Analysis
- max time kernel: 39s
- max time network: 41s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-02-2025 20:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: Rootkit.Win32.PePatch.ee.exe
- Resource: win10v2004-20241007-en
General
- Target: Rootkit.Win32.PePatch.ee.exe
- Size: 623KB
- MD5: 3b1f5494cdc2ed7acc69885560f3929c
- SHA1: 4c36ccd42d869fccb10448e372e68edbc42dd035
- SHA256: 53a7a2bf921af33a9f6f70110da48a6d63d875435e62aac955cf012c528d2b28
- SHA512: a7434e0b8aad158e5e8edcf98dc58e17683ab8d3f3135c93c57a10db1c6a5f1b5a4e263d74629069bbd4924d421280de5cf2c509bbb95c1bac9d90125acba45f
- SSDEEP: 12288:MqkMloFmTXO+zJrRPfdGU7ZTjQ3rdPzW8ZBFnSRIooScFjxDGvh:MLMX1dRPfdTeWkXnSnoSajGh
Malware Config
- Extracted family: sality
Signatures
Modifies firewall policy service (3 TTPs, 3 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (Rootkit.Win32.PePatch.ee.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (Rootkit.Win32.PePatch.ee.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (Rootkit.Win32.PePatch.ee.exe)
Sality family
UAC bypass (3 TTPs, 1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Rootkit.Win32.PePatch.ee.exe)
Windows security bypass (2 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (Rootkit.Win32.PePatch.ee.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (Rootkit.Win32.PePatch.ee.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (Rootkit.Win32.PePatch.ee.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (Rootkit.Win32.PePatch.ee.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (Rootkit.Win32.PePatch.ee.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (Rootkit.Win32.PePatch.ee.exe)
Executes dropped EXE (3 IoCs)
- PID 2620 TrueURL.exe
- PID 5004 11.exe
- PID 4068 cn.exe
Windows security modification (2 TTPs, 7 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (Rootkit.Win32.PePatch.ee.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (Rootkit.Win32.PePatch.ee.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (Rootkit.Win32.PePatch.ee.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (Rootkit.Win32.PePatch.ee.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (Rootkit.Win32.PePatch.ee.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (Rootkit.Win32.PePatch.ee.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (Rootkit.Win32.PePatch.ee.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Rootkit.Win32.PePatch.ee.exe)
Checks whether UAC is enabled (1 TTP, 1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Rootkit.Win32.PePatch.ee.exe)
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by Rootkit.Win32.PePatch.ee.exe: \??\R:, \??\V:, \??\W:, \??\G:, \??\M:, \??\N:, \??\O:, \??\Z:, \??\H:, \??\K:, \??\U:, \??\X:, \??\Y:, \??\L:, \??\Q:, \??\S:, \??\T:, \??\E:, \??\I:, \??\J:, \??\P:
Drops file in Program Files directory (11 IoCs)
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe (Rootkit.Win32.PePatch.ee.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe (Rootkit.Win32.PePatch.ee.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe (Rootkit.Win32.PePatch.ee.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe (Rootkit.Win32.PePatch.ee.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe (Rootkit.Win32.PePatch.ee.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe (Rootkit.Win32.PePatch.ee.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe (Rootkit.Win32.PePatch.ee.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe (Rootkit.Win32.PePatch.ee.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe (Rootkit.Win32.PePatch.ee.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe (Rootkit.Win32.PePatch.ee.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe (Rootkit.Win32.PePatch.ee.exe)
Drops file in Windows directory (4 IoCs)
- File created C:\Windows\uninstal.bat (11.exe)
- File opened for modification C:\Windows\SYSTEM.INI (Rootkit.Win32.PePatch.ee.exe)
- File created C:\Windows\cn.exe (11.exe)
- File opened for modification C:\Windows\cn.exe (11.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (11.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cn.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Rootkit.Win32.PePatch.ee.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (TrueURL.exe)
Modifies data under HKEY_USERS (5 IoCs)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (cn.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (cn.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (cn.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (cn.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (cn.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 2460 Rootkit.Win32.PePatch.ee.exe (8 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2620 TrueURL.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 2460 Rootkit.Win32.PePatch.ee.exe (64 identical entries)
Suspicious use of FindShellTrayWindow (49 IoCs)
- PID 2620 TrueURL.exe (48 identical entries)
- PID 4068 cn.exe
Suspicious use of SendNotifyMessage (48 IoCs)
- PID 2620 TrueURL.exe (48 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 2460 (Rootkit.Win32.PePatch.ee.exe) wrote to the memory of the following target PIDs (procid_target in parentheses); the same set of writes is logged repeatedly: 780 (8), 784 (9), 336 (13), 2688 (47), 2880 (50), 3040 (51), 3356 (55), 3568 (57), 3776 (58), 3872 (59), 3936 (60), 4024 (61), 3696 (62), 2828 (74), 4576 (76), 2992 (81), 2620 (83)
System policy modification (1 TTP, 1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Rootkit.Win32.PePatch.ee.exe)
Processes (tree; indentation shows the parent/child relationship)
- PID 780: C:\Windows\system32\fontdrvhost.exe (command line: "fontdrvhost.exe")
- PID 784: C:\Windows\system32\fontdrvhost.exe (command line: "fontdrvhost.exe")
- PID 336: C:\Windows\system32\dwm.exe (command line: "dwm.exe")
- PID 2688: C:\Windows\system32\sihost.exe (command line: sihost.exe)
- PID 2880: C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
- PID 3040: C:\Windows\system32\taskhostw.exe (command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
- PID 3356: C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - PID 2460: C:\Users\Admin\AppData\Local\Temp\Rootkit.Win32.PePatch.ee.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Rootkit.Win32.PePatch.ee.exe")
    Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Windows security modification; Adds Run key to start application; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - PID 2620: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TrueURL.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TrueURL.exe)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    - PID 5004: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11.exe)
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
      - PID 4000: C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat)
        Signatures: System Location Discovery: System Language Discovery
- PID 3568: C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
- PID 3776: C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
- PID 3872: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
- PID 3936: C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 4024: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
- PID 3696: C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 2828: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca)
- PID 4576: C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 2992: C:\Windows\system32\backgroundTaskHost.exe (command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca)
- PID 4068: C:\Windows\cn.exe (command line: C:\Windows\cn.exe)
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious use of FindShellTrayWindow
  - PID 2944: C:\Program Files\Internet Explorer\IEXPLORE.EXE (command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE")
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads