sality | 0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca

Analysis

max time kernel
92s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Size

505KB
MD5

13162c54c4d8e425799ab947e57df82b
SHA1

02e7518ebc738d1be6c6079701b47d12f76ee33b
SHA256

0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca
SHA512

f7aad4cde66b4414ef7a5fb7e09032d4423932a5803d366876fb7d1e6686c8e48329a8d7d59c1c8eb88bd77a92ed7f6f7a7ae0d02cf981a2554b5f12118da57f
SSDEEP

12288:FMsi9TgKPChlEiYOAkycjo+ZToV0vloD29/:FQgKCYLtcPo+o29/

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1732-5-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/1732-6-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/1732-8-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/1732-4-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/1732-3-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/1732-9-0x0000000002270000-0x000000000332A000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

Drops file in Windows directory 2 IoCs

Processes:

0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

description	ioc	process
File created	C:\Windows\e57516c	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
File opened for modification	C:\Windows\SYSTEM.INI	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

pid process

1732 0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
1732 0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

pid	process
1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

description	pid	process
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
Token: SeDebugPrivilege	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

description	pid	process	target process
PID 1732 wrote to memory of 784	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe	fontdrvhost.exe
PID 1732 wrote to memory of 792	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe	fontdrvhost.exe
PID 1732 wrote to memory of 1020	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe	dwm.exe
PID 1732 wrote to memory of 2580	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe	sihost.exe
PID 1732 wrote to memory of 2592	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe	svchost.exe
PID 1732 wrote to memory of 2900	1732	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe	taskhostw.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1020

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2592

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
"C:\Users\Admin\AppData\Local\Temp\0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1732-5-0x0000000002270000-0x000000000332A000-memory.dmp

Filesize
16.7MB

Download
memory/1732-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1732-6-0x0000000002270000-0x000000000332A000-memory.dmp

Filesize
16.7MB

Download
memory/1732-8-0x0000000002270000-0x000000000332A000-memory.dmp

Filesize
16.7MB

Download
memory/1732-4-0x0000000002270000-0x000000000332A000-memory.dmp

Filesize
16.7MB

Download
memory/1732-3-0x0000000002270000-0x000000000332A000-memory.dmp

Filesize
16.7MB

Download
memory/1732-9-0x0000000002270000-0x000000000332A000-memory.dmp

Filesize
16.7MB

Download