Analysis
- max time kernel: 151s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03/10/2022, 18:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- Resource: win7-20220812-en
General
- Target: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- Size: 320KB
- MD5: 22e8a705f7e9fdc8336c43889a6602e0
- SHA1: 91411aa04f10292c32c8c689d1b2805d967c8887
- SHA256: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63
- SHA512: 67771ee9c3fc5b5e4846571d1e033b4c44c0d586180b0f9c8e513baa262e69aebf33fde899b09fdbd6d73e27b0fb9f832af2e85f3b3fd20c00ccd8eb9b03bb92
- SSDEEP: 3072:qvY6LipwcDWXVa7bMdY0vJhdzOkvTxIC5wwRvlV+Mb8RK0jLydi:npw5kstvT3hRX+UCKu2di
Malware Config
Extracted
sality
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" by schedl.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" by schedl.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" by schedl.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe

UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by schedl.exe

Windows security bypass
- Set value (int) under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\, each = "1", by both ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe and schedl.exe: UacDisableNotify, FirewallDisableNotify, AntiVirusOverride, FirewallOverride, UpdatesDisableNotify, AntiVirusDisableNotify (6 values x 2 processes = 12 IoCs)
Disables RegEdit via registry modification (2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" by schedl.exe

Disables Task Manager via registry modification
Executes dropped EXE (1 IoCs)
- PID 1096 schedl.exe

Memory YARA matches (signature name not captured in this extract), rule upx:
- behavioral1/memory/980-57-0x0000000002900000-0x000000000398E000-memory.dmp
- behavioral1/memory/980-72-0x0000000002900000-0x000000000398E000-memory.dmp
- behavioral1/memory/1096-74-0x0000000003820000-0x00000000048AE000-memory.dmp
- behavioral1/memory/1096-76-0x0000000003820000-0x00000000048AE000-memory.dmp
- behavioral1/memory/1096-78-0x0000000003820000-0x00000000048AE000-memory.dmp
Deletes itself (1 IoCs)
- PID 1096 schedl.exe

Loads dropped DLL (2 IoCs)
- PID 980 ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe (2 entries)
Windows security modification (14 IoCs)
- Set value (int) under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\, each = "1", by both ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe and schedl.exe: FirewallDisableNotify, UacDisableNotify, AntiVirusDisableNotify, UpdatesDisableNotify, AntiVirusOverride, FirewallOverride (12 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc by schedl.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\RUN by schedl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\schedl = "C:\\Windows\\Help\\schedl.exe" by schedl.exe

Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by schedl.exe
Enumerates connected drives (3 TTPs, 27 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by schedl.exe: \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (22 IoCs)
- File opened (read-only) by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe: \??\E:, \??\F:, \??\G:, \??\H:, \??\I: (5 IoCs)
Drops file in Program Files directory (5 IoCs)
- File created C:\Program Files (x86)\Program Files (x86).exe by schedl.exe
- File opened for modification C:\Program Files (x86)\Program Files (x86).exe by schedl.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe by schedl.exe
- File created C:\Program Files\Program Files.exe by schedl.exe
- File opened for modification C:\Program Files\Program Files.exe by schedl.exe

Drops file in Windows directory (6 IoCs)
- File opened for modification C:\Windows\SYSTEM.INI by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- File created C:\Windows\Help\schedl.exe by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- File opened for modification C:\Windows\Help\schedl.exe by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- File created C:\Windows\Windows.exe by schedl.exe
- File opened for modification C:\Windows\Windows.exe by schedl.exe
- File opened for modification C:\Windows\Help\schedl.exe by schedl.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
- PID 980 ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe (2 entries)
- PID 1096 schedl.exe (12 entries)
Suspicious use of AdjustPrivilegeToken (42 IoCs)
- Token: SeDebugPrivilege, PID 980 ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe (21 entries)
- Token: SeDebugPrivilege, PID 1096 schedl.exe (21 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 980 ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- PID 1096 schedl.exe
Suspicious use of WriteProcessMemory (49 IoCs)
Entries are "PID <source> wrote to memory of <target>", with the sandbox's procid_target in parentheses:
- PID 980 (ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe) wrote to memory of 1248 (18): 2 entries
- PID 980 (ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe) wrote to memory of 1316 (17): 2 entries
- PID 980 (ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe) wrote to memory of 1372 (16): 2 entries
- PID 980 (ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe) wrote to memory of 1096 (28): 6 entries
- PID 1096 (schedl.exe) wrote to memory of 1248 (18): 12 entries
- PID 1096 (schedl.exe) wrote to memory of 1316 (17): 12 entries
- PID 1096 (schedl.exe) wrote to memory of 1372 (16): 12 entries
- PID 1096 (schedl.exe) wrote to memory of 1584 (29): 1 entry
System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by schedl.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe (PID 980, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe"
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\Help\schedl.exe (PID 1096, depth 2, child of PID 980)
    Command line: C:\Windows\Help\schedl.exe
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Deletes itself
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\Explorer.EXE (PID 1372, depth 1)
  Command line: C:\Windows\Explorer.EXE
- C:\Windows\system32\Dwm.exe (PID 1316, depth 1)
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe (PID 1248, depth 1)
  Command line: "taskhost.exe"
- C:\Windows\system32\DllHost.exe (PID 1584, depth 1)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 320KB
  MD5: 22e8a705f7e9fdc8336c43889a6602e0
  SHA1: 91411aa04f10292c32c8c689d1b2805d967c8887
  SHA256: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63
  SHA512: 67771ee9c3fc5b5e4846571d1e033b4c44c0d586180b0f9c8e513baa262e69aebf33fde899b09fdbd6d73e27b0fb9f832af2e85f3b3fd20c00ccd8eb9b03bb92
- Filesize: 255B
  MD5: 134c7d97e87fb45ca638c2a6be7bf15f
  SHA1: cb10044e24ec1406aec02520043d75a64deef7dc
  SHA256: 5ff552482ca64f62e3f0048c2971c84454af20d9de99150adf9725ab9171996c
  SHA512: 8d86921ec900041f48e81a5fb2b8b969945f9446ae3f58f37df841f5f3b645219a3371b78e7ae2f025cb650060908b97bf7ceaf3db6524fb3eb1dc558087dc5c