sality | e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
628	kb888111xpsp1.exe
860	update.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1096-55-0x0000000001F70000-0x0000000002FFE000-memory.dmp	upx
behavioral1/memory/1096-58-0x0000000001F70000-0x0000000002FFE000-memory.dmp	upx
behavioral1/memory/1096-83-0x0000000001F70000-0x0000000002FFE000-memory.dmp	upx

Loads dropped DLL 10 IoCs

pid	Process
1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
628	kb888111xpsp1.exe
628	kb888111xpsp1.exe
628	kb888111xpsp1.exe
628	kb888111xpsp1.exe
860	update.exe
860	update.exe
860	update.exe
860	update.exe

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupapi.log	update.exe
File opened for modification	\??\c:\windows\KB888111.log	update.exe
File opened for modification	C:\Windows\SYSTEM.INI	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
Token: SeDebugPrivilege	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1144	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe	13
PID 1096 wrote to memory of 1240	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe	12
PID 1096 wrote to memory of 1276	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe	11
PID 1096 wrote to memory of 628	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe	28
PID 1096 wrote to memory of 628	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe	28
PID 1096 wrote to memory of 628	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe	28
PID 1096 wrote to memory of 628	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe	28
PID 1096 wrote to memory of 628	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe	28
PID 1096 wrote to memory of 628	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe	28
PID 1096 wrote to memory of 628	1096	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe	28
PID 628 wrote to memory of 860	628	kb888111xpsp1.exe	29
PID 628 wrote to memory of 860	628	kb888111xpsp1.exe	29
PID 628 wrote to memory of 860	628	kb888111xpsp1.exe	29
PID 628 wrote to memory of 860	628	kb888111xpsp1.exe	29
PID 628 wrote to memory of 860	628	kb888111xpsp1.exe	29
PID 628 wrote to memory of 860	628	kb888111xpsp1.exe	29
PID 628 wrote to memory of 860	628	kb888111xpsp1.exe	29

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe
  "C:\Users\Admin\AppData\Local\Temp\e6499ae93f94591837359fce76b09c36f3e225fab2c5e7deed7952845da3ea62.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\kb888111xpsp1.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\kb888111xpsp1.exe" /passive /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:628
  - - \??\c:\86c73415af696209de5e9aba3a0740\update\update.exe
      c:\86c73415af696209de5e9aba3a0740\update\update.exe /passive /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:860

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry