Analysis
- max time kernel: 151s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 19:15
Static task: static1
Behavioral task: behavioral1
- Sample: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Resource: win7-20220812-en
General
- Target: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Size: 284KB
- MD5: 0119e70e60e0f2c1d9fdf426e6e63440
- SHA1: 476669e7ce6b9a0e73cd3daf3a4c5127db792cdc
- SHA256: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2
- SHA512: 4d48d48e73fb7dd64631f3d175a07b7817f81fa69af5295a2341fc125e2ebd3b599e2b11d74f4b0ef6ccb7830648a2194c46d843a8f703f733b154ed457de7a6
- SSDEEP: 3072:ivL7PdY0vvhdzOhXIpqulm/cJsw+1CnN:oRaUJi4N
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
  - http://www.klkjwre9fqwieluoi.info/
  - http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
Processes: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe, schedl.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
Both processes turn the Standard Profile firewall off and silence its notifications; EnableFirewall = "0" with DisableNotifications = "1" is the combination to alert on, since a legitimate policy change rarely touches both.
-
UAC bypass 2 IoCs
Processes: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe, schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" schedl.exe
EnableLUA = 0 disables UAC for every account on the machine; the write needs administrative rights and only takes full effect after the next reboot.
-
Windows security bypass 12 IoCs
Processes: schedl.exe, 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
These are the legacy Security Center override and DisableNotify flags: set to 1 they suppress the antivirus, firewall, update and UAC warnings so the user is not told that protection has been switched off.
-
Disables RegEdit via registry modification 2 IoCs
Processes: schedl.exe, 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" schedl.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
Processes: schedl.exe
- pid 3364 schedl.exe
-
YARA rule match: upx 6 IoCs
- behavioral2/memory/3268-135-0x0000000002B50000-0x0000000003BDE000-memory.dmp (rule upx)
- behavioral2/memory/3268-138-0x0000000002B50000-0x0000000003BDE000-memory.dmp (rule upx)
- behavioral2/memory/3268-147-0x0000000002B50000-0x0000000003BDE000-memory.dmp (rule upx)
- behavioral2/memory/3364-148-0x0000000003120000-0x00000000041AE000-memory.dmp (rule upx)
- behavioral2/memory/3364-150-0x0000000003120000-0x00000000041AE000-memory.dmp (rule upx)
- behavioral2/memory/3364-151-0x0000000003120000-0x00000000041AE000-memory.dmp (rule upx)
-
Windows security modification 14 IoCs
Processes: schedl.exe, 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: schedl.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\RUN schedl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\schedl = "C:\\Windows\\Help\\schedl.exe" schedl.exe
The dropped copy registers itself under the 32-bit (WOW6432Node) HKLM Run key, so it starts for every user at logon; the value name "schedl" and the path C:\Windows\Help\schedl.exe are the persistence indicators to sweep for.
-
Checks whether UAC is enabled 2 IoCs
Processes: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe, schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" schedl.exe
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: schedl.exe
- File opened (read-only) \??\E: through \??\Z: by schedl.exe (22 entries, one per drive letter from E: to Z:)
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: schedl.exe
- File opened for modification C:\autorun.inf schedl.exe
Together with the drive enumeration above this is the removable-media spreading routine: every mounted volume is probed and an autorun.inf is written to its root. Windows has ignored autorun.inf on removable media since the 2011 AutoRun update, so the vector is legacy, but the file remains a reliable indicator on any drive the host had attached.
-
Drops file in Program Files directory 15 IoCs
Processes: schedl.exe
- File created C:\Program Files\Program Files.exe schedl.exe
- File opened for modification C:\Program Files (x86)\Program Files (x86).exe schedl.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe schedl.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe schedl.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe schedl.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe schedl.exe
- File opened for modification C:\Program Files\Program Files.exe schedl.exe
- File created C:\Program Files (x86)\Program Files (x86).exe schedl.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe schedl.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe schedl.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe schedl.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe schedl.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe schedl.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe schedl.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe schedl.exe
Apart from the two newly created Program Files.exe and Program Files (x86).exe, every entry is an existing 7-Zip or Office Click-to-Run executable opened for modification. Sality is a PE file infector, so these are infection targets rather than drops, and the listed binaries should be treated as compromised and restored from a known-good source.
-
Drops file in Windows directory 6 IoCs
Processes: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe, schedl.exe
- File created C:\Windows\Help\schedl.exe 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- File opened for modification C:\Windows\Help\schedl.exe 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- File created C:\Windows\Windows.exe schedl.exe
- File opened for modification C:\Windows\Windows.exe schedl.exe
- File opened for modification C:\Windows\Help\schedl.exe schedl.exe
- File opened for modification C:\Windows\SYSTEM.INI 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe, schedl.exe
- pid 3268 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe (2 entries)
- pid 3364 schedl.exe (24 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Token: SeDebugPrivilege, pid 3268 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe (64 entries, all the same privilege)
SeDebugPrivilege is what lets the sample open processes owned by other accounts (fontdrvhost.exe, dwm.exe, svchost.exe) for the cross-process writes recorded below.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe, schedl.exe
- pid 3268 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- pid 3364 schedl.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe, schedl.exe
Source PID 3268 (231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe) wrote to memory of:
- 776 fontdrvhost.exe
- 784 fontdrvhost.exe
- 312 dwm.exe
- 2516 sihost.exe
- 2528 svchost.exe
- 2636 taskhostw.exe
- 2596 Explorer.EXE
- 944 svchost.exe
- 3256 DllHost.exe
- 3368 StartMenuExperienceHost.exe
- 3472 RuntimeBroker.exe
- 3568 SearchApp.exe
- 3768 RuntimeBroker.exe
- 4724 RuntimeBroker.exe
- 3364 schedl.exe (3 entries)
Source PID 3364 (schedl.exe) wrote to memory of the same fourteen system processes (776, 784, 312, 2516, 2528, 2636, 2596, 944, 3256, 3368, 3472, 3568, 3768, 4724); the report repeats that list three times and then lists 776, 784, 312, 2516 and 2528 once more, 47 entries in all.
Writes into pre-existing session processes such as Explorer.EXE, dwm.exe and the RuntimeBroker.exe instances are code injection, not child-process setup; the only child-process writes are the three from 3268 into its dropped copy 3364. Every one of these targets should be treated as running injected Sality code for the rest of the session.
-
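Added example (not part of the sandbox report): the WriteProcessMemory records above, in the report's own "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" form, parsed into a per-source write map so the injection pattern is visible at a glance. A source that writes into several pre-existing system processes is flagged, and writes into other targets (here the dropped child schedl.exe) are listed separately. The embedded records are a constructed subset of the report's rows, and SYSTEM_IMAGES is an assumed allow-list built from the target names that appear in this report.

```python
"""Build a cross-process write map from sandbox WriteProcessMemory records.

Added example, not part of the sandbox report. Each record follows the report's form:
"PID <src> wrote to memory of <dst pid> <src pid> <src image> <dst image>".
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: a subset of the WriteProcessMemory records from the report.
SAMPLE_WRITES = """
PID 3268 wrote to memory of 776 3268 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe fontdrvhost.exe
PID 3268 wrote to memory of 312 3268 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe dwm.exe
PID 3268 wrote to memory of 2596 3268 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe Explorer.EXE
PID 3268 wrote to memory of 3364 3268 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe schedl.exe
PID 3268 wrote to memory of 3364 3268 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe schedl.exe
PID 3364 wrote to memory of 776 3364 schedl.exe fontdrvhost.exe
PID 3364 wrote to memory of 784 3364 schedl.exe fontdrvhost.exe
PID 3364 wrote to memory of 312 3364 schedl.exe dwm.exe
PID 3364 wrote to memory of 2528 3364 schedl.exe svchost.exe
"""

# Assumed list of pre-existing session/system images, taken from the target names in the report.
SYSTEM_IMAGES = {
    "fontdrvhost.exe", "dwm.exe", "sihost.exe", "svchost.exe", "taskhostw.exe",
    "explorer.exe", "dllhost.exe", "startmenuexperiencehost.exe",
    "runtimebroker.exe", "searchapp.exe",
}

# The source pid appears twice in each record; the back-reference rejects inconsistent rows.
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)$"
)


@dataclass
class Injector:
    pid: int
    image: str
    targets: dict[int, str] = field(default_factory=dict)  # dst pid -> dst image
    writes: int = 0                                        # raw record count

    @property
    def system_targets(self) -> list[int]:
        """Target pids whose image is a known pre-existing system process."""
        return sorted(p for p, img in self.targets.items() if img.lower() in SYSTEM_IMAGES)

    @property
    def other_targets(self) -> list[int]:
        """Everything else, e.g. a child the source started itself."""
        return sorted(p for p, img in self.targets.items() if img.lower() not in SYSTEM_IMAGES)


def parse_write(line: str) -> tuple[int, str, int, str] | None:
    """Return (src pid, src image, dst pid, dst image), or None for a malformed record."""
    m = WRITE_RE.match(line.strip())
    if not m:
        return None
    return int(m["src"]), m["src_image"], int(m["dst"]), m["dst_image"]


def write_map(text: str) -> dict[int, Injector]:
    """Aggregate records per source process; repeated writes to one target count as one target."""
    injectors: dict[int, Injector] = {}
    for line in text.splitlines():
        rec = parse_write(line)
        if rec is None:
            continue
        src, src_image, dst, dst_image = rec
        inj = injectors.setdefault(src, Injector(src, src_image))
        inj.targets[dst] = dst_image
        inj.writes += 1
    return injectors


def flag_injectors(injectors: dict[int, Injector], min_system_targets: int = 2) -> list[Injector]:
    """Sources that wrote into at least min_system_targets distinct system processes."""
    return [i for i in injectors.values() if len(i.system_targets) >= min_system_targets]


if __name__ == "__main__":
    for inj in flag_injectors(write_map(SAMPLE_WRITES)):
        print(f"{inj.pid} {inj.image}: {inj.writes} writes, "
              f"system targets {inj.system_targets}, other targets {inj.other_targets}")
```

Run against the full 64 records from the report, the same functions yield two flagged sources (3268 and 3364) with fourteen system targets each, which is the whole interactive session.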
System policy modification 1 TTPs 2 IoCs
Processes: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe, schedl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" schedl.exe
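Added example (not the report's or the sandbox's own code): a small Python classifier that reads registry records in the form used throughout the Signatures section ('Set value (int) <path> = "<value>" <process>' or 'Key created <path> <process>') and maps each record to the signature names this report uses, so the same rules can be re-run over another report or over exported registry-event logs. The rule set is an assumption reconstructed from the IoCs on this page (it also checks DisableTaskMgr for the "Disables Task Manager" signature, for which the report lists no IoC); the embedded input is constructed from seven of the records above.

```python
"""Classify sandbox registry IoC records into the behavioural signatures used in the report.

Added example, not part of the sandbox report. Each record is in the report's own form:
"<action> <key path>[ = "<value>"] <process image>".
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed input: seven records copied from the Signatures section (raw string, so the
# backslashes and the doubled backslashes inside the quoted Run value are kept as printed).
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" schedl.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" schedl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" schedl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc schedl.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\schedl = "C:\\Windows\\Help\\schedl.exe" schedl.exe
"""

# Key paths may contain spaces ("Security Center"), so the path is matched lazily and the
# process image is anchored as the last whitespace-free token on the line.
EVENT_RE = re.compile(
    r'^(?P<action>Set value \((?P<vtype>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>\S+)$'
)

# Value names taken from the IoCs in the report (compared case-insensitively).
FIREWALL_POLICY = {"enablefirewall", "donotallowexceptions", "disablenotifications"}
SECURITY_CENTER_FLAGS = {
    "antivirusoverride", "antivirusdisablenotify", "firewalloverride",
    "firewalldisablenotify", "updatesdisablenotify", "uacdisablenotify",
}


@dataclass(frozen=True)
class RegEvent:
    action: str            # "Set value" or "Key created"
    path: str              # full path; for Set value the last component is the value name
    value: Optional[str]   # None for Key created
    process: str           # image name of the writing process

    @property
    def key(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[1]


def parse_event(line: str) -> Optional[RegEvent]:
    """Parse one record; returns None for lines that are not registry records."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    value = m.group("value")
    if value is not None:
        value = value.replace("\\\\", "\\")  # the report doubles backslashes inside quoted strings
    action = "Key created" if m.group("action") == "Key created" else "Set value"
    return RegEvent(action, m.group("path"), value, m.group("process"))


def classify(ev: RegEvent) -> list[str]:
    """Return every report signature this single event satisfies (one write can hit several)."""
    key, name, val = ev.key.lower(), ev.name.lower(), ev.value
    hits: list[str] = []
    if "\\sharedaccess\\parameters\\firewallpolicy\\" in key and name in FIREWALL_POLICY:
        hits.append("Modifies firewall policy service")
    if key.endswith("\\policies\\system"):
        if name == "enablelua" and val == "0":
            hits += ["UAC bypass", "System policy modification"]
        if name == "disableregistrytools" and val == "1":
            hits.append("Disables RegEdit via registry modification")
        if name == "disabletaskmgr" and val == "1":
            hits.append("Disables Task Manager via registry modification")
    if "\\microsoft\\security center" in key:
        hits.append("Windows security modification")  # any key/value write under Security Center
        if name in SECURITY_CENTER_FLAGS and val == "1":
            hits.append("Windows security bypass")
    if key.endswith("\\currentversion\\run") and ev.action == "Set value":
        hits.append("Adds Run key to start application")
    return hits


def triage(text: str) -> dict[str, list[tuple[str, str]]]:
    """Group (process, path) pairs by signature; unparsable lines are kept under 'unparsed'."""
    report: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev is None:
            report["unparsed"].append(("", line.strip()))
            continue
        for sig in classify(ev):
            report[sig].append((ev.process, ev.path))
    return dict(report)


if __name__ == "__main__":
    for sig, hits in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{sig} ({len(hits)} IoCs)")
        for proc, path in hits:
            print(f"  {proc}: {path}")
```

One write can legitimately land in several buckets, exactly as the report counts the EnableLUA write under UAC bypass, Checks whether UAC is enabled and System policy modification; the classifier therefore returns a list per event rather than a single label.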
Processes
- C:\Windows\system32\fontdrvhost.exe, command line "fontdrvhost.exe" (level 1)
- C:\Windows\system32\fontdrvhost.exe, command line "fontdrvhost.exe" (level 1)
- C:\Windows\system32\dwm.exe, command line "dwm.exe" (level 1)
- C:\Windows\system32\sihost.exe, command line sihost.exe (level 1)
- C:\Windows\system32\svchost.exe, command line C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc (level 1)
- C:\Windows\system32\taskhostw.exe, command line taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} (level 1)
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, command line "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca (level 1)
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1)
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, command line "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca (level 1)
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1)
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (level 1)
- C:\Windows\system32\svchost.exe, command line C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc (level 1)
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1)
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE (level 1)
- C:\Users\Admin\AppData\Local\Temp\231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe, command line "C:\Users\Admin\AppData\Local\Temp\231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2.exe" (level 2)
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\Help\schedl.exe, command line C:\Windows\Help\schedl.exe (level 3)
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
The level-1 entries are the pre-existing session processes that appear as WriteProcessMemory targets above; they carry no signatures of their own. Only the submitted sample and the copy it drops and launches as C:\Windows\Help\schedl.exe show behavioural hits.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\Help\schedl.exe (the report lists this file twice, with identical hashes)
- Filesize: 284KB
- MD5: 0119e70e60e0f2c1d9fdf426e6e63440
- SHA1: 476669e7ce6b9a0e73cd3daf3a4c5127db792cdc
- SHA256: 231b8c569827f7a9d8c3936f82f1b81b3edabda5bad11ad7c27a21590c6971b2
- SHA512: 4d48d48e73fb7dd64631f3d175a07b7817f81fa69af5295a2341fc125e2ebd3b599e2b11d74f4b0ef6ccb7830648a2194c46d843a8f703f733b154ed457de7a6
Every hash matches the submitted sample, so the dropped file is a byte-identical copy of it; blocking the SHA256 above covers both the original and the persistent copy.
-
C:\Windows\SYSTEM.INI
- Filesize: 257B
- MD5: 58472c7dea9e03c43aa612b05fc75484
- SHA1: ec207acf1b660b041cd454d07b9ee37a30f5c3a2
- SHA256: 4766ab3dd00d0f85f6f24c65cf5b57e0c04309483242f77a3d6c89571afe41cb
- SHA512: 3a4835eb4c664b9809c306558d36d7d09c7dd6bb13135668a7422c91f0896fc372278a7df14983bc8cc73027c4bf0bdd97ab93dea07c38d722a833dfa5f66e76
-
Memory dumps
- memory/3268-145-0x0000000000400000-0x0000000000447000-memory.dmp, 284KB
- memory/3268-138-0x0000000002B50000-0x0000000003BDE000-memory.dmp, 16.6MB
- memory/3268-135-0x0000000002B50000-0x0000000003BDE000-memory.dmp, 16.6MB
- memory/3268-147-0x0000000002B50000-0x0000000003BDE000-memory.dmp, 16.6MB
- memory/3268-137-0x0000000000400000-0x0000000000447000-memory.dmp, 284KB
- memory/3364-140-0x0000000000000000-mapping.dmp
- memory/3364-146-0x0000000000400000-0x0000000000447000-memory.dmp, 284KB
- memory/3364-148-0x0000000003120000-0x00000000041AE000-memory.dmp, 16.6MB
- memory/3364-150-0x0000000003120000-0x00000000041AE000-memory.dmp, 16.6MB
- memory/3364-151-0x0000000003120000-0x00000000041AE000-memory.dmp, 16.6MB
- memory/3364-152-0x0000000000400000-0x0000000000447000-memory.dmp, 284KB
The 284KB regions at 0x400000 are the mapped PE image of each process, the same size as the file on disk; the 16.6MB regions at 0x2B50000 (pid 3268) and 0x3120000 (pid 3364) are the ones that matched the upx YARA rule in the Signatures section and are where the unpacked code should be looked for.