Analysis
-
max time kernel
146s -
max time network
41s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
13/08/2021, 07:22
General
-
Target
Autodesk License Patcher Ultimate Installer.exe
-
Size
10.6MB
-
MD5
a88f74305278474aefa30ec8d89ac91b
-
SHA1
2d8fe3cafb42e3d0264bba4807345d8e4aa13ba3
-
SHA256
9cbf4a9f365fa6e302cbeefe79fbb060e3281c1d8266e7485e82e8f78b3b56bc
-
SHA512
ee437f6e275a51474ef4b6de42a6e31c6600626545f712268a47f50bb6413912f9c6162453b1fba392dbe466498b10fa467fa213afcbdff605dd5278fd32d12a
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Loads dropped DLL 3 IoCs
-
Drops file in Program Files directory 18 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Kills process with taskkill 18 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Autodesk License Patcher Ultimate Installer.exe"C:\Users\Admin\AppData\Local\Temp\Autodesk License Patcher Ultimate Installer.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mode.commode con: cols=70 lines=153⤵
-
-
C:\Windows\SysWOW64\chcp.comchcp 12543⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 153⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet stop AdskLicensingService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AdskLicensingService4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "AdskLicensingService.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "AdskLicensingAgent.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "ADPClientService.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "AdskLicensingAnalyticsClient.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "AdskLicensingInstHelper.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "lmgrd.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "adskflex.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "lmutil.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "lmtools.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\msiexec.exeMsiExec.exe /X {4BE91685-1632-47FC-B563-A8A542C6664C} /qn3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.vbs" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.bat" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\AdskLicensingService.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingService\" /Y /K /R /S /H /i3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\AdskLicensingAgent.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\" /Y /K /R /S /H /i3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\adlmint.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\" /Y /K /R /S /H /i3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hostname3⤵
-
C:\Windows\SysWOW64\HOSTNAME.EXEhostname4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%USB%%' AND AdapterTypeID='0'" get MacAddress,AdapterType3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path Win32_NetworkAdapter where "PNPDeviceID like '%%USB%%' AND AdapterTypeID='0'" get MacAddress,AdapterType4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND AdapterTypeID='0'" get MacAddress,AdapterType3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND AdapterTypeID='0'" get MacAddress,AdapterType4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(gc License.lic) -replace 'MAC', '42C11A88956C ' -replace 'HOSTNAME', 'Mrbkymno' | Out-File -encoding ASCII License.lic"3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\sc.exesc config AdskLicensingService Start=Auto3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Delete /tn "Autodesk" /f3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Create /XML C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml /tn "\Microsoft\Windows\Autodesk\Autodesk"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="AutodeskNLM"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAnalyticsClient\ADPClientService.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAnalyticsClient\ADPClientService.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAnalyticsClient\AdskLicensingAnalyticsClient.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAnalyticsClient\AdskLicensingAnalyticsClient.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\CER\senddmp.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\CER\senddmp.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\helper\AdskLicensingInstHelper.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\helper\AdskLicensingInstHelper.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\AdskLicensingAgent.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\AdskLicensingAgent.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingService\AdskLicensingService.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingService\AdskLicensingService.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAnalyticsClient\ADPClientService.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAnalyticsClient\ADPClientService.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAnalyticsClient\AdskLicensingAnalyticsClient.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAnalyticsClient\AdskLicensingAnalyticsClient.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\CER\senddmp.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\CER\senddmp.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\helper\AdskLicensingInstHelper.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\helper\AdskLicensingInstHelper.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\AdskLicensingAgent.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\AdskLicensingAgent.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingService\AdskLicensingService.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingService\AdskLicensingService.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet start AdskLicensingService3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start AdskLicensingService4⤵
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.vbs" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat" "4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\mode.commode con: cols=70 lines=125⤵
-
-
C:\Windows\SysWOW64\chcp.comchcp 12545⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 55⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet stop AdskLicensingService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AdskLicensingService6⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "AdskLicensingService.exe"5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "AdskLicensingAgent.exe"5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "ADPClientService.exe"5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "AdskLicensingAnalyticsClient.exe"5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "AdskLicensingInstHelper.exe"5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "lmgrd.exe"5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "adskflex.exe"5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "lmutil.exe"5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "lmtools.exe"5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\net.exenet start AdskLicensingService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start AdskLicensingService6⤵
-
-
-
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exelmgrd.exe -z -c License.lic5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exeadskflex.exe -T Mrbkymno 11.18 -1 -c ";License.lic;" -lmgrd_port 6978 -srv E9hgEMr2Awep8sexFkQ13zMpM4f0Zb7uqZrXSM6zNl4gNNV7Kj80bYFHSbwil38 --lmgrd_start 61161ef7 -vdrestart 06⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB