Analysis
- max time kernel: 144s
- max time network: 208s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-10-2023 17:23
- Static task: static1
- Behavioral task: behavioral1
  - Sample: NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
  - Resource: win7-20231020-en
General
- Target: NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Size: 648KB
- MD5: 92adddbd2e93097b8b3794a979a3cc40
- SHA1: efe62bb9cc14831b1b00b1b2e14d3ebd982edc71
- SHA256: 458f64a52861752a369d724e3083f7154b96a7918860a7dad1cb9475929ade18
- SHA512: 828039f95c1eaf655204119db8e1ef12ebc9358f15d9ba0555aa65af894ae9a56b669cb3ba61ec9f63aee1014a12d4973488143773475356a161aacea59fd0ca
- SSDEEP: 12288:Qikxc69yX030T4r0FMx2PWn4u02K/wkUzOvY:Qm00u0FMx2+42KrSX
Malware Config
Extracted family: sality
URLs from the extracted configuration:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | schedl.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | schedl.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | schedl.exe
UAC bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | schedl.exe
Windows security bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | schedl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | schedl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | schedl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | schedl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | schedl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | schedl.exe
Deletes itself (1 IoCs)
pid | Process
- 3388 | schedl.exe
Executes dropped EXE (1 IoCs)
pid | Process
- 3388 | schedl.exe
UPX-packed memory regions (yara rule: upx)
resource | yara_rule
- behavioral2/memory/4092-N-0x0000000002BA0000-0x0000000003C2E000-memory.dmp | upx, for snapshot N = 4, 3, 5, 7, 9, 13, 14, 15, 16, 17, 19, 18, 20, 22, 23, 25, 26, 27, 29, 30, 32, 34, 37, 39, 40, 41, 43, 54, 55, 63, 66, 68, 70, 72, 74, 80, 82, 117
- behavioral2/memory/3388-N-0x0000000003CF0000-0x0000000004D7E000-memory.dmp | upx, for snapshot N = 119, 161
Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | schedl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | schedl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | schedl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | schedl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | schedl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | schedl.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | schedl.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\schedl = "C:\\Windows\\Help\\schedl.exe" | schedl.exe
Checks whether UAC is enabled
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | schedl.exe
Enumerates connected drives (3 TTPs, 20 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\Y: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\L: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\P: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\S: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\R: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\W: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\Z: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\E: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\I: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\J: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\M: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\Q: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\T: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\U: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\V: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\G: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\H: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\K: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\X: | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File opened (read-only) | \??\E: | schedl.exe
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
- File created | C:\Program Files (x86)\Program Files (x86).exe | schedl.exe
- File opened for modification | C:\Program Files (x86)\Program Files (x86).exe | schedl.exe
- File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File created | C:\Program Files\Program Files.exe | schedl.exe
- File opened for modification | C:\Program Files\Program Files.exe | schedl.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\Help\schedl.exe | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File created | C:\Windows\Windows.exe | schedl.exe
- File opened for modification | C:\Windows\Windows.exe | schedl.exe
- File opened for modification | C:\Windows\SYSTEM.INI | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- File created | C:\Windows\Help\schedl.exe | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
Suspicious behavior: EnumeratesProcesses (32 IoCs)
pid | Process (the 32 rows of the original table are all one of these two pairs, listed once each)
- 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- 3388 | schedl.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process (the 64 rows of the original table are all one of these two rows, listed once each)
- Token: SeDebugPrivilege | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Token: SeDebugPrivilege | 3388 | schedl.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
- 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- 3388 | schedl.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (the 64 rows of the original table repeat the same target set several times; each distinct row is listed once, in first-seen order)
- PID 4092 wrote to memory of 816 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 1
- PID 4092 wrote to memory of 824 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 71
- PID 4092 wrote to memory of 380 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 2
- PID 4092 wrote to memory of 2844 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 37
- PID 4092 wrote to memory of 2880 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 36
- PID 4092 wrote to memory of 2972 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 34
- PID 4092 wrote to memory of 3376 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 30
- PID 4092 wrote to memory of 3508 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 29
- PID 4092 wrote to memory of 3720 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 28
- PID 4092 wrote to memory of 3812 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 27
- PID 4092 wrote to memory of 3920 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 7
- PID 4092 wrote to memory of 4016 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 26
- PID 4092 wrote to memory of 2252 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 25
- PID 4092 wrote to memory of 4140 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 23
- PID 4092 wrote to memory of 3604 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 14
- PID 4092 wrote to memory of 4696 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 11
- PID 4092 wrote to memory of 3420 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 10
- PID 4092 wrote to memory of 1792 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 81
- PID 4092 wrote to memory of 4940 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 83
- PID 4092 wrote to memory of 3388 | 4092 | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe | 85
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | schedl.exe
Processes
(process tree; indentation follows the nesting level of the original report)
- C:\Windows\system32\fontdrvhost.exe (PID 816), command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 380), command line: "dwm.exe"
- C:\Windows\System32\RuntimeBroker.exe (PID 3920), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 3420), command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\system32\backgroundTaskHost.exe (PID 4696), command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 3604), command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4140), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 2252), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 4016), command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3812), command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\system32\DllHost.exe (PID 3720), command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\svchost.exe (PID 3508), command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\Explorer.EXE (PID 3376), command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\NEAS.92adddbd2e93097b8b3794a979a3cc40.exe (PID 4092), command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.92adddbd2e93097b8b3794a979a3cc40.exe"
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\Help\schedl.exe (PID 3388), command line: C:\Windows\Help\schedl.exe
      Signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification
- C:\Windows\system32\taskhostw.exe (PID 2972), command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe (PID 2880), command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\sihost.exe (PID 2844), command line: sihost.exe
- C:\Windows\system32\fontdrvhost.exe (PID 824), command line: "fontdrvhost.exe"
- C:\Windows\System32\RuntimeBroker.exe (PID 1792), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 4940), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 4444), command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 936), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe (PID 3176), command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
- Filesize: 648KB
  MD5: 92adddbd2e93097b8b3794a979a3cc40
  SHA1: efe62bb9cc14831b1b00b1b2e14d3ebd982edc71
  SHA256: 458f64a52861752a369d724e3083f7154b96a7918860a7dad1cb9475929ade18
  SHA512: 828039f95c1eaf655204119db8e1ef12ebc9358f15d9ba0555aa65af894ae9a56b669cb3ba61ec9f63aee1014a12d4973488143773475356a161aacea59fd0ca
- Filesize: 257B
  MD5: 795f6c90c9aefb08bdffcafc08bed761
  SHA1: e2fd36fc5d1971efeff2f8c16a91166dfd8d218e
  SHA256: ab1824df206d571abfcdeb002a1601cac0d639d43813fdca7623a19c2bcc6fc3
  SHA512: cdae827d82a9dde806324c378d6f718d16950e8ba214ea187049be451d02ba909dd111a3fcbe493ef75cec16f4283a8ebf434948f1498abefd9a696ff649f0cb
- Filesize: 100KB
  MD5: dccf32eaa4838c5b20e4d8c244f07f3c
  SHA1: 900d1fa03d71dfa5e7919701b450761548c242ea
  SHA256: 5bdc875ab69f426a9423126fa4e43bad4f8de61b47489edac8aa8020c6b8a0f6
  SHA512: db8b3719f9aec5bfa5faff656008e769097a693b8bd9a8c91ed99941752bf8a33fc34ccb6e0d5ffdce20e78d979f56dffc5976385d691e9eb3baef88334c91fd