sality | 30adfbd6c6f7ee56d645eac5219a1c75caacb1fa395a2ff103450e526ec0bdf3

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	126185670224193695ce9a3fb643871f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	126185670224193695ce9a3fb643871f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	126185670224193695ce9a3fb643871f.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	126185670224193695ce9a3fb643871f.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	126185670224193695ce9a3fb643871f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	126185670224193695ce9a3fb643871f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	126185670224193695ce9a3fb643871f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	126185670224193695ce9a3fb643871f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	126185670224193695ce9a3fb643871f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	126185670224193695ce9a3fb643871f.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	126185670224193695ce9a3fb643871f.exe

Disables Task Manager via registry modification
evasion

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4180-2-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-4-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-5-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-11-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-12-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-7-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-13-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-14-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-15-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-16-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-17-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-18-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-46-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-47-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-48-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-50-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-53-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-55-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-62-0x00000000022D0000-0x000000000335E000-memory.dmp	upx
behavioral2/memory/4180-66-0x00000000022D0000-0x000000000335E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	126185670224193695ce9a3fb643871f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	126185670224193695ce9a3fb643871f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	126185670224193695ce9a3fb643871f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	126185670224193695ce9a3fb643871f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	126185670224193695ce9a3fb643871f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	126185670224193695ce9a3fb643871f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	126185670224193695ce9a3fb643871f.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	126185670224193695ce9a3fb643871f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	126185670224193695ce9a3fb643871f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4180	126185670224193695ce9a3fb643871f.exe
4180	126185670224193695ce9a3fb643871f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe
Token: SeDebugPrivilege	4180	126185670224193695ce9a3fb643871f.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 756	4180	126185670224193695ce9a3fb643871f.exe	8
PID 4180 wrote to memory of 760	4180	126185670224193695ce9a3fb643871f.exe	92
PID 4180 wrote to memory of 64	4180	126185670224193695ce9a3fb643871f.exe	9
PID 4180 wrote to memory of 2564	4180	126185670224193695ce9a3fb643871f.exe	53
PID 4180 wrote to memory of 752	4180	126185670224193695ce9a3fb643871f.exe	52
PID 4180 wrote to memory of 3128	4180	126185670224193695ce9a3fb643871f.exe	51
PID 4180 wrote to memory of 3496	4180	126185670224193695ce9a3fb643871f.exe	48
PID 4180 wrote to memory of 3620	4180	126185670224193695ce9a3fb643871f.exe	47
PID 4180 wrote to memory of 3812	4180	126185670224193695ce9a3fb643871f.exe	46
PID 4180 wrote to memory of 3900	4180	126185670224193695ce9a3fb643871f.exe	45
PID 4180 wrote to memory of 3972	4180	126185670224193695ce9a3fb643871f.exe	44
PID 4180 wrote to memory of 4052	4180	126185670224193695ce9a3fb643871f.exe	43
PID 4180 wrote to memory of 4232	4180	126185670224193695ce9a3fb643871f.exe	42
PID 4180 wrote to memory of 4536	4180	126185670224193695ce9a3fb643871f.exe	40
PID 4180 wrote to memory of 1064	4180	126185670224193695ce9a3fb643871f.exe	26
PID 4180 wrote to memory of 4636	4180	126185670224193695ce9a3fb643871f.exe	18
PID 4180 wrote to memory of 2348	4180	126185670224193695ce9a3fb643871f.exe	17
PID 4180 wrote to memory of 2600	4180	126185670224193695ce9a3fb643871f.exe	16

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	126185670224193695ce9a3fb643871f.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:756

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\126185670224193695ce9a3fb643871f.exe
"C:\Users\Admin\AppData\Local\Temp\126185670224193695ce9a3fb643871f.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4180

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2600

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2348

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:4636

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4536

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4232

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3900

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3620

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3496

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:752

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2564

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry