strongpity | 72239d0cba7a80895957b43d854680fb2fefbaa8b1f68b001ce5905c32ddcde1

Analysis

max time kernel
127s
max time network
127s
platform
windows10_x64
resource
win10v20201028
submitted
20-01-2021 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinRAR.exe
Size

4.0MB
MD5

c930f328b5b3894feced92d04908b256
SHA1

79eaa3e5457cff7ad64147a4178b0e7aad732101
SHA256

72239d0cba7a80895957b43d854680fb2fefbaa8b1f68b001ce5905c32ddcde1
SHA512

db6d5d81a495874a12b37546541b6a7dce63b43960a5a7a52fa5b3bd87af2067e8aed5daf13c0a6f11f2230b61a369973d18921761a403222054d38ba2fe330f

Score

10^/10

strongpity persistence spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe	family_strongpity
C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe	family_strongpity

Executes dropped EXE 3 IoCs

Processes:

winrar-x64-600.exenvwmisrv.exewinmsism.exe

pid process

696 winrar-x64-600.exe
4208 nvwmisrv.exe
4264 winmsism.exe

pid	process
696	winrar-x64-600.exe
4208	nvwmisrv.exe
4264	winmsism.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WinRAR.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeyStoreUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe"	WinRAR.exe

JavaScript code in executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe	js
C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe	js

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

winrar-x64-600.exe

pid process

696 winrar-x64-600.exe
696 winrar-x64-600.exe

pid	process
696	winrar-x64-600.exe
696	winrar-x64-600.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WinRAR.exenvwmisrv.exe

description	pid	process	target process
PID 644 wrote to memory of 696	644	WinRAR.exe	winrar-x64-600.exe
PID 644 wrote to memory of 696	644	WinRAR.exe	winrar-x64-600.exe
PID 644 wrote to memory of 4208	644	WinRAR.exe	nvwmisrv.exe
PID 644 wrote to memory of 4208	644	WinRAR.exe	nvwmisrv.exe
PID 644 wrote to memory of 4208	644	WinRAR.exe	nvwmisrv.exe
PID 4208 wrote to memory of 4264	4208	nvwmisrv.exe	winmsism.exe
PID 4208 wrote to memory of 4264	4208	nvwmisrv.exe	winmsism.exe
PID 4208 wrote to memory of 4264	4208	nvwmisrv.exe	winmsism.exe

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe
"C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:696

C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
"C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208

C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
"C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
3⤵
- Executes dropped EXE
PID:4264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3158760404_0120084558401_0.sft

MD5
734477db777dda9e45ba3860c2a25be6

SHA1
b01ec5f09b23fe836db3532056bcaa619dcfdade

SHA256
5244b8e051f1a930f5516b4a4bd437a612c6876d7c21e1d893ab05e7cbdf17f2

SHA512
cd2b98a9f1c6dae2c3fdb093586a6ee6de94cac09b60c3bc659bc5bd76be75ef13105b54bf0573c02dd3f3aa352e5df4ab5d455f1a90a6a052de6156fa8a13aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3158760404_0120084558401_1.sft

MD5
45a5da4f0d1cfe360e2d2867083d9389

SHA1
a493fae4af4495171575033d055882398a23dfbf

SHA256
026fa43b3c220d14113fefb7cb02f56fcfc4f14564f997e8971932fa653770e0

SHA512
99936db59adaac162fdecab2b9323050f2974d1dbcb6b3fe99b5ab99a8781ae75a3ccfaeb7300162c92f2a75c20784d00027dbf063bc6739d2f0171320dc0bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3158760404_0120084558401_2.sft

MD5
70c13bc39b88f77ce686efc2aa80b782

SHA1
a9e5f3067208eaf072053d9a3cfcf883c45a2cbc

SHA256
0ec44026bdd7de7d9646edcf021e0ff5f0723f561719bf9b9e68fc53166ef1c0

SHA512
5c292a531bd0d31ce502251e078bafd72fc71dd8e1caf3d7824183aa3eb1f771b83482c9c37df1943879a5b40e39404bb2b99961386d310b4211e23b122c11d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5
60e9f401ea30605d57cdc821533d9675

SHA1
91b67ecaf9beef5d6e15e3dc2f4e0725d17ccbd2

SHA256
995d1cd140d2b0ea133d057ca846435fc61d8ed7cee8b3240d8f0e428d3137a9

SHA512
2478083b1bec3dd60a6cc849de97a57e103b7d223fc1db32fc34dd50e12cdc184916d7e310953ab9837dbce77ffa2da793d2ee91785b20a784e6abe729fb58d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5
60e9f401ea30605d57cdc821533d9675

SHA1
91b67ecaf9beef5d6e15e3dc2f4e0725d17ccbd2

SHA256
995d1cd140d2b0ea133d057ca846435fc61d8ed7cee8b3240d8f0e428d3137a9

SHA512
2478083b1bec3dd60a6cc849de97a57e103b7d223fc1db32fc34dd50e12cdc184916d7e310953ab9837dbce77ffa2da793d2ee91785b20a784e6abe729fb58d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5
8c24dd49d037121212985c722e1c7d03

SHA1
6080cf16925c33fb0edbeeaf2a549a3749d99c9b

SHA256
9b499b3945d8f979fdbb46342e1fd3dd5b2b5aa4322e9447df13598817c670e1

SHA512
3790a519b479a2c7718cfd51d408563043bc745918e92dc7bfbdc82e61444b719669123568e7dab8142699d350dd66287eb6512fbcaf6f0b35d1e9376d5379d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5
8c24dd49d037121212985c722e1c7d03

SHA1
6080cf16925c33fb0edbeeaf2a549a3749d99c9b

SHA256
9b499b3945d8f979fdbb46342e1fd3dd5b2b5aa4322e9447df13598817c670e1

SHA512
3790a519b479a2c7718cfd51d408563043bc745918e92dc7bfbdc82e61444b719669123568e7dab8142699d350dd66287eb6512fbcaf6f0b35d1e9376d5379d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe

MD5
2498cc397841bfd6543dd869c855d519

SHA1
f7c3343cdc3b2f24762c40347e8ef48db503e5eb

SHA256
702676c3e5471ffb649daf7306b89c8a87936aba3654e262789fc1d3b6653afd

SHA512
7e9a7433f70d5fdc51a2a22b12991791f75340925d1c7faa4cef6efd924c2fa1463f2b772f04d94496baff19e1092a5e9f9c5c0a09be258d2a1319aa1e9fa833

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe

MD5
2498cc397841bfd6543dd869c855d519

SHA1
f7c3343cdc3b2f24762c40347e8ef48db503e5eb

SHA256
702676c3e5471ffb649daf7306b89c8a87936aba3654e262789fc1d3b6653afd

SHA512
7e9a7433f70d5fdc51a2a22b12991791f75340925d1c7faa4cef6efd924c2fa1463f2b772f04d94496baff19e1092a5e9f9c5c0a09be258d2a1319aa1e9fa833

Download Submit
memory/696-2-0x0000000000000000-mapping.dmp

Download
memory/4208-6-0x0000000000000000-mapping.dmp

Download
memory/4264-9-0x0000000000000000-mapping.dmp

Download