sality | f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f

Analysis

max time kernel
135s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Size

2.8MB
MD5

8f590e98c6e7ecde08638a7fe8a2a559
SHA1

b7b8f19ed6d4b65a766f1aa5c9751a6826cc8e8d
SHA256

f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f
SHA512

d97df492be9d418a17f693247579bf31a529f79788aca81357aebb4d520e3b4c7ee0183fb05c239465bc0e47a2a27c3a8b7d7780eb93978d44773a223921a60f
SSDEEP

49152:Z6AX9jq67rEmB7oT4PQlTD2G3mGF4b6KzgLwzc:dcYEmB7oT4m2CfF4u6gLw4

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral2/memory/1492-1-0x0000000002760000-0x000000000381A000-memory.dmp upx
behavioral2/memory/1492-6-0x0000000002760000-0x000000000381A000-memory.dmp upx

resource	yara_rule
behavioral2/memory/1492-1-0x0000000002760000-0x000000000381A000-memory.dmp	upx
behavioral2/memory/1492-6-0x0000000002760000-0x000000000381A000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

Drops file in Windows directory 2 IoCs

Processes:

f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

description	ioc	process
File created	C:\Windows\e57d1b7	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
File opened for modification	C:\Windows\SYSTEM.INI	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe

C:\Users\Admin\AppData\Local\Temp\f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe
"C:\Users\Admin\AppData\Local\Temp\f693e0739fec39b9910dfca86053c0a756f31631eed79818330ef7796f41170f.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1036,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
1⤵
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1492-0-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download
memory/1492-1-0x0000000002760000-0x000000000381A000-memory.dmp

Filesize
16.7MB

Download
memory/1492-5-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download
memory/1492-6-0x0000000002760000-0x000000000381A000-memory.dmp

Filesize
16.7MB

Download