sality | 7b23a666b13afaaba8005119e47c2f29f396c08a4d087abd3a0a254d3a6dbbe4

General

Target

FSZJXW.exe
Size

423KB
MD5

480130235a7e456be7d7de31c47e7d07
SHA1

67baa1f65ad6244485ddcf819c64717981e92d2b
SHA256

7b23a666b13afaaba8005119e47c2f29f396c08a4d087abd3a0a254d3a6dbbe4
SHA512

6726ed8447ba254156fc60dfbb6b01e5e89861aab682345577a35d3fbacebc7f7580dab04dad23e09727e67aa5a48f0616a8473a56f2287c4c8f25efab058c1d

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

FSZJXW.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FSZJXW.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	FSZJXW.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	FSZJXW.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

FSZJXW.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FSZJXW.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FSZJXW.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

FSZJXW.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	FSZJXW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	FSZJXW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	FSZJXW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	FSZJXW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	FSZJXW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	FSZJXW.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3372-130-0x0000000003790000-0x000000000481E000-memory.dmp	upx
behavioral2/memory/3372-131-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3372-132-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3372-133-0x0000000003790000-0x000000000481E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

FSZJXW.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	FSZJXW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	FSZJXW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	FSZJXW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	FSZJXW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	FSZJXW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	FSZJXW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	FSZJXW.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

FSZJXW.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FSZJXW.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FSZJXW.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/3372-131-0x0000000000400000-0x00000000004DC000-memory.dmp	autoit_exe
behavioral2/memory/3372-132-0x0000000000400000-0x00000000004DC000-memory.dmp	autoit_exe

Drops file in Windows directory 1 IoCs

Processes:

FSZJXW.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI FSZJXW.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

FSZJXW.exe

pid process

3372 FSZJXW.exe
3372 FSZJXW.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	FSZJXW.exe

pid	process
3372	FSZJXW.exe
3372	FSZJXW.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

FSZJXW.exe

description	pid	process
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe
Token: SeDebugPrivilege	3372	FSZJXW.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

FSZJXW.exe

description	pid	process	target process
PID 3372 wrote to memory of 808	3372	FSZJXW.exe	fontdrvhost.exe
PID 3372 wrote to memory of 816	3372	FSZJXW.exe	fontdrvhost.exe
PID 3372 wrote to memory of 332	3372	FSZJXW.exe	dwm.exe
PID 3372 wrote to memory of 2800	3372	FSZJXW.exe	sihost.exe
PID 3372 wrote to memory of 2812	3372	FSZJXW.exe	svchost.exe
PID 3372 wrote to memory of 2884	3372	FSZJXW.exe	taskhostw.exe
PID 3372 wrote to memory of 744	3372	FSZJXW.exe	Explorer.EXE
PID 3372 wrote to memory of 2896	3372	FSZJXW.exe	svchost.exe
PID 3372 wrote to memory of 3268	3372	FSZJXW.exe	DllHost.exe
PID 3372 wrote to memory of 3360	3372	FSZJXW.exe	StartMenuExperienceHost.exe
PID 3372 wrote to memory of 3424	3372	FSZJXW.exe	RuntimeBroker.exe
PID 3372 wrote to memory of 3520	3372	FSZJXW.exe	SearchApp.exe
PID 3372 wrote to memory of 3696	3372	FSZJXW.exe	RuntimeBroker.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

FSZJXW.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FSZJXW.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FSZJXW.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:332

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:816

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2812

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2884

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\FSZJXW.exe
"C:\Users\Admin\AppData\Local\Temp\FSZJXW.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3268

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3520

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3372-130-0x0000000003790000-0x000000000481E000-memory.dmp

Filesize
16.6MB

Download
memory/3372-131-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3372-132-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3372-133-0x0000000003790000-0x000000000481E000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads