Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09/04/2021, 20:34

General

  • Target

    4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe

  • Size

    4.8MB

  • MD5

    cd808dc04c0f37c12e86183d4ef05b62

  • SHA1

    da9a80127e455854c5b7d4eaec8f7f48b22e3e3d

  • SHA256

    4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847

  • SHA512

    4d9fd6ce526ff3e0d0614fc8e13e6d314b95501e240dd7a479106b646c559171f614a7ed4d44a4b71f8f1c02fc07f01e5f51a7d5f977a8fc6cdc86643b8644e9

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

  • StrongPity Spyware 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Users\Admin\AppData\Local\Temp\is-NQ0VJ.tmp\fnmsetup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-NQ0VJ.tmp\fnmsetup.tmp" /SL5="$5012E,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1964
    • C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
      "C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
        "C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
        3⤵
        • Executes dropped EXE
        PID:1952

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1228-68-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/1228-66-0x0000000075DE1000-0x0000000075DE3000-memory.dmp

    Filesize

    8KB

  • memory/1964-81-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB