strongpity | 72239d0cba7a80895957b43d854680fb2fefbaa8b1f68b001ce5905c32ddcde1

Analysis

max time kernel
127s
max time network
127s
platform
windows10_x64
resource
win10v20201028
submitted
20/01/2021, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinRAR.exe
Size

4.0MB
MD5

c930f328b5b3894feced92d04908b256
SHA1

79eaa3e5457cff7ad64147a4178b0e7aad732101
SHA256

72239d0cba7a80895957b43d854680fb2fefbaa8b1f68b001ce5905c32ddcde1
SHA512

db6d5d81a495874a12b37546541b6a7dce63b43960a5a7a52fa5b3bd87af2067e8aed5daf13c0a6f11f2230b61a369973d18921761a403222054d38ba2fe330f

Score

10^/10

strongpity persistence spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 2 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab9f-7.dat	family_strongpity
behavioral2/files/0x000100000001ab9f-8.dat	family_strongpity

Executes dropped EXE 3 IoCs

pid	Process
696	winrar-x64-600.exe
4208	nvwmisrv.exe
4264	winmsism.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeyStoreUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe"	WinRAR.exe

JavaScript code in executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000001ab9a-3.dat	js
behavioral2/files/0x000200000001ab9a-4.dat	js

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
696	winrar-x64-600.exe
696	winrar-x64-600.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 696	644	WinRAR.exe	74
PID 644 wrote to memory of 696	644	WinRAR.exe	74
PID 644 wrote to memory of 4208	644	WinRAR.exe	79
PID 644 wrote to memory of 4208	644	WinRAR.exe	79
PID 644 wrote to memory of 4208	644	WinRAR.exe	79
PID 4208 wrote to memory of 4264	4208	nvwmisrv.exe	81
PID 4208 wrote to memory of 4264	4208	nvwmisrv.exe	81
PID 4208 wrote to memory of 4264	4208	nvwmisrv.exe	81

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe
  "C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:696
- C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
  "C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
    "C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
    3⤵
    - Executes dropped EXE
    PID:4264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads