

SHA512
13e48839489bcb2e02986c0ab51d7239a8a4b7a92b9ff2019240616d70e348d0c4e1a13de1ac222a85502e382afd1767360840e6fbc92f4b74ba340142e54dff

Download Submit
memory/1920-47-0x00000000024F0000-0x00000000024FA000-memory.dmp

Filesize
40KB

Download
memory/1920-12-0x00000000024D0000-0x00000000024DA000-memory.dmp

Filesize
40KB

Download
memory/1920-11-0x00000000024D0000-0x00000000024DA000-memory.dmp

Filesize
40KB

Download
memory/1920-14-0x00000000024D0000-0x00000000024DA000-memory.dmp

Filesize
40KB

Download
memory/1920-15-0x00000000024D0000-0x00000000024DA000-memory.dmp

Filesize
40KB

Download
memory/1920-13-0x00000000024D0000-0x00000000024DA000-memory.dmp

Filesize
40KB

Download
memory/1920-33-0x000007FEF5390000-0x000007FEF5781000-memory.dmp

Filesize
3.9MB

Download
memory/1920-30-0x000007FEF5390000-0x000007FEF5781000-memory.dmp

Filesize
3.9MB

Download
memory/1920-32-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1920-31-0x00000000024F0000-0x00000000024FA000-memory.dmp

Filesize
40KB

Download
memory/1920-10-0x000007FEF572C000-0x000007FEF5737000-memory.dmp

Filesize
44KB

Download
memory/1920-56-0x000007FEF572C000-0x000007FEF5737000-memory.dmp

Filesize
44KB

Download
memory/1920-46-0x00000000024D0000-0x00000000024DA000-memory.dmp

Filesize
40KB

Download
memory/1920-43-0x000007FEF572C000-0x000007FEF5737000-memory.dmp

Filesize
44KB

Download
memory/1920-44-0x00000000024D0000-0x00000000024DA000-memory.dmp

Filesize
40KB

Download
memory/1920-45-0x00000000024D0000-0x00000000024DA000-memory.dmp

Filesize
40KB

Download
memory/1920-57-0x000007FEF5390000-0x000007FEF5781000-memory.dmp

Filesize
3.9MB

Download
memory/1920-6-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1920-49-0x00000000024F0000-0x00000000024FA000-memory.dmp

Filesize
40KB

Download
memory/1920-50-0x000007FEF5390000-0x000007FEF5781000-memory.dmp

Filesize
3.9MB

Download
memory/1920-51-0x00000000024F0000-0x00000000024FA000-memory.dmp

Filesize
40KB

Download
memory/1920-52-0x000007FEF5390000-0x000007FEF5781000-memory.dmp

Filesize
3.9MB

Download
memory/2956-38-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2956-39-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing