753a2b1227d1a89d29bcb9b9a6231f143d933e6cff86ab9b7e151d38873b7906

General

Target

Maxon Cinema 4D 2024.4.0 x64.exe
Size

19.1MB
MD5

3a5b5a4c669327a410bf354aac7a8e35
SHA1

c5e8fbdb4f19a6cb85048879b24b6f3bee03b2ef
SHA256

753a2b1227d1a89d29bcb9b9a6231f143d933e6cff86ab9b7e151d38873b7906
SHA512

8292fbe0bf5377b91082ad9d5c2ee5f465a8f3319f8be05c8e13bc94f1e54d2e7d9c9367c3fc714804d2f6225e219b69bb31eae2ff09f3c15987b553c60aecd6
SSDEEP

393216:X4SQMl42yHOc3CEMCmjaQOz/RbFn5ukQQqdyT:Xoy4tHl2jpG5b1hyyT

Score

6^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3316	powershell.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\W:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\X:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\B:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\L:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\N:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\O:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\P:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\G:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\Y:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\A:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\H:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\S:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\V:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\Q:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\R:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\U:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\E:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\I:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\J:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\K:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\M:	Maxon Cinema 4D 2024.4.0 x64.exe
File opened (read-only)	\??\Z:	Maxon Cinema 4D 2024.4.0 x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{541E64B9-B216-41C0-8A02-612BCC76BBF1}	Maxon Cinema 4D 2024.4.0 x64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4508	Maxon Cinema 4D 2024.4.0 x64.exe
4508	Maxon Cinema 4D 2024.4.0 x64.exe
3316	powershell.exe
3316	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4508	Maxon Cinema 4D 2024.4.0 x64.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4508	Maxon Cinema 4D 2024.4.0 x64.exe
Token: SeCreatePagefilePrivilege	4508	Maxon Cinema 4D 2024.4.0 x64.exe
Token: 33	2720	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2720	AUDIODG.EXE
Token: SeShutdownPrivilege	4508	Maxon Cinema 4D 2024.4.0 x64.exe
Token: SeCreatePagefilePrivilege	4508	Maxon Cinema 4D 2024.4.0 x64.exe
Token: SeShutdownPrivilege	4508	Maxon Cinema 4D 2024.4.0 x64.exe
Token: SeCreatePagefilePrivilege	4508	Maxon Cinema 4D 2024.4.0 x64.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeIncreaseQuotaPrivilege	3316	powershell.exe
Token: SeSecurityPrivilege	3316	powershell.exe
Token: SeTakeOwnershipPrivilege	3316	powershell.exe
Token: SeLoadDriverPrivilege	3316	powershell.exe
Token: SeSystemProfilePrivilege	3316	powershell.exe
Token: SeSystemtimePrivilege	3316	powershell.exe
Token: SeProfSingleProcessPrivilege	3316	powershell.exe
Token: SeIncBasePriorityPrivilege	3316	powershell.exe
Token: SeCreatePagefilePrivilege	3316	powershell.exe
Token: SeBackupPrivilege	3316	powershell.exe
Token: SeRestorePrivilege	3316	powershell.exe
Token: SeShutdownPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeSystemEnvironmentPrivilege	3316	powershell.exe
Token: SeRemoteShutdownPrivilege	3316	powershell.exe
Token: SeUndockPrivilege	3316	powershell.exe
Token: SeManageVolumePrivilege	3316	powershell.exe
Token: 33	3316	powershell.exe
Token: 34	3316	powershell.exe
Token: 35	3316	powershell.exe
Token: 36	3316	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3316	4508	Maxon Cinema 4D 2024.4.0 x64.exe	87
PID 4508 wrote to memory of 3316	4508	Maxon Cinema 4D 2024.4.0 x64.exe	87

C:\Users\Admin\AppData\Local\Temp\Maxon Cinema 4D 2024.4.0 x64.exe
"C:\Users\Admin\AppData\Local\Temp\Maxon Cinema 4D 2024.4.0 x64.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell $ProgressPreference = 'SilentlyContinue';$r = (mount-diskimage -storagetype ISO -imagepath 'C:\Users\Admin\AppData\Local\Temp\Deploy.db' -passthru | get-volume).driveletter;Set-Clipboard $r
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3316

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x2c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
0778cd387d38ec570411e5d210262d5f

SHA1
2d4f6361b12f0a36bd3c3fce05c802794ad91464

SHA256
0f06cda501ad115a17e4ee2ada9016f12345bb2374ef0e47a32df6617f279498

SHA512
cf729f3faf42ebf4410c4f3c35b5c1fcb56eaac02ebfb33adfccdd9ba5cc0de66554c4c492c6b9e0fa8d7290a50d9d76c057cba6dd17b1358735ea4c0791ae13

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xld45zmg.uk1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut8647.tmp

Filesize
9.9MB

MD5
74baafec4842208637896ca7e7aa291e

SHA1
63fd9a182e4e78b76898d048a5e7ff56b94180fa

SHA256
58d546cd6ab0bffe18f99abe62ae6e251f8d68a0db7cbfdce7fefc0bad12ee6c

SHA512
13e48839489bcb2e02986c0ab51d7239a8a4b7a92b9ff2019240616d70e348d0c4e1a13de1ac222a85502e382afd1767360840e6fbc92f4b74ba340142e54dff

Download Submit
memory/3316-36-0x000002C4731A0000-0x000002C4731C2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing