sality | 318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585

General

Target

318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
Size

220KB
MD5

a1061ac74f691796b037e9dfe04340d0
SHA1

102ac1988ff14e9afc7c31fff2fd005696032872
SHA256

318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585
SHA512

54adb8ab1194c76b7792d3beb96e23659956c1fa66e55e5339c6512aa0ac2d10d37780de6bbe528dbb75f3d30d456fe87539a66d2bf616e50ce87cd35513d2b2
SSDEEP

6144:WSO2HcRKMtpCT7KAZc3F1HAKwkNDJHXQ1Xc:WFRZtUeAZmFKkfYc

Score

10^/10

sality backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
5044	netsh.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5112-132-0x0000000002190000-0x00000000031C3000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\U:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\Q:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\P:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\N:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\H:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\G:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\E:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\X:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\V:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\R:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\M:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\J:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\Z:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\T:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\S:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\O:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\K:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\F:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\W:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\L:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened (read-only)	\??\I:	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5112	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
5112	318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe

C:\Users\Admin\AppData\Local\Temp\318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe
"C:\Users\Admin\AppData\Local\Temp\318d032e434438d95e5144a25ba3f8c2aadf7d7b5e4a532ff663946962eae585.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
PID:5112
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  PID:5044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Hidden Files and Directories

1

T1158

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5112-133-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5112-134-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5112-132-0x0000000002190000-0x00000000031C3000-memory.dmp

Filesize
16.2MB

Download
memory/5112-135-0x0000000002190000-0x00000000031C3000-memory.dmp

Filesize
16.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads