sality | 4590e9e17a98bbd507879b6dfc54a48c5a50d35358d16d634cb3ac42f4e567dd

General

Target

09c8d8b230538ffe18a96cf9d32f8a67.exe
Size

364KB
MD5

09c8d8b230538ffe18a96cf9d32f8a67
SHA1

464edfabed5c214980fdcf3c59db3713ca0cd646
SHA256

4590e9e17a98bbd507879b6dfc54a48c5a50d35358d16d634cb3ac42f4e567dd
SHA512

fcdf266eefc52e5b4f475ed597152d078f25c09de4bac3e3d5cf94c38bb406e8cda742bc227e47eb04599c698c7dd5275c17cd8992d8d72764695c6a25af62b6
SSDEEP

6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPh2BjsEID1f5kw62BurgI97w:EagCkDT2eT1RkwZErDI5

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

09c8d8b230538ffe18a96cf9d32f8a67.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	09c8d8b230538ffe18a96cf9d32f8a67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	09c8d8b230538ffe18a96cf9d32f8a67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	09c8d8b230538ffe18a96cf9d32f8a67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	09c8d8b230538ffe18a96cf9d32f8a67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	09c8d8b230538ffe18a96cf9d32f8a67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	09c8d8b230538ffe18a96cf9d32f8a67.exe

Executes dropped EXE 3 IoCs

Processes:

svchost.exe09c8d8b230538ffe18a96cf9d32f8a67.exesvchost.exe

pid process

1148 svchost.exe
1432 09c8d8b230538ffe18a96cf9d32f8a67.exe
1800 svchost.exe

pid	process
1148	svchost.exe
1432	09c8d8b230538ffe18a96cf9d32f8a67.exe
1800	svchost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1432-61-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx
behavioral1/memory/1432-66-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

1148 svchost.exe

pid	process
1148	svchost.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

09c8d8b230538ffe18a96cf9d32f8a67.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	09c8d8b230538ffe18a96cf9d32f8a67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	09c8d8b230538ffe18a96cf9d32f8a67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	09c8d8b230538ffe18a96cf9d32f8a67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	09c8d8b230538ffe18a96cf9d32f8a67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	09c8d8b230538ffe18a96cf9d32f8a67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	09c8d8b230538ffe18a96cf9d32f8a67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	09c8d8b230538ffe18a96cf9d32f8a67.exe

Drops file in Windows directory 1 IoCs

Processes:

09c8d8b230538ffe18a96cf9d32f8a67.exe

description ioc process

File created C:\Windows\svchost.exe 09c8d8b230538ffe18a96cf9d32f8a67.exe

description	ioc	process
File created	C:\Windows\svchost.exe	09c8d8b230538ffe18a96cf9d32f8a67.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

09c8d8b230538ffe18a96cf9d32f8a67.exesvchost.exe

description	pid	process	target process
PID 604 wrote to memory of 1148	604	09c8d8b230538ffe18a96cf9d32f8a67.exe	svchost.exe
PID 604 wrote to memory of 1148	604	09c8d8b230538ffe18a96cf9d32f8a67.exe	svchost.exe
PID 604 wrote to memory of 1148	604	09c8d8b230538ffe18a96cf9d32f8a67.exe	svchost.exe
PID 604 wrote to memory of 1148	604	09c8d8b230538ffe18a96cf9d32f8a67.exe	svchost.exe
PID 1148 wrote to memory of 1432	1148	svchost.exe	09c8d8b230538ffe18a96cf9d32f8a67.exe
PID 1148 wrote to memory of 1432	1148	svchost.exe	09c8d8b230538ffe18a96cf9d32f8a67.exe
PID 1148 wrote to memory of 1432	1148	svchost.exe	09c8d8b230538ffe18a96cf9d32f8a67.exe
PID 1148 wrote to memory of 1432	1148	svchost.exe	09c8d8b230538ffe18a96cf9d32f8a67.exe

C:\Users\Admin\AppData\Local\Temp\09c8d8b230538ffe18a96cf9d32f8a67.exe
"C:\Users\Admin\AppData\Local\Temp\09c8d8b230538ffe18a96cf9d32f8a67.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\09c8d8b230538ffe18a96cf9d32f8a67.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\09c8d8b230538ffe18a96cf9d32f8a67.exe
"C:\Users\Admin\AppData\Local\Temp\09c8d8b230538ffe18a96cf9d32f8a67.exe"
3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:1432

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:1800

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\09c8d8b230538ffe18a96cf9d32f8a67.exe
Filesize
328KB

MD5
b42ceeac3dffa38c628fbad1a4459bf3

SHA1
2a867fb4886301bbb629d31bffce3f5927c2d634

SHA256
43c5b68fa1e19c4105a1ff006a670701954833707c4f6a2f841ccb9a0af948a8

SHA512
3fa7947111689fc3314a2ef3fe4e8ffdfc23c59764a282e29dcd8fe54791d1269fcf6ae0f7462b5eeee69aee728450aa6a747ccb1229ac010f9fa9a3bed60def

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
83b4da0c5e91e676c355a34ad0fe73da

SHA1
09322303503ed0a70613110ca72e1bc790348882

SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110

SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
83b4da0c5e91e676c355a34ad0fe73da

SHA1
09322303503ed0a70613110ca72e1bc790348882

SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110

SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
83b4da0c5e91e676c355a34ad0fe73da

SHA1
09322303503ed0a70613110ca72e1bc790348882

SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110

SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Download Submit
\Users\Admin\AppData\Local\Temp\09c8d8b230538ffe18a96cf9d32f8a67.exe
Filesize
328KB

MD5
b42ceeac3dffa38c628fbad1a4459bf3

SHA1
2a867fb4886301bbb629d31bffce3f5927c2d634

SHA256
43c5b68fa1e19c4105a1ff006a670701954833707c4f6a2f841ccb9a0af948a8

SHA512
3fa7947111689fc3314a2ef3fe4e8ffdfc23c59764a282e29dcd8fe54791d1269fcf6ae0f7462b5eeee69aee728450aa6a747ccb1229ac010f9fa9a3bed60def

Download Submit
memory/1148-62-0x00000000003A0000-0x00000000003F3000-memory.dmp

Filesize
332KB

Download
memory/1148-54-0x0000000000000000-mapping.dmp

Download
memory/1432-60-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/1432-63-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1432-61-0x0000000001E10000-0x0000000002ECA000-memory.dmp

Filesize
16.7MB

Download
memory/1432-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1432-58-0x0000000000000000-mapping.dmp

Download
memory/1432-66-0x0000000001E10000-0x0000000002ECA000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads