5db7dc6f8602e411012bafd15d63fceb921a578ee8223feabef3ad81fa732f62

General

Target

DigitalLicense.exe
Size

1.4MB
MD5

d08f3081c7052a39abb7881f94bb7c88
SHA1

48a01ce6555cc0672996f6844539983df56f65b1
SHA256

5db7dc6f8602e411012bafd15d63fceb921a578ee8223feabef3ad81fa732f62
SHA512

c71d8c2167d5c24c7e10095ae76bc46d0b4f56abc362e98b0290521ac205824e8c190214238a7f78328d2f61bdcf0f1ca5901b1b2f8cc1e0d3e6631de217e590
SSDEEP

24576:212l7Ht38gd2gOb60SpTOhqbCzpn/NcSc/VmruNt+g88i:21Eq7WgqGzpn+3/VmC/i

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3240	gatherosstate.exe

Loads dropped DLL 2 IoCs

pid	Process
3240	gatherosstate.exe
3240	gatherosstate.exe

Checks SCSI registry key(s) 3 TTPs 11 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	ClipUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	ClipUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	ClipUp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3752	DigitalLicense.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 4272	3752	DigitalLicense.exe	97
PID 3752 wrote to memory of 4272	3752	DigitalLicense.exe	97
PID 4272 wrote to memory of 3240	4272	cmd.exe	99
PID 4272 wrote to memory of 3240	4272	cmd.exe	99
PID 4272 wrote to memory of 3240	4272	cmd.exe	99
PID 3752 wrote to memory of 4184	3752	DigitalLicense.exe	100
PID 3752 wrote to memory of 4184	3752	DigitalLicense.exe	100
PID 4184 wrote to memory of 5000	4184	cmd.exe	102
PID 4184 wrote to memory of 5000	4184	cmd.exe	102
PID 3752 wrote to memory of 4700	3752	DigitalLicense.exe	105
PID 3752 wrote to memory of 4700	3752	DigitalLicense.exe	105
PID 4700 wrote to memory of 4772	4700	cmd.exe	107
PID 4700 wrote to memory of 4772	4700	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\DigitalLicense.exe
"C:\Users\Admin\AppData\Local\Temp\DigitalLicense.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\gatherosstate.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\gatherosstate.exe
    C:\Users\Admin\AppData\Local\Temp\gatherosstate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:3240
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c C:\Windows\system32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\system32\ClipUp.exe
    C:\Windows\system32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp
    3⤵
    PID:5000
  - - C:\Windows\system32\ClipUp.exe
      C:\Windows\system32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp -ppl C:\Users\Admin\AppData\Local\Temp\tem14B7.tmp
      4⤵
      Checks SCSI registry key(s)
      PID:4892
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c cscript.exe /nologo C:\Windows\system32\slmgr.vbs /ato
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\system32\cscript.exe
    cscript.exe /nologo C:\Windows\system32\slmgr.vbs /ato
    3⤵
    PID:4772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GenuineTicket.xml

Filesize
1KB

MD5
87ac019370b4868672b76f0142ceaced

SHA1
3c66895b5b03ab86ea301b93dfc149824d360fe3

SHA256
2bf0fc26d75e79ff059883a085ffef4c0a527f100ccf78065c083de274204beb

SHA512
e9ad2a99ff893fca8eb6aef65dde753c29c37dc2ff8821daa125df7c801f0fd0aaf6d56103577eba60e1b76525cbc55cdf0511cb0e9bde9999f2dcef4d3d92d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLC.DLL

Filesize
5KB

MD5
4011727e3c6ee42c3d0133aa0d7185ae

SHA1
cd8663743e441a6ee3f22f4e4880aa9231dc9533

SHA256
3f773df3869bc5f63e47a7207d11d322f14a5b4044d18f770c2602d303ef5d9e

SHA512
e2b40bac9138ae668c3dd6d8468fc460be6c47ed3e0ca201f9db7f0182f7cba5f356b8a3508f5fa8fdd29ad09a18429ae85688a85664775c3b486b0be32a62de

Download Submit
C:\Users\Admin\AppData\Local\Temp\gatherosstate.exe

Filesize
730KB

MD5
55c43aeacd80fb45663c38c777e46513

SHA1
73b54242dddf7770cdcaae9278fe1fb530ad5a63

SHA256
03906a073a8215d110b944b0a13f9e7fed3a2bd61a95686adea9f6f4fe63598b

SHA512
095d90f7005b9eea5584f71d63cc0d5631e836d3ea8aac8b72a2b6d46ead740c4af38e87e34a58d9cd8b3a7c38ac0afd82831bdd776896c38e3fdd1cb85cc0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sku.txt

Filesize
9B

MD5
d3852fbaf9594ade32cf0590afaa2f41

SHA1
96ebbe754c9b516a2e71fddf7cdd75e30081c253

SHA256
9c278b0fb83de0ae76c21390f8a125fbbea27820810a9da838d3c20e73400810

SHA512
8d6e70977b3d1230474120ff4e07b7cc5aa6e4784a1131e584bbe68e661bde021467e146058af9eb66a21729efa2b9cf21084c096f5d416e4173f064bad858fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\slc.dll

Filesize
5KB

MD5
4011727e3c6ee42c3d0133aa0d7185ae

SHA1
cd8663743e441a6ee3f22f4e4880aa9231dc9533

SHA256
3f773df3869bc5f63e47a7207d11d322f14a5b4044d18f770c2602d303ef5d9e

SHA512
e2b40bac9138ae668c3dd6d8468fc460be6c47ed3e0ca201f9db7f0182f7cba5f356b8a3508f5fa8fdd29ad09a18429ae85688a85664775c3b486b0be32a62de

Download Submit
C:\Users\Admin\AppData\Local\Temp\slc.dll

Filesize
5KB

MD5
4011727e3c6ee42c3d0133aa0d7185ae

SHA1
cd8663743e441a6ee3f22f4e4880aa9231dc9533

SHA256
3f773df3869bc5f63e47a7207d11d322f14a5b4044d18f770c2602d303ef5d9e

SHA512
e2b40bac9138ae668c3dd6d8468fc460be6c47ed3e0ca201f9db7f0182f7cba5f356b8a3508f5fa8fdd29ad09a18429ae85688a85664775c3b486b0be32a62de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem14B7.tmp

Filesize
582B

MD5
8fad0419d066592849e3b89dbc37171f

SHA1
e0d77c6d91088eb1fa65974cfb7a61474c515069

SHA256
92de2e55a8b42ac28bae7de24c3804849851be5f69149c627563c339b7f860fc

SHA512
d088d62f14a32d1ed28d10fa29b90d30861fe3604f195513dfcfdad04c09c4cf73b671f6665726e61273c6fc080b782a62c659e8e7efdaa5ee664a366302c4d1

Download Submit
memory/3752-136-0x00000292A9990000-0x00000292A99AE000-memory.dmp

Filesize
120KB

Download
memory/3752-135-0x00000292AD920000-0x00000292AD996000-memory.dmp

Filesize
472KB

Download
memory/3752-134-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

Filesize
10.8MB

Download
memory/3752-133-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

Filesize
10.8MB

Download
memory/3752-132-0x000002928F0F0000-0x000002928F266000-memory.dmp

Filesize
1.5MB

Download
memory/4892-154-0x00000228DE410000-0x00000228DE420000-memory.dmp

Filesize
64KB

Download
memory/4892-149-0x00000228DE410000-0x00000228DE420000-memory.dmp

Filesize
64KB

Download
memory/4892-150-0x00000228DE410000-0x00000228DE420000-memory.dmp

Filesize
64KB

Download
memory/4892-152-0x00000228DE410000-0x00000228DE420000-memory.dmp

Filesize
64KB

Download
memory/4892-153-0x00000228DE410000-0x00000228DE420000-memory.dmp

Filesize
64KB

Download
memory/4892-157-0x00000228DE570000-0x00000228DE6C3000-memory.dmp

Filesize
1.3MB

Download
memory/4892-161-0x00000228DE570000-0x00000228DE6C3000-memory.dmp

Filesize
1.3MB

Download
memory/5000-148-0x0000027F4F5C0000-0x0000027F4F5D0000-memory.dmp

Filesize
64KB

Download
memory/5000-147-0x0000027F4F5C0000-0x0000027F4F5D0000-memory.dmp

Filesize
64KB

Download
memory/5000-156-0x0000027F4F5C0000-0x0000027F4F5D0000-memory.dmp

Filesize
64KB

Download
memory/5000-158-0x0000027F4F5C0000-0x0000027F4F5D0000-memory.dmp

Filesize
64KB

Download
memory/5000-146-0x0000027F4F5C0000-0x0000027F4F5D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing