sality | 4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	WdExt.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WdExt.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	@AE428C.tmp.exe

Executes dropped EXE 3 IoCs

pid	Process
2788	@AE428C.tmp.exe
2524	4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe
2460	WdExt.exe

Loads dropped DLL 7 IoCs

pid	Process
2136	explorer.exe
2136	explorer.exe
2788	@AE428C.tmp.exe
2136	explorer.exe
1608	cmd.exe
1608	cmd.exe
2460	WdExt.exe

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	@AE428C.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	WdExt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	@AE428C.tmp.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WdExt.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2788-162-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx
behavioral1/memory/2788-16-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx
behavioral1/memory/2788-368-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx
behavioral1/memory/2788-260-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx
behavioral1/memory/2788-581-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx
behavioral1/memory/2788-582-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx
behavioral1/memory/2788-583-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx
behavioral1/memory/2788-584-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx
behavioral1/memory/2788-585-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx
behavioral1/memory/2788-586-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx
behavioral1/memory/2788-632-0x0000000001E10000-0x0000000002ECA000-memory.dmp	upx
behavioral1/memory/2460-651-0x0000000001E50000-0x0000000002F0A000-memory.dmp	upx
behavioral1/memory/2460-653-0x0000000001E50000-0x0000000002F0A000-memory.dmp	upx
behavioral1/memory/2460-661-0x0000000001E50000-0x0000000002F0A000-memory.dmp	upx
behavioral1/memory/2460-659-0x0000000001E50000-0x0000000002F0A000-memory.dmp	upx
behavioral1/memory/2460-656-0x0000000001E50000-0x0000000002F0A000-memory.dmp	upx
behavioral1/memory/2460-662-0x0000000001E50000-0x0000000002F0A000-memory.dmp	upx
behavioral1/memory/2460-660-0x0000000001E50000-0x0000000002F0A000-memory.dmp	upx
behavioral1/memory/2460-658-0x0000000001E50000-0x0000000002F0A000-memory.dmp	upx
behavioral1/memory/2460-657-0x0000000001E50000-0x0000000002F0A000-memory.dmp	upx
behavioral1/memory/2460-655-0x0000000001E50000-0x0000000002F0A000-memory.dmp	upx
behavioral1/memory/2460-654-0x0000000001E50000-0x0000000002F0A000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\f774a88	WdExt.exe
File created	C:\Windows\f774366	@AE428C.tmp.exe
File opened for modification	C:\Windows\SYSTEM.INI	@AE428C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WdExt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@AE428C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2788	@AE428C.tmp.exe
2788	@AE428C.tmp.exe
2460	WdExt.exe
2460	WdExt.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2788	@AE428C.tmp.exe
Token: SeDebugPrivilege	2460	WdExt.exe
Token: SeDebugPrivilege	2460	WdExt.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2136	1524	4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe	30
PID 1524 wrote to memory of 2136	1524	4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe	30
PID 1524 wrote to memory of 2136	1524	4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe	30
PID 1524 wrote to memory of 2136	1524	4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe	30
PID 1524 wrote to memory of 2136	1524	4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe	30
PID 1524 wrote to memory of 2136	1524	4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe	30
PID 2136 wrote to memory of 2788	2136	explorer.exe	31
PID 2136 wrote to memory of 2788	2136	explorer.exe	31
PID 2136 wrote to memory of 2788	2136	explorer.exe	31
PID 2136 wrote to memory of 2788	2136	explorer.exe	31
PID 2788 wrote to memory of 1136	2788	@AE428C.tmp.exe	19
PID 2788 wrote to memory of 1188	2788	@AE428C.tmp.exe	20
PID 2788 wrote to memory of 1220	2788	@AE428C.tmp.exe	21
PID 2788 wrote to memory of 1400	2788	@AE428C.tmp.exe	23
PID 2788 wrote to memory of 2136	2788	@AE428C.tmp.exe	30
PID 2788 wrote to memory of 2136	2788	@AE428C.tmp.exe	30
PID 2788 wrote to memory of 2524	2788	@AE428C.tmp.exe	32
PID 2788 wrote to memory of 1608	2788	@AE428C.tmp.exe	33
PID 2788 wrote to memory of 1608	2788	@AE428C.tmp.exe	33
PID 2788 wrote to memory of 1608	2788	@AE428C.tmp.exe	33
PID 2788 wrote to memory of 1608	2788	@AE428C.tmp.exe	33
PID 2788 wrote to memory of 2056	2788	@AE428C.tmp.exe	34
PID 2788 wrote to memory of 2056	2788	@AE428C.tmp.exe	34
PID 2788 wrote to memory of 2056	2788	@AE428C.tmp.exe	34
PID 2788 wrote to memory of 2056	2788	@AE428C.tmp.exe	34
PID 1608 wrote to memory of 2460	1608	cmd.exe	36
PID 1608 wrote to memory of 2460	1608	cmd.exe	36
PID 1608 wrote to memory of 2460	1608	cmd.exe	36
PID 1608 wrote to memory of 2460	1608	cmd.exe	36
PID 2460 wrote to memory of 1136	2460	WdExt.exe	19
PID 2460 wrote to memory of 1188	2460	WdExt.exe	20
PID 2460 wrote to memory of 1220	2460	WdExt.exe	21
PID 2460 wrote to memory of 1400	2460	WdExt.exe	23
PID 2460 wrote to memory of 2788	2460	WdExt.exe	31
PID 2460 wrote to memory of 1608	2460	WdExt.exe	33
PID 2460 wrote to memory of 1608	2460	WdExt.exe	33
PID 2460 wrote to memory of 2056	2460	WdExt.exe	34
PID 2460 wrote to memory of 2056	2460	WdExt.exe	34
PID 2460 wrote to memory of 2500	2460	WdExt.exe	35
PID 2460 wrote to memory of 1760	2460	WdExt.exe	37

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	@AE428C.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WdExt.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe
  "C:\Users\Admin\AppData\Local\Temp\4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\@AE428C.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\@AE428C.tmp.exe"
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Checks whether UAC is enabled
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        6⤵
        Modifies firewall policy service
        UAC bypass
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Checks whether UAC is enabled
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        7⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2460
        8⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        9⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
        10⤵
        
        PID:548
        
        C:\Windows\SysWOW64\mscaps.exe
        
        "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        11⤵
        
        PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe
      "C:\Users\Admin\AppData\Local\Temp\4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe"
      4⤵
      Executes dropped EXE
      PID:2524

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-994706522-7096197246012100831950288475402618568-1896721521718841613-1804508761"
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1152279691512627171-1133658226-16699621-643234266-763845265583778070193507562"
1⤵
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry