b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd

max time kernel
135s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

licensingdiag.exe
Size

520KB
MD5

aaba9809c6980df22cfbad179a120d9b
SHA1

8c141f5c037594dfe244a3c8acabe9cf0fe9cff2
SHA256

b2ab5e9fa6c8ba42e1111b8193721d091cbb259682007634c8f19ed3c1168a7e
SHA512

315ae9ea70300dcf03ea522a5db431c143fa5e73a6471f4263709f136b20def641386fb1818f48e33aa98cdb4a125fb445fd1d5dfc20365b284b8a102ed84f50
SSDEEP

12288:7FAC5Vcf2cHDRV/tqHtwTx/SHt2PMfOrbaErC8RH+yyQXM0ZPpIRvXjX1rBbcEhz:7FVVcf2UDRVFqQx/SffOrbaErC8NyQXg

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	licensingdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	licensingdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	licensingdiag.exe

Enumerates system info in registry 2 TTPs 16 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosMajorRelease	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	licensingdiag.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosMinorRelease	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	licensingdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	licensingdiag.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	licensingdiag.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4912	4376	licensingdiag.exe	90
PID 4376 wrote to memory of 4912	4376	licensingdiag.exe	90
PID 4376 wrote to memory of 2840	4376	licensingdiag.exe	91
PID 4376 wrote to memory of 2840	4376	licensingdiag.exe	91
PID 4376 wrote to memory of 4860	4376	licensingdiag.exe	92
PID 4376 wrote to memory of 4860	4376	licensingdiag.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\licensingdiag.exe
"C:\Users\Admin\AppData\Local\Temp\licensingdiag.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" export HKLM\System\WPA "C:\Users\Admin\AppData\Local\Temp\\UXMRPRRI_2024-08-23_diag\WPAKeys.reg.txt"
  2⤵
  PID:4912
- C:\Windows\system32\nslookup.exe
  "C:\Windows\system32\nslookup.exe" -type=srv _vlmcs._tcp
  2⤵
  PID:2840
- C:\Windows\system32\dsregcmd.exe
  "C:\Windows\system32\dsregcmd.exe" /status
  2⤵
  PID:4860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\REGE261.tmp

Filesize
6KB

MD5
06d70b653db40bef34cba676eb1ae37f

SHA1
98c1d855867453954cb734d3b357b0fcd1843cba

SHA256
805962813409699be08f0ee346451a56852c397c040a79c87221217a0ebaf934

SHA512
67c171102ea5c509e0df26afc26eb619293cc9d723a02ee1b3e91ca35ce19aa5f5c3a03f434605cbc2001b8c9504a8adc0af0853750502cf0bfb8e67614ee2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXMRPRRI_2024-08-23_diag\Setup.evtx

Filesize
68KB

MD5
75a81298246fad67b677052ecda2b30d

SHA1
24646fc05517adbda476f6a336cad693e1d43ee5

SHA256
727e3c978fbbe391a82de1e45e4473a9d3b275e6a7a0b5c5951a184e16d8a57b

SHA512
ae9105332281fe677342773135542c17223e43d86ae0edfa6f3a623114c44b278d2ffbebd6ffa26be03b021512143b7c05007836275a51cac28f5fac5284d060

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXMRPRRI_2024-08-23_diag\WindowsPolicyData.xml

Filesize
40KB

MD5
603243cfb736306f657fe20c8a96d648

SHA1
5839513d841185cebb912049a052bef3ecd0a336

SHA256
0b5187cc459dfdc5cd4a72e01e181f36185cb5cd90424f44cfc7618207d84e3a

SHA512
162a9342763e9890d902ba410ea500b33dd783a4fa7a30a372cbfb316005bf402c2d17853d3f38ce2034473cfa03fea134884e8ccbfbc090e795154d25a7d9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXMRPRRI_2024-08-23_diag\data.dat

Filesize
11KB

MD5
89c56fd811170db9eb33429c5c5d539f

SHA1
be2d40ae98c6ec0e952ad6db75db42c0d3a16de5

SHA256
f6f8ef226a52ed92319f763c73ace4e439880d1cf7450eb514f2ff3550a55b2c

SHA512
1ab7ff04ed03d7f5cb994bd2e5e6b2b0224bcd3bc09959273c04d89620ff429a14bafb0200f499aef6870992ca30cd18e00e1d688056a0b60a8ea9fa652b8793

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXMRPRRI_2024-08-23_diag\tokens.dat

Filesize
11.1MB

MD5
8814f7b725e64290f646fb339b459941

SHA1
c3a8c815e586becd2f53e65a454c47c3d638abce

SHA256
e266ee701eb6520f36d66556830d18e5e57aa8ccebaae379232d6035740060a7

SHA512
0ab7308956fbbf9a0f26c99680c4143084add8d7a2b261f7cf309465dc6248763e36b12d92141960694111f10a1703b558cf0be7d6482af898041d6ac1ed5bd3

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads