Windows Analysis Report
Lic.exe

Overview

General Information

Sample name: Lic.exe
Analysis ID: 1579538
MD5: c5eaff76b3a6615840b4e0bc7e92fbc8
SHA1: 73e004370c39788699c010a09638d350a0d8fe1a
SHA256: 2316de75234975ef265f843eb585a3b34d875507a6f7506209a7df932de48667
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

barindex
Source: Lic.exe ReversingLabs: Detection: 19%
Source: Lic.exe Virustotal: Detection: 19% Perma Link
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.4% probability
Source: Lic.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE133027C0 CryptQueryObject,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalAlloc,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose, 0_2_00007FFE133027C0
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE13302E35 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext, 0_2_00007FFE13302E35
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE13302E00 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext,LocalAlloc,CertFreeCertificateContext,CryptDecodeObject,CertFreeCertificateContext,CertFreeCertificateContext, 0_2_00007FFE13302E00
Source: Lic.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: clrjit.pdb source: Lic.exe, 00000000.00000002.1725058787.0000024B719D2000.00000004.00000020.00020000.00000000.sdmp
Source: Lic.exe String found in binary or memory: https://#/SCClientPing.php#Invalid
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE13301D70 0_2_00007FFE13301D70
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE13303270 0_2_00007FFE13303270
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE133014D0 0_2_00007FFE133014D0
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFD9B7D6C12 0_2_00007FFD9B7D6C12
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFD9B7D5E66 0_2_00007FFD9B7D5E66
Source: Lic.exe Binary or memory string: OriginalFilename vs Lic.exe
Source: Lic.exe, 00000000.00000002.1725852927.00007FFE13313000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilename vs Lic.exe
Source: Lic.exe, 00000000.00000002.1724955220.0000024B69201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Lic.exe
Source: AgileDotNetRT64.dll.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgileDotNetRT64.dll.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal60.evad.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\Lic.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Lic.exe.log Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Lic.exe Mutant created: \Sessions\1\BaseNamedObjects\{37c18af4-686a-4078-aea2-125b9784b6de}
Source: C:\Users\user\Desktop\Lic.exe File created: C:\Users\user\AppData\Local\Temp\9d157fef-9d80-4c40-8e32-b40db35317cb Jump to behavior
Source: Lic.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Lic.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Lic.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\Lic.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Lic.exe ReversingLabs: Detection: 19%
Source: Lic.exe Virustotal: Detection: 19%
Source: Lic.exe String found in binary or memory: application/xml)/authorize/stops.xml1/authorize/authorize.xml'www.decisionbar.com
Source: Lic.exe String found in binary or memory: application/xml)/authorize/stops.xml1/authorize/authorize.xml'www.decisionbar.com
Source: C:\Users\user\Desktop\Lic.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: Lic.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Lic.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: clrjit.pdb source: Lic.exe, 00000000.00000002.1725058787.0000024B719D2000.00000004.00000020.00020000.00000000.sdmp
Source: Lic.exe Static PE information: 0xE66D18D1 [Thu Jul 3 07:44:17 2092 UTC]
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE13308C00 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetFileVersionInfoSizeExW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,VerQueryValueA,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, 0_2_00007FFE13308C00
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE13304803 push D84C6147h; ret 0_2_00007FFE1330480C
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE1331F5C5 push 37ED6F56h; ret 0_2_00007FFE1331F5CC
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFD9B7D00BD pushad ; iretd 0_2_00007FFD9B7D00C1
Source: C:\Users\user\Desktop\Lic.exe File created: C:\Users\user\AppData\Local\Temp\9d157fef-9d80-4c40-8e32-b40db35317cb\AgileDotNetRT64.dll Jump to dropped file
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\Lic.exe RDTSC instruction interceptor: First address: 7FFE13301F0F second address: 7FFE13301F90 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov dword ptr [esp+28h], eax 0x0000000e dec eax 0x0000000f mov eax, dword ptr [esp+30h] 0x00000013 dec eax 0x00000014 mov ecx, dword ptr [esp+28h] 0x00000018 dec eax 0x00000019 sub ecx, eax 0x0000001b dec eax 0x0000001c mov eax, ecx 0x0000001e dec eax 0x0000001f add esp, 48h 0x00000022 ret 0x00000023 dec eax 0x00000024 mov dword ptr [00010326h], eax 0x0000002a mov dword ptr [esp+28h], 00000000h 0x00000032 jmp 00007FBCC0E8733Ch 0x00000034 mov eax, dword ptr [esp+50h] 0x00000038 cmp dword ptr [esp+28h], eax 0x0000003c jnl 00007FBCC0E87374h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\Lic.exe Memory allocated: 24B59170000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Memory allocated: 24B71200000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE13301F40 rdtsc 0_2_00007FFE13301F40
Source: C:\Users\user\Desktop\Lic.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9d157fef-9d80-4c40-8e32-b40db35317cb\AgileDotNetRT64.dll Jump to dropped file
Source: C:\Users\user\Desktop\Lic.exe TID: 6168 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\Desktop\Lic.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\Lic.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Lic.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Lic.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Lic.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Lic.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE13301F40 rdtsc 0_2_00007FFE13301F40
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE13308C00 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetFileVersionInfoSizeExW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,VerQueryValueA,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, 0_2_00007FFE13308C00
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE133012E0 K32EnumProcessModules,GetProcessHeap,HeapAlloc,EnumProcessModules,K32EnumProcessModules,GetProcessHeap,HeapFree,GetModuleBaseNameA,K32GetModuleBaseNameA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00007FFE133012E0
Source: C:\Users\user\Desktop\Lic.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Queries volume information: C:\Users\user\Desktop\Lic.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE13306880 MessageBoxW,GetSystemTimeAsFileTime,CompareFileTime,MessageBoxW, 0_2_00007FFE13306880
Source: C:\Users\user\Desktop\Lic.exe Code function: 0_2_00007FFE133010A0 GetVersionExW, 0_2_00007FFE133010A0
Source: C:\Users\user\Desktop\Lic.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
No contacted IP infos