Analysis
max time kernel: 91s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2024, 05:42
Behavioral task: behavioral1
Sample: Autodesk License Patcher Uninstaller.exe
Resource: win7-20231215-en
General
Target: Autodesk License Patcher Uninstaller.exe
Size: 225KB
MD5: 8fdb0ed20826feb0512321dac91a93bd
SHA1: 753d87a8f74fdb4cf9c9a8562ebb28eb0513ef17
SHA256: 2343cb780d1a0c8543bb76c7c7586f9af957655ee20655871b85092b0ecbb055
SHA512: dd22e44ad19a54707c084b176ebdee9aeee426154c6b9f4c4ce911e80367100c1fdcba4b3a348c0a0b57557468baf9a2082a7eb42c83fcb8bacc83e0cc30504a
SSDEEP: 3072:i3pox1w8FCoFjKej0u/Dt1XWhlPhoutuFLtVBjnmATFPJg:i58u8PFjcurvXUlPhoSuvfTZphg
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 3 IoCs)
pid | Process
3520 | netsh.exe
2444 | netsh.exe
2036 | netsh.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | Autodesk License Patcher Uninstaller.exe

resource | yara_rule
behavioral2/memory/3004-0-0x0000000000400000-0x0000000000479000-memory.dmp | upx
behavioral2/memory/3004-5-0x0000000000400000-0x0000000000479000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (9 IoCs)
pid | Process
1132 | taskkill.exe
4152 | taskkill.exe
4900 | taskkill.exe
4144 | taskkill.exe
4336 | taskkill.exe
4972 | taskkill.exe
2900 | taskkill.exe
3560 | taskkill.exe
908 | taskkill.exe
Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin\shell\runas | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin\shell\runas\command\ = "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin\shell\runas\command | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin\shell | reg.exe

Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
4280 | reg.exe
Runs net.exe

Runs ping.exe (1 TTPs, 3 IoCs)
pid | Process
1640 | PING.EXE
4292 | PING.EXE
3960 | PING.EXE
Suspicious use of AdjustPrivilegeToken (41 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1132 | taskkill.exe
Token: SeDebugPrivilege | 3560 | taskkill.exe
Token: SeDebugPrivilege | 4152 | taskkill.exe
Token: SeDebugPrivilege | 4900 | taskkill.exe
Token: SeDebugPrivilege | 4144 | taskkill.exe
Token: SeDebugPrivilege | 4336 | taskkill.exe
Token: SeDebugPrivilege | 908 | taskkill.exe
Token: SeDebugPrivilege | 4972 | taskkill.exe
Token: SeDebugPrivilege | 2900 | taskkill.exe
Token: SeShutdownPrivilege | 4608 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4608 | msiexec.exe
Token: SeSecurityPrivilege | 4540 | msiexec.exe
Token: SeCreateTokenPrivilege | 4608 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4608 | msiexec.exe
Token: SeLockMemoryPrivilege | 4608 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4608 | msiexec.exe
Token: SeMachineAccountPrivilege | 4608 | msiexec.exe
Token: SeTcbPrivilege | 4608 | msiexec.exe
Token: SeSecurityPrivilege | 4608 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4608 | msiexec.exe
Token: SeLoadDriverPrivilege | 4608 | msiexec.exe
Token: SeSystemProfilePrivilege | 4608 | msiexec.exe
Token: SeSystemtimePrivilege | 4608 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4608 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4608 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4608 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4608 | msiexec.exe
Token: SeBackupPrivilege | 4608 | msiexec.exe
Token: SeRestorePrivilege | 4608 | msiexec.exe
Token: SeShutdownPrivilege | 4608 | msiexec.exe
Token: SeDebugPrivilege | 4608 | msiexec.exe
Token: SeAuditPrivilege | 4608 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4608 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4608 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4608 | msiexec.exe
Token: SeUndockPrivilege | 4608 | msiexec.exe
Token: SeSyncAgentPrivilege | 4608 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4608 | msiexec.exe
Token: SeManageVolumePrivilege | 4608 | msiexec.exe
Token: SeImpersonatePrivilege | 4608 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4608 | msiexec.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3004 wrote to memory of 1380 | 3004 | Autodesk License Patcher Uninstaller.exe | 87
PID 3004 wrote to memory of 1380 | 3004 | Autodesk License Patcher Uninstaller.exe | 87
PID 3004 wrote to memory of 1380 | 3004 | Autodesk License Patcher Uninstaller.exe | 87
PID 1380 wrote to memory of 5024 | 1380 | cmd.exe | 90
PID 1380 wrote to memory of 5024 | 1380 | cmd.exe | 90
PID 1380 wrote to memory of 5024 | 1380 | cmd.exe | 90
PID 1380 wrote to memory of 2580 | 1380 | cmd.exe | 91
PID 1380 wrote to memory of 2580 | 1380 | cmd.exe | 91
PID 1380 wrote to memory of 2580 | 1380 | cmd.exe | 91
PID 1380 wrote to memory of 4280 | 1380 | cmd.exe | 92
PID 1380 wrote to memory of 4280 | 1380 | cmd.exe | 92
PID 1380 wrote to memory of 4280 | 1380 | cmd.exe | 92
PID 1380 wrote to memory of 2856 | 1380 | cmd.exe | 93
PID 1380 wrote to memory of 2856 | 1380 | cmd.exe | 93
PID 1380 wrote to memory of 2856 | 1380 | cmd.exe | 93
PID 1380 wrote to memory of 1640 | 1380 | cmd.exe | 94
PID 1380 wrote to memory of 1640 | 1380 | cmd.exe | 94
PID 1380 wrote to memory of 1640 | 1380 | cmd.exe | 94
PID 1380 wrote to memory of 4292 | 1380 | cmd.exe | 102
PID 1380 wrote to memory of 4292 | 1380 | cmd.exe | 102
PID 1380 wrote to memory of 4292 | 1380 | cmd.exe | 102
PID 1380 wrote to memory of 2208 | 1380 | cmd.exe | 103
PID 1380 wrote to memory of 2208 | 1380 | cmd.exe | 103
PID 1380 wrote to memory of 2208 | 1380 | cmd.exe | 103
PID 1380 wrote to memory of 3520 | 1380 | cmd.exe | 104
PID 1380 wrote to memory of 3520 | 1380 | cmd.exe | 104
PID 1380 wrote to memory of 3520 | 1380 | cmd.exe | 104
PID 1380 wrote to memory of 2444 | 1380 | cmd.exe | 105
PID 1380 wrote to memory of 2444 | 1380 | cmd.exe | 105
PID 1380 wrote to memory of 2444 | 1380 | cmd.exe | 105
PID 1380 wrote to memory of 2036 | 1380 | cmd.exe | 106
PID 1380 wrote to memory of 2036 | 1380 | cmd.exe | 106
PID 1380 wrote to memory of 2036 | 1380 | cmd.exe | 106
PID 1380 wrote to memory of 4932 | 1380 | cmd.exe | 107
PID 1380 wrote to memory of 4932 | 1380 | cmd.exe | 107
PID 1380 wrote to memory of 4932 | 1380 | cmd.exe | 107
PID 4932 wrote to memory of 2400 | 4932 | net.exe | 108
PID 4932 wrote to memory of 2400 | 4932 | net.exe | 108
PID 4932 wrote to memory of 2400 | 4932 | net.exe | 108
PID 1380 wrote to memory of 1132 | 1380 | cmd.exe | 109
PID 1380 wrote to memory of 1132 | 1380 | cmd.exe | 109
PID 1380 wrote to memory of 1132 | 1380 | cmd.exe | 109
PID 1380 wrote to memory of 3560 | 1380 | cmd.exe | 110
PID 1380 wrote to memory of 3560 | 1380 | cmd.exe | 110
PID 1380 wrote to memory of 3560 | 1380 | cmd.exe | 110
PID 1380 wrote to memory of 4152 | 1380 | cmd.exe | 111
PID 1380 wrote to memory of 4152 | 1380 | cmd.exe | 111
PID 1380 wrote to memory of 4152 | 1380 | cmd.exe | 111
PID 1380 wrote to memory of 4900 | 1380 | cmd.exe | 112
PID 1380 wrote to memory of 4900 | 1380 | cmd.exe | 112
PID 1380 wrote to memory of 4900 | 1380 | cmd.exe | 112
PID 1380 wrote to memory of 4144 | 1380 | cmd.exe | 113
PID 1380 wrote to memory of 4144 | 1380 | cmd.exe | 113
PID 1380 wrote to memory of 4144 | 1380 | cmd.exe | 113
PID 1380 wrote to memory of 4336 | 1380 | cmd.exe | 114
PID 1380 wrote to memory of 4336 | 1380 | cmd.exe | 114
PID 1380 wrote to memory of 4336 | 1380 | cmd.exe | 114
PID 1380 wrote to memory of 908 | 1380 | cmd.exe | 115
PID 1380 wrote to memory of 908 | 1380 | cmd.exe | 115
PID 1380 wrote to memory of 908 | 1380 | cmd.exe | 115
PID 1380 wrote to memory of 4972 | 1380 | cmd.exe | 116
PID 1380 wrote to memory of 4972 | 1380 | cmd.exe | 116
PID 1380 wrote to memory of 4972 | 1380 | cmd.exe | 116
PID 1380 wrote to memory of 2900 | 1380 | cmd.exe | 117
Processes
(each entry: image path, then command line, signatures and PID; indentation shows the parent/child depth)

[1] C:\Users\Admin\AppData\Local\Temp\Autodesk License Patcher Uninstaller.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Autodesk License Patcher Uninstaller.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3004

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\AutodeskLicensePatcherUninstaller\AutodeskLicensePatcherUninstaller.bat" "
        - Suspicious use of WriteProcessMemory
        PID:1380

        [3] C:\Windows\SysWOW64\chcp.com
            Command line: chcp 1254
            PID:5024

        [3] C:\Windows\SysWOW64\mode.com
            Command line: mode con: cols=70 lines=15
            PID:2580

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"
            - Modifies registry class
            - Modifies registry key
            PID:4280

        [3] C:\Windows\SysWOW64\fltMC.exe
            Command line: fltmc
            PID:2856

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 15
            - Runs ping.exe
            PID:1640

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 5
            - Runs ping.exe
            PID:4292

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks.exe /Delete /tn "\Microsoft\Windows\Autodesk\Autodesk" /f
            PID:2208

        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh advfirewall firewall delete rule name="AutodeskNLM"
            - Modifies Windows Firewall
            PID:3520

        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh advfirewall firewall delete rule name="Allowed C:\Users\Admin\AppData\Local\Temp\Autodesk License Patcher Uninstaller.exe"
            - Modifies Windows Firewall
            PID:2444

        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh advfirewall firewall delete rule name="Blocked C:\Users\Admin\AppData\Local\Temp\Autodesk License Patcher Uninstaller.exe"
            - Modifies Windows Firewall
            PID:2036

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net stop AdskLicensingService
            - Suspicious use of WriteProcessMemory
            PID:4932

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop AdskLicensingService
                PID:2400

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM "AdskLicensingService.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:1132

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM "AdskLicensingAgent.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:3560

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM "ADPClientService.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:4152

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:4900

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM "AdskLicensingInstHelper.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:4144

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM "lmgrd.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:4336

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM "adskflex.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:908

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM "lmutil.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:4972

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM "lmtools.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:2900

        [3] C:\Windows\SysWOW64\msiexec.exe
            Command line: MsiExec.exe /X {4BE91685-1632-47FC-B563-A8A542C6664C} /qn
            - Suspicious use of AdjustPrivilegeToken
            PID:4608

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net start AdskLicensingService
            PID:552

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 start AdskLicensingService
                PID:2228

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 5
            - Runs ping.exe
            PID:3960

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken
    PID:4540
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5KB
MD5: 06005a6038452582d28fc65a62ed1612
SHA1: 4c8b36375b1d6228b517d9159950b5afd85f03ac
SHA256: bd7d4183901679a4c095418a5ce2fa05c76c7da2ca69c2c27ff9d59d8856a59f
SHA512: 2d7d1e43f69bc2d3fe22f8acbe3d1f572944e4a626a2222ef410d54819d7879008f06fb267d8d217a1478f3a64679748123d4cd7e149d72723a471f8ae73e1b5