Analysis
- max time kernel: 163s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/10/2022, 18:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- Resource: win7-20220812-en
General
- Target: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- Size: 320KB
- MD5: 22e8a705f7e9fdc8336c43889a6602e0
- SHA1: 91411aa04f10292c32c8c689d1b2805d967c8887
- SHA256: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63
- SHA512: 67771ee9c3fc5b5e4846571d1e033b4c44c0d586180b0f9c8e513baa262e69aebf33fde899b09fdbd6d73e27b0fb9f832af2e85f3b3fd20c00ccd8eb9b03bb92
- SSDEEP: 3072:qvY6LipwcDWXVa7bMdY0vJhdzOkvTxIC5wwRvlV+Mb8RK0jLydi:npw5kstvT3hRX+UCKu2di
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
All values under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\:
- Set value (int) DoNotAllowExceptions = "0" (process: schedl.exe)
- Set value (int) DisableNotifications = "1" (process: schedl.exe)
- Set value (int) EnableFirewall = "0" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) DoNotAllowExceptions = "0" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) DisableNotifications = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) EnableFirewall = "0" (process: schedl.exe)

UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: schedl.exe)

Windows security bypass
All values under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\:
- Set value (int) AntiVirusOverride = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) AntiVirusDisableNotify = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) FirewallDisableNotify = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) AntiVirusOverride = "1" (process: schedl.exe)
- Set value (int) FirewallDisableNotify = "1" (process: schedl.exe)
- Set value (int) FirewallOverride = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) UpdatesDisableNotify = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) UacDisableNotify = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) AntiVirusDisableNotify = "1" (process: schedl.exe)
- Set value (int) FirewallOverride = "1" (process: schedl.exe)
- Set value (int) UpdatesDisableNotify = "1" (process: schedl.exe)
- Set value (int) UacDisableNotify = "1" (process: schedl.exe)

Disables RegEdit via registry modification (2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" (process: schedl.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
Disables Task Manager via registry modification

Executes dropped EXE (1 IoCs)
- PID 5096: schedl.exe

YARA matches in memory dumps (rule: upx)
- behavioral2/memory/796-133-0x0000000002C10000-0x0000000003C9E000-memory.dmp
- behavioral2/memory/796-136-0x0000000002C10000-0x0000000003C9E000-memory.dmp
- behavioral2/memory/796-143-0x0000000002C10000-0x0000000003C9E000-memory.dmp
- behavioral2/memory/796-145-0x0000000002C10000-0x0000000003C9E000-memory.dmp
- behavioral2/memory/5096-146-0x00000000034A0000-0x000000000452E000-memory.dmp
- behavioral2/memory/5096-148-0x00000000034A0000-0x000000000452E000-memory.dmp
- behavioral2/memory/5096-150-0x00000000034A0000-0x000000000452E000-memory.dmp

Windows security modification
All keys and values under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\:
- Key created Svc (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) FirewallDisableNotify = "1" (process: schedl.exe)
- Set value (int) AntiVirusDisableNotify = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) FirewallOverride = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) AntiVirusOverride = "1" (process: schedl.exe)
- Set value (int) UacDisableNotify = "1" (process: schedl.exe)
- Key created Svc (process: schedl.exe)
- Set value (int) AntiVirusOverride = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) UpdatesDisableNotify = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) UpdatesDisableNotify = "1" (process: schedl.exe)
- Set value (int) AntiVirusDisableNotify = "1" (process: schedl.exe)
- Set value (int) FirewallOverride = "1" (process: schedl.exe)
- Set value (int) FirewallDisableNotify = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) UacDisableNotify = "1" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (process: schedl.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\schedl = "C:\\Windows\\Help\\schedl.exe" (process: schedl.exe)

Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: schedl.exe)

Enumerates connected drives (3 TTPs, 43 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe: \??\E: through \??\Y: (21 drive roots: E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y)
- File opened (read-only) by schedl.exe: \??\E: through \??\Z: (22 drive roots: E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z)
Drops autorun.inf file (1 TTPs, 1 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification C:\autorun.inf (process: schedl.exe)

Drops file in Program Files directory (15 IoCs)
All by process schedl.exe:
- File created C:\Program Files\Program Files.exe
- File created C:\Program Files (x86)\Program Files (x86).exe
- File opened for modification C:\Program Files (x86)\Program Files (x86).exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
- File opened for modification C:\Program Files\Program Files.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe

Drops file in Windows directory (6 IoCs)
- File created C:\Windows\Help\schedl.exe (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- File opened for modification C:\Windows\Help\schedl.exe (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- File created C:\Windows\Windows.exe (process: schedl.exe)
- File opened for modification C:\Windows\Windows.exe (process: schedl.exe)
- File opened for modification C:\Windows\Help\schedl.exe (process: schedl.exe)
- File opened for modification C:\Windows\SYSTEM.INI (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
Suspicious behavior: EnumeratesProcesses (26 IoCs)
- PID 796: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe (6 entries)
- PID 5096: schedl.exe (20 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 796: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe (64 identical entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 796: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
- PID 5096: schedl.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each entry records the writing PID, its process image and the target PID; the number in parentheses after each target is the report's procid_target index.
- PID 796 (ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe) wrote to memory of 776 (8), 768 (26), 1020 (10), 2452 (40), 2468 (41), 2768 (48), 2720 (50), 3012 (51), 3252 (52), 3344 (54), 3412 (53), 3496 (55), 3696 (56), 4560 (74), 4084 (65), 888 (64); each of these 16 targets appears three times (48 entries)
- PID 796 (ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe) wrote to memory of 5096 (81); 5 entries
- PID 5096 (schedl.exe) wrote to memory of 776 (8), 768 (26), 1020 (10), 2452 (40), 2468 (41), 2768 (48), 2720 (50), 3012 (51), 3252 (52), 3344 (54), 3412 (53); 11 entries

System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: schedl.exe)
Processes
Each entry gives the image path, the command line as recorded, and the PID; nesting shows the process tree level from the report.
- PID 776: C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe")
- PID 1020: C:\Windows\system32\dwm.exe ("dwm.exe")
- PID 768: C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe")
- PID 2452: C:\Windows\system32\sihost.exe (sihost.exe)
- PID 2468: C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
- PID 2768: C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
- PID 2720: C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE)
  - PID 796: C:\Users\Admin\AppData\Local\Temp\ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe ("C:\Users\Admin\AppData\Local\Temp\ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe")
    Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Disables RegEdit via registry modification; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - PID 5096: C:\Windows\Help\schedl.exe (C:\Windows\Help\schedl.exe)
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Windows security modification; Adds Run key to start application; Checks whether UAC is enabled; Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
- PID 3012: C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
- PID 3252: C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
- PID 3412: C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 3344: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
- PID 3496: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
- PID 3696: C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 888: C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 4084: C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca)
- PID 4560: C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 4556: C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5})
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 69KB
  MD5: 284bbd513f8e570fac5de9a90de3d192
  SHA1: aef7f72a8cee2010e94a986fe23b5a02c04242c2
  SHA256: 54873eb39aac8ba0f974dc21807ea789a50ee6bca5eb601fc14a72ec5900c662
  SHA512: 67df691740c5b7851b9345ece6c83d8933f5b73455b8be006114d645b49bf7af70a9484b9ce95352307604726bb3b99e92fe7329fc5bd0ccd0750890561c359d
- Filesize: 320KB
  MD5: 22e8a705f7e9fdc8336c43889a6602e0
  SHA1: 91411aa04f10292c32c8c689d1b2805d967c8887
  SHA256: ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63
  SHA512: 67771ee9c3fc5b5e4846571d1e033b4c44c0d586180b0f9c8e513baa262e69aebf33fde899b09fdbd6d73e27b0fb9f832af2e85f3b3fd20c00ccd8eb9b03bb92
- Filesize: 257B
  MD5: a1547ef81f8cfffb3ac58c68badaa17f
  SHA1: 29e908e6a9143d8c194d1c04693d6b0bb4449767
  SHA256: 55c3e803c687fc3c6fc6617961f3899d078d9a5bcb2ef2331cca106eae6e22d2
  SHA512: 29f1c49096578258ab72dcab94160bee445ba6f45d1a103d3ffa72be67efe99045f1c86059cabbdc8a4d874ba08148985dce571932b6ae53e912261f8d1fc523