strongpity | 72239d0cba7a80895957b43d854680fb2fefbaa8b1f68b001ce5905c32ddcde1

Analysis

max time kernel
133s
max time network
132s
platform
windows7_x64
resource
win7v20201028
submitted
20-01-2021 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinRAR.exe
Size

4.0MB
MD5

c930f328b5b3894feced92d04908b256
SHA1

79eaa3e5457cff7ad64147a4178b0e7aad732101
SHA256

72239d0cba7a80895957b43d854680fb2fefbaa8b1f68b001ce5905c32ddcde1
SHA512

db6d5d81a495874a12b37546541b6a7dce63b43960a5a7a52fa5b3bd87af2067e8aed5daf13c0a6f11f2230b61a369973d18921761a403222054d38ba2fe330f

Score

10^/10

strongpity persistence spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe	family_strongpity
\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe	family_strongpity
C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe	family_strongpity

Executes dropped EXE 3 IoCs

Processes:

winrar-x64-600.exenvwmisrv.exewinmsism.exe

pid process

1908 winrar-x64-600.exe
2224 nvwmisrv.exe
2264 winmsism.exe
Loads dropped DLL 5 IoCs

Processes:

WinRAR.exenvwmisrv.exe

pid process

1728 WinRAR.exe
1276
1728 WinRAR.exe
1728 WinRAR.exe
2224 nvwmisrv.exe

pid	process
1908	winrar-x64-600.exe
2224	nvwmisrv.exe
2264	winmsism.exe

pid	process
1728	WinRAR.exe
1276
1728	WinRAR.exe
1728	WinRAR.exe
2224	nvwmisrv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WinRAR.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeyStoreUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe"	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	WinRAR.exe

JavaScript code in executable 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe	js
C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe	js
C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe	js
\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe	js

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

winrar-x64-600.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64-600.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

winrar-x64-600.exe

pid process

1908 winrar-x64-600.exe
1908 winrar-x64-600.exe

pid	process
1908	winrar-x64-600.exe
1908	winrar-x64-600.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WinRAR.exenvwmisrv.exe

description	pid	process	target process
PID 1728 wrote to memory of 1908	1728	WinRAR.exe	winrar-x64-600.exe
PID 1728 wrote to memory of 1908	1728	WinRAR.exe	winrar-x64-600.exe
PID 1728 wrote to memory of 1908	1728	WinRAR.exe	winrar-x64-600.exe
PID 1728 wrote to memory of 1908	1728	WinRAR.exe	winrar-x64-600.exe
PID 1728 wrote to memory of 2224	1728	WinRAR.exe	nvwmisrv.exe
PID 1728 wrote to memory of 2224	1728	WinRAR.exe	nvwmisrv.exe
PID 1728 wrote to memory of 2224	1728	WinRAR.exe	nvwmisrv.exe
PID 1728 wrote to memory of 2224	1728	WinRAR.exe	nvwmisrv.exe
PID 2224 wrote to memory of 2264	2224	nvwmisrv.exe	winmsism.exe
PID 2224 wrote to memory of 2264	2224	nvwmisrv.exe	winmsism.exe
PID 2224 wrote to memory of 2264	2224	nvwmisrv.exe	winmsism.exe
PID 2224 wrote to memory of 2264	2224	nvwmisrv.exe	winmsism.exe

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe
"C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
"C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
"C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
3⤵
- Executes dropped EXE
PID:2264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3969311338_0120073858027_0.sft

MD5
37f0fb87f79733beebacb8d5964d95ba

SHA1
fb304ba16b55437205f2dc3cd4a77b052923c513

SHA256
294ee6dc47cb85ccdf6efee650a04a90202408c7a717b2f968aeec1e24f78aeb

SHA512
a1f6c22a02fb5a29ee84eb5e46d66864b0c90e302e0ba7dfca8fa8b19007e5cf06dcae619d233fea5dd03f70b338a8d9bbedb70fbe592f9197541d27b862b7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3969311338_0120073858152_0.sft

MD5
95aa5cdae51b70c9d1901bd477766f0f

SHA1
4e46a63f66319c2d3f0b3c83053918e7e08d1f68

SHA256
bf8c63efe1cbd9df19e68f2f4548fabf63476bab3b28bb50ac5fc8fbe0e1d151

SHA512
4d29fe7a6112c45182d40b25fa1acf3cf0332c0adc9273dab1ace1a77199c085dcf3448664901d0f81c949ed3f4b6baa64252967d9f055496222ea15a44e9b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3969311338_0120073858152_1.sft

MD5
3fb1337b6ec54710700bd6577de10b55

SHA1
9ec7494cced409c0fe6bb32cf6f529d836e6f780

SHA256
0ad3858c43b87a10504112c9d37b68b65a9ce5b0aed48691b840de98f473c4e4

SHA512
de9cc02faab6ebc4aa2f80163476ddfac5aaee6a7d034ed0c19744ad832a0d9dc6b22d851669a71f1d059689f7c45c1353a013c6a5daa7d0624c0a195d5cb8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5
60e9f401ea30605d57cdc821533d9675

SHA1
91b67ecaf9beef5d6e15e3dc2f4e0725d17ccbd2

SHA256
995d1cd140d2b0ea133d057ca846435fc61d8ed7cee8b3240d8f0e428d3137a9

SHA512
2478083b1bec3dd60a6cc849de97a57e103b7d223fc1db32fc34dd50e12cdc184916d7e310953ab9837dbce77ffa2da793d2ee91785b20a784e6abe729fb58d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5
8c24dd49d037121212985c722e1c7d03

SHA1
6080cf16925c33fb0edbeeaf2a549a3749d99c9b

SHA256
9b499b3945d8f979fdbb46342e1fd3dd5b2b5aa4322e9447df13598817c670e1

SHA512
3790a519b479a2c7718cfd51d408563043bc745918e92dc7bfbdc82e61444b719669123568e7dab8142699d350dd66287eb6512fbcaf6f0b35d1e9376d5379d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5
8c24dd49d037121212985c722e1c7d03

SHA1
6080cf16925c33fb0edbeeaf2a549a3749d99c9b

SHA256
9b499b3945d8f979fdbb46342e1fd3dd5b2b5aa4322e9447df13598817c670e1

SHA512
3790a519b479a2c7718cfd51d408563043bc745918e92dc7bfbdc82e61444b719669123568e7dab8142699d350dd66287eb6512fbcaf6f0b35d1e9376d5379d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe

MD5
2498cc397841bfd6543dd869c855d519

SHA1
f7c3343cdc3b2f24762c40347e8ef48db503e5eb

SHA256
702676c3e5471ffb649daf7306b89c8a87936aba3654e262789fc1d3b6653afd

SHA512
7e9a7433f70d5fdc51a2a22b12991791f75340925d1c7faa4cef6efd924c2fa1463f2b772f04d94496baff19e1092a5e9f9c5c0a09be258d2a1319aa1e9fa833

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe

MD5
2498cc397841bfd6543dd869c855d519

SHA1
f7c3343cdc3b2f24762c40347e8ef48db503e5eb

SHA256
702676c3e5471ffb649daf7306b89c8a87936aba3654e262789fc1d3b6653afd

SHA512
7e9a7433f70d5fdc51a2a22b12991791f75340925d1c7faa4cef6efd924c2fa1463f2b772f04d94496baff19e1092a5e9f9c5c0a09be258d2a1319aa1e9fa833

Download Submit
\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5
60e9f401ea30605d57cdc821533d9675

SHA1
91b67ecaf9beef5d6e15e3dc2f4e0725d17ccbd2

SHA256
995d1cd140d2b0ea133d057ca846435fc61d8ed7cee8b3240d8f0e428d3137a9

SHA512
2478083b1bec3dd60a6cc849de97a57e103b7d223fc1db32fc34dd50e12cdc184916d7e310953ab9837dbce77ffa2da793d2ee91785b20a784e6abe729fb58d4

Download Submit
\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5
60e9f401ea30605d57cdc821533d9675

SHA1
91b67ecaf9beef5d6e15e3dc2f4e0725d17ccbd2

SHA256
995d1cd140d2b0ea133d057ca846435fc61d8ed7cee8b3240d8f0e428d3137a9

SHA512
2478083b1bec3dd60a6cc849de97a57e103b7d223fc1db32fc34dd50e12cdc184916d7e310953ab9837dbce77ffa2da793d2ee91785b20a784e6abe729fb58d4

Download Submit
\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5
8c24dd49d037121212985c722e1c7d03

SHA1
6080cf16925c33fb0edbeeaf2a549a3749d99c9b

SHA256
9b499b3945d8f979fdbb46342e1fd3dd5b2b5aa4322e9447df13598817c670e1

SHA512
3790a519b479a2c7718cfd51d408563043bc745918e92dc7bfbdc82e61444b719669123568e7dab8142699d350dd66287eb6512fbcaf6f0b35d1e9376d5379d8

Download Submit
\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe

MD5
2498cc397841bfd6543dd869c855d519

SHA1
f7c3343cdc3b2f24762c40347e8ef48db503e5eb

SHA256
702676c3e5471ffb649daf7306b89c8a87936aba3654e262789fc1d3b6653afd

SHA512
7e9a7433f70d5fdc51a2a22b12991791f75340925d1c7faa4cef6efd924c2fa1463f2b772f04d94496baff19e1092a5e9f9c5c0a09be258d2a1319aa1e9fa833

Download Submit
\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe

MD5
2498cc397841bfd6543dd869c855d519

SHA1
f7c3343cdc3b2f24762c40347e8ef48db503e5eb

SHA256
702676c3e5471ffb649daf7306b89c8a87936aba3654e262789fc1d3b6653afd

SHA512
7e9a7433f70d5fdc51a2a22b12991791f75340925d1c7faa4cef6efd924c2fa1463f2b772f04d94496baff19e1092a5e9f9c5c0a09be258d2a1319aa1e9fa833

Download Submit
memory/1908-5-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

Filesize
8KB

Download
memory/1908-3-0x0000000000000000-mapping.dmp

Download
memory/1964-7-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp

Filesize
2.5MB

Download
memory/2224-11-0x0000000000000000-mapping.dmp

Download
memory/2264-15-0x0000000000000000-mapping.dmp

Download