Analysis

Max time kernel: 145s
Max time network: 147s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 09/04/2021, 20:34

Static task: static1
Behavioral task: behavioral1
  Sample: 4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
  Resource: win10v20201028
General

Target: 4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
Size: 4.8MB
MD5: cd808dc04c0f37c12e86183d4ef05b62
SHA1: da9a80127e455854c5b7d4eaec8f7f48b22e3e3d
SHA256: 4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847
SHA512: 4d9fd6ce526ff3e0d0614fc8e13e6d314b95501e240dd7a479106b646c559171f614a7ed4d44a4b71f8f1c02fc07f01e5f51a7d5f977a8fc6cdc86643b8644e9
Malware Config

Signatures

StrongPity
StrongPity is spyware developed by the PROMETHIUM APT group and used mainly in government-sponsored attacks.

StrongPity Spyware (3 IoCs)
resource                                     yara_rule
behavioral1/files/0x00030000000130d2-63.dat  family_strongpity
behavioral1/files/0x00030000000130d2-64.dat  family_strongpity
behavioral1/files/0x00030000000130d2-67.dat  family_strongpity

Executes dropped EXE (4 IoCs)
pid   Process
1228  fnmsetup.exe
884   nvwmisrv.exe
1952  winmsism.exe
1964  fnmsetup.tmp

Loads dropped DLL (7 IoCs; identical rows collapsed with a count)
pid   Process
1336  4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe (3 entries)
884   nvwmisrv.exe
1228  fnmsetup.exe
1964  fnmsetup.tmp (2 entries)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Process: 4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\CUpdateTask = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe"
  Process: 4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
The Run value is written to the user's own hive (HKCU, SID S-1-5-21-...-1000), so the persistence needs no elevation and applies only to that user; the persisted binary, ndaData\nvwmisrv.exe, is the same dropped executable (PID 884) that the WriteProcessMemory rows below show spawning winmsism.exe.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
1964  fnmsetup.tmp

Suspicious use of WriteProcessMemory (22 IoCs; one row per write, identical rows collapsed with a count)
parent pid  parent Process                                                             target pid  procid_target  writes
1336        4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe  1228        26             7
1336        4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe  884         27             4
884         nvwmisrv.exe                                                               1952        29             4
1228        fnmsetup.exe                                                               1964        30             7
Processes

C:\Users\Admin\AppData\Local\Temp\4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe (PID 1336)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe (PID 1228, child of 1336)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-NQ0VJ.tmp\fnmsetup.tmp (PID 1964, child of 1228)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-NQ0VJ.tmp\fnmsetup.tmp" /SL5="$5012E,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam

  C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe (PID 884, child of 1336)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe (PID 1952, child of 884)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
      - Executes dropped EXE

The sample therefore forks into two branches. The first, fnmsetup.exe, re-launches itself as is-NQ0VJ.tmp\fnmsetup.tmp with a /SL5= argument, which is the unpacking pattern of an Inno Setup installer (consistent with a legitimate installer bundled as a decoy, although the report does not say what it installs). The second, ndaData\nvwmisrv.exe, is the binary registered under the Run key and in turn starts ndaData\winmsism.exe.
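The signature rows and the process tree above are the same data seen twice: each "PID A wrote to memory of B" row is a parent-to-child edge, and the Run-key row names the child that will survive a reboot. The script below is an added example written for this page (it is not part of the sandbox report or its tooling) that rebuilds that tree from the rows and links the persisted image back to the process that registered it. The event strings are copied from the report's rows; the regexes assume that flattened row wording, which is an assumption made here, not the sandbox's native export format.

```python
"""Rebuild the process tree and the persistence link from the report's rows.

Added example for this page, not part of the sandbox report.  The regexes are
written for the flattened row wording shown on the page (an assumption), not
for the sandbox's native export format.
"""
import re
from collections import Counter

SAMPLE = "4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe"

# "Suspicious use of WriteProcessMemory" rows, one string per event, in the
# report's wording: PID <parent> wrote to memory of <child> <parent> <image> <procid_target>
WRITE_EVENTS = (
    [f"PID 1336 wrote to memory of 1228 1336 {SAMPLE} 26"] * 7
    + [f"PID 1336 wrote to memory of 884 1336 {SAMPLE} 27"] * 4
    + ["PID 884 wrote to memory of 1952 884 nvwmisrv.exe 29"] * 4
    + ["PID 1228 wrote to memory of 1964 1228 fnmsetup.exe 30"] * 7
)

# "Executes dropped EXE" rows: pid -> image name.
DROPPED_EXE = {1228: "fnmsetup.exe", 884: "nvwmisrv.exe",
               1952: "winmsism.exe", 1964: "fnmsetup.tmp"}

# "Adds Run key" row.  The report escapes path backslashes as "\\".
RUN_KEY_EVENT = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\CUpdateTask = "
    r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe" ' + SAMPLE
)

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
RUN_KEY_RE = re.compile(r'Set value \(str\) (\S+\\Run)\\(\S+) = "([^"]+)" (\S+)$')


def parse_write_events(lines):
    """Return ({parent_pid: image}, Counter{(parent_pid, child_pid): writes})."""
    images, edges = {}, Counter()
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if m is None:
            continue  # not a WriteProcessMemory row; ignore it
        parent, child, image, _procid_target = m.groups()
        images[int(parent)] = image
        edges[(int(parent), int(child))] += 1
    return images, edges


def build_tree(images, edges, dropped):
    """Name every pid (parent column, then the dropped-EXE list for leaves) and
    return (names, {parent: [children]}, roots that nobody wrote into)."""
    names = {**dropped, **images}
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    written_to = {child for _, child in edges}
    roots = [pid for pid in names if pid not in written_to]
    return names, children, roots


def parse_run_key(line):
    """Extract key, value name, target path and the process that set it."""
    m = RUN_KEY_RE.match(line.strip())
    if m is None:
        return None
    key, value_name, path, setter = m.groups()
    return {"key": key, "value_name": value_name,
            "path": path.replace("\\\\", "\\"), "set_by": setter}


def find_path(children, start, goal, path=()):
    """Depth-first pid path start -> goal over parent->child edges, or None."""
    path = path + (start,)
    if start == goal:
        return path
    for child in children.get(start, []):
        found = find_path(children, child, goal, path)
        if found:
            return found
    return None


def persistence_chain(run, names, children):
    """pid path from the process that wrote the Run value to the process whose
    image is the persisted binary; None if either is absent from the tree."""
    target_image = run["path"].rsplit("\\", 1)[-1]
    setter = next((p for p, n in names.items() if n == run["set_by"]), None)
    target = next((p for p, n in names.items() if n == target_image), None)
    if setter is None or target is None:
        return None
    return find_path(children, setter, target)


def render_tree(names, children, edges, roots):
    """Indented text tree with the write count on each parent->child edge."""
    lines = []

    def walk(pid, parent, depth):
        tag = "" if parent is None else f" ({edges[(parent, pid)]} writes from {parent})"
        lines.append(f"{'  ' * depth}{pid} {names[pid]}{tag}")
        for child in sorted(children.get(pid, [])):
            walk(child, pid, depth + 1)

    for root in sorted(roots):
        walk(root, None, 0)
    return lines


if __name__ == "__main__":
    images, edges = parse_write_events(WRITE_EVENTS)
    names, children, roots = build_tree(images, edges, DROPPED_EXE)
    print("\n".join(render_tree(names, children, edges, roots)))
    run = parse_run_key(RUN_KEY_EVENT)
    chain = persistence_chain(run, names, children)
    print(f"Run\\{run['value_name']} -> {run['path']}  set by pid chain {chain}")
```

Run as-is it prints the five-process tree with the 7/4/4/7 write counts from the table and reports that the CUpdateTask value was set by PID 1336 for its direct child 884, i.e. the dropper persists the implant rather than itself. Collapsing repeated rows into edge counts, rather than dropping them, keeps the 22-event total so the reconstruction can be checked against the signature header.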