sality | 87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Size

171KB
MD5

a0be233cd1d28feb95aad1a0d81e1ef9
SHA1

71627a96431c3610e7b1c924ddcfe87f9d9e9e92
SHA256

87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c
SHA512

a3b44d34d4fea48b9352cbc83c08e993cc00ba4e5c8fe8ad93d20d8aeeb912e6398f02368c1f7ecd92f1b94a353aaeb44ecd7af428872622478913462531ed3a
SSDEEP

3072:J27BSpMbTehf6qclWYacD8zCHNEjySR0EcQJYCPU85rxVyi6:J27gCbTehiqclWYacozCHNEjyKJN5VVY

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1152-133-0x0000000002340000-0x0000000003370000-memory.dmp	upx
behavioral2/memory/1152-134-0x0000000002340000-0x0000000003370000-memory.dmp	upx
behavioral2/memory/1152-136-0x0000000002340000-0x0000000003370000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
Token: SeDebugPrivilege	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 792	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	9
PID 1152 wrote to memory of 800	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	10
PID 1152 wrote to memory of 332	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	13
PID 1152 wrote to memory of 2488	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	54
PID 1152 wrote to memory of 2528	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	53
PID 1152 wrote to memory of 2784	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	48
PID 1152 wrote to memory of 2016	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	47
PID 1152 wrote to memory of 3184	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	46
PID 1152 wrote to memory of 3412	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	45
PID 1152 wrote to memory of 3500	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	44
PID 1152 wrote to memory of 3584	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	23
PID 1152 wrote to memory of 3668	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	43
PID 1152 wrote to memory of 3840	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	42
PID 1152 wrote to memory of 4744	1152	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe	39

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:332

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3584

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3668

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3500

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe
  "C:\Users\Admin\AppData\Local\Temp\87e2815ff1fdce78759d84926c5c645f6bc6d83f6659b16667da9f27057f327c.exe"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1152

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2528

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-132-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1152-133-0x0000000002340000-0x0000000003370000-memory.dmp

Filesize
16.2MB

Download
memory/1152-134-0x0000000002340000-0x0000000003370000-memory.dmp

Filesize
16.2MB

Download
memory/1152-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1152-136-0x0000000002340000-0x0000000003370000-memory.dmp

Filesize
16.2MB

Download