strongpity | 4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
09-04-2021 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
Size

4.8MB
MD5

cd808dc04c0f37c12e86183d4ef05b62
SHA1

da9a80127e455854c5b7d4eaec8f7f48b22e3e3d
SHA256

4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847
SHA512

4d9fd6ce526ff3e0d0614fc8e13e6d314b95501e240dd7a479106b646c559171f614a7ed4d44a4b71f8f1c02fc07f01e5f51a7d5f977a8fc6cdc86643b8644e9

Score

10^/10

strongpity persistence spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe	family_strongpity
\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe	family_strongpity
C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe	family_strongpity

Executes dropped EXE 4 IoCs

Processes:

fnmsetup.exenvwmisrv.exewinmsism.exefnmsetup.tmp

pid process

1228 fnmsetup.exe
884 nvwmisrv.exe
1952 winmsism.exe
1964 fnmsetup.tmp

pid	process
1228	fnmsetup.exe
884	nvwmisrv.exe
1952	winmsism.exe
1964	fnmsetup.tmp

Loads dropped DLL 7 IoCs

Processes:

4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exenvwmisrv.exefnmsetup.exefnmsetup.tmp

pid	process
1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
884	nvwmisrv.exe
1228	fnmsetup.exe
1964	fnmsetup.tmp
1964	fnmsetup.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\CUpdateTask = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe"	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fnmsetup.tmp

pid process

1964 fnmsetup.tmp

pid	process
1964	fnmsetup.tmp

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exenvwmisrv.exefnmsetup.exe

description	pid	process	target process
PID 1336 wrote to memory of 1228	1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	fnmsetup.exe
PID 1336 wrote to memory of 1228	1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	fnmsetup.exe
PID 1336 wrote to memory of 1228	1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	fnmsetup.exe
PID 1336 wrote to memory of 1228	1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	fnmsetup.exe
PID 1336 wrote to memory of 1228	1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	fnmsetup.exe
PID 1336 wrote to memory of 1228	1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	fnmsetup.exe
PID 1336 wrote to memory of 1228	1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	fnmsetup.exe
PID 1336 wrote to memory of 884	1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	nvwmisrv.exe
PID 1336 wrote to memory of 884	1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	nvwmisrv.exe
PID 1336 wrote to memory of 884	1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	nvwmisrv.exe
PID 1336 wrote to memory of 884	1336	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	nvwmisrv.exe
PID 884 wrote to memory of 1952	884	nvwmisrv.exe	winmsism.exe
PID 884 wrote to memory of 1952	884	nvwmisrv.exe	winmsism.exe
PID 884 wrote to memory of 1952	884	nvwmisrv.exe	winmsism.exe
PID 884 wrote to memory of 1952	884	nvwmisrv.exe	winmsism.exe
PID 1228 wrote to memory of 1964	1228	fnmsetup.exe	fnmsetup.tmp
PID 1228 wrote to memory of 1964	1228	fnmsetup.exe	fnmsetup.tmp
PID 1228 wrote to memory of 1964	1228	fnmsetup.exe	fnmsetup.tmp
PID 1228 wrote to memory of 1964	1228	fnmsetup.exe	fnmsetup.tmp
PID 1228 wrote to memory of 1964	1228	fnmsetup.exe	fnmsetup.tmp
PID 1228 wrote to memory of 1964	1228	fnmsetup.exe	fnmsetup.tmp
PID 1228 wrote to memory of 1964	1228	fnmsetup.exe	fnmsetup.tmp

C:\Users\Admin\AppData\Local\Temp\4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
"C:\Users\Admin\AppData\Local\Temp\4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
"C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\is-NQ0VJ.tmp\fnmsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NQ0VJ.tmp\fnmsetup.tmp" /SL5="$5012E,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1964

C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
"C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
"C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
3⤵
- Executes dropped EXE
PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe

MD5
65689075a82a08bb797bb9a5cc2932c9

SHA1
a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2

SHA256
803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab

SHA512
20a1ac3df849e09fe361d0de8c04f9d8598457e95427a30df9ab74316c2644aa30f782b88b171ffadd7be4b6fc85970ec539d003aa1244434be6a12bbb9b6ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe

MD5
65689075a82a08bb797bb9a5cc2932c9

SHA1
a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2

SHA256
803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab

SHA512
20a1ac3df849e09fe361d0de8c04f9d8598457e95427a30df9ab74316c2644aa30f782b88b171ffadd7be4b6fc85970ec539d003aa1244434be6a12bbb9b6ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NQ0VJ.tmp\fnmsetup.tmp

MD5
8f144bcbcad0417e7823dd8e60218530

SHA1
9df092a764b8ad278ed574f00d1c065683eef6ac

SHA256
39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0

SHA512
e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_2187226457_0409203032816_0.sft

MD5
0d5ff8dc4d8030cc1049e67617e2f899

SHA1
a66f325edceb050c309316d25e9498827d48a9ca

SHA256
1bd8ec6607a6cbea0eefe63a582398f61c116a9b566bf8e86b31d21ae112e4f8

SHA512
0bcdbd7b864a66f089f4e98fd3eac0e172dee39d2fc62dd7d2e264f4c444061722e41b7d8b021e4cc089912f6c75c0a57981c622b01f6596f81d1cde57a9f822

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_2187226457_0409203032816_1.sft

MD5
e5e27b312405c6c232b16763e072b28a

SHA1
565cb59e7a20e3ec09f436db865b8a4a95c56a9b

SHA256
29f436f58d6bd7792acccf3d13419f5102510831656478f6dce7f3049c575aa3

SHA512
a391f06fe0b1a11602ecd5c85c956832c87715ba316e9cf12891f7ad9236a0c6f78e8bc9c738c4a6b8067a331424dbd30fb3239ab34db91b1fd5b5aa19f6791f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_2187226457_0409203032816_2.sft

MD5
7b4b19dd5060a9e62b74db16e93704a0

SHA1
6b77ba2c7b6cd9616fc321607d8a4f119457ec48

SHA256
2017231423ec93d52629cc0511664abcb78d6ac758fc1cab9551ad4ab0a947a3

SHA512
26a1127bf737a9c20b36184607cfe699fc2d1379c796fc87521c2f34256ec9065acbb0e6dcd5ac3a3729f2176acc0db4079a861ac947e69dc49245115ef1ca7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_2187226457_0409203032816_3.sft

MD5
413f57d5f1a48a44f5109ac2fe1c9122

SHA1
4b93d51155b80795f63d1d24d5a2ce4770a8544d

SHA256
a525d614cc62f4ea70357266e162320cbbd5f0b89c4c94790b05fcdcae0c5b6d

SHA512
66c59e6ce7674a8d42decc87b9902d128aa4f81f16014b2333417441168a280585a51a5a73e7e967cbde8bf95d8cfe2e03ed42ad7217887d3861ecd710fc4cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_2187226457_0409203032816_4.sft

MD5
a22ce5b8ea9cb232a95fd34bbbbda979

SHA1
524b47521fc34622ae5a2b5f79589d3aa4eac16b

SHA256
9243cfbc32b1d8e30c2f47d7cacf492cbc92146fc1334cb2247622308faf9a4c

SHA512
7953eaf71816d80bd77619fee8d5f44d25dd5055db2b30ef62f5017238a85f1d72666f54a6d46b1c89c77a3eb57d4d3e147cde22bedf932bfa8993b6a3829d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_2187226457_0409203032816_5.sft

MD5
3a956d13d8c65193e60eda8a22483303

SHA1
cfd9de6328bc44a246f325088bac9bae9076a6f6

SHA256
cb55efb989390ea8ef6607aa0f4622e8c681d8519859594660a276d6a928647c

SHA512
22268c0d61a849b0ac8d65581760355af529bc80da52347017b7bef53cba6875165eb6fe7daa34f683ef5107d2f0275c66b2ed07259cf10acfeec5be5fca764d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5
0f609dd490b21c85e9c8d1db8995e791

SHA1
30d448d7457818e4404b3b5e2079efa3d8d60bc3

SHA256
dfd0f4b821438d8a9277728e42ab58bdc2667aa7173892ffd6ede75a5d5645f5

SHA512
9f5951dc5c3b20c3faebb3bd0f8ad5c9ad1eba5dda2e45309d25600b5a8eaab90490fb06057e3c92b4ba89af8a61ae103840db3b23a5bc30b37c32d41487f79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5
f050cfe9ded513f1b8e9a4846a0fa3a7

SHA1
64cb47c16c5636bdc5046107480aa3c7c97a2bf3

SHA256
d9402b75daf385ed652cc1d8c3bf7f3ea306fbc16996dead5a8741eff4f54b2f

SHA512
41d3b428696c41ac7dcefbd4fe7dbdb21977597fe906fff2e98ffa5a5bf32096bdad8b535aa0af961482d41a6ce843b4354fc7e5a0baf127f96806f2d53efb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5
f050cfe9ded513f1b8e9a4846a0fa3a7

SHA1
64cb47c16c5636bdc5046107480aa3c7c97a2bf3

SHA256
d9402b75daf385ed652cc1d8c3bf7f3ea306fbc16996dead5a8741eff4f54b2f

SHA512
41d3b428696c41ac7dcefbd4fe7dbdb21977597fe906fff2e98ffa5a5bf32096bdad8b535aa0af961482d41a6ce843b4354fc7e5a0baf127f96806f2d53efb49

Download Submit
\Users\Admin\AppData\Local\Temp\fnmsetup.exe

MD5
65689075a82a08bb797bb9a5cc2932c9

SHA1
a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2

SHA256
803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab

SHA512
20a1ac3df849e09fe361d0de8c04f9d8598457e95427a30df9ab74316c2644aa30f782b88b171ffadd7be4b6fc85970ec539d003aa1244434be6a12bbb9b6ee6

Download Submit
\Users\Admin\AppData\Local\Temp\is-19TQ1.tmp\_isetup\_shfoldr.dll

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-19TQ1.tmp\_isetup\_shfoldr.dll

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NQ0VJ.tmp\fnmsetup.tmp

MD5
8f144bcbcad0417e7823dd8e60218530

SHA1
9df092a764b8ad278ed574f00d1c065683eef6ac

SHA256
39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0

SHA512
e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

Download Submit
\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5
0f609dd490b21c85e9c8d1db8995e791

SHA1
30d448d7457818e4404b3b5e2079efa3d8d60bc3

SHA256
dfd0f4b821438d8a9277728e42ab58bdc2667aa7173892ffd6ede75a5d5645f5

SHA512
9f5951dc5c3b20c3faebb3bd0f8ad5c9ad1eba5dda2e45309d25600b5a8eaab90490fb06057e3c92b4ba89af8a61ae103840db3b23a5bc30b37c32d41487f79e

Download Submit
\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5
0f609dd490b21c85e9c8d1db8995e791

SHA1
30d448d7457818e4404b3b5e2079efa3d8d60bc3

SHA256
dfd0f4b821438d8a9277728e42ab58bdc2667aa7173892ffd6ede75a5d5645f5

SHA512
9f5951dc5c3b20c3faebb3bd0f8ad5c9ad1eba5dda2e45309d25600b5a8eaab90490fb06057e3c92b4ba89af8a61ae103840db3b23a5bc30b37c32d41487f79e

Download Submit
\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5
f050cfe9ded513f1b8e9a4846a0fa3a7

SHA1
64cb47c16c5636bdc5046107480aa3c7c97a2bf3

SHA256
d9402b75daf385ed652cc1d8c3bf7f3ea306fbc16996dead5a8741eff4f54b2f

SHA512
41d3b428696c41ac7dcefbd4fe7dbdb21977597fe906fff2e98ffa5a5bf32096bdad8b535aa0af961482d41a6ce843b4354fc7e5a0baf127f96806f2d53efb49

Download Submit
memory/884-65-0x0000000000000000-mapping.dmp

Download
memory/1228-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1228-66-0x0000000075DE1000-0x0000000075DE3000-memory.dmp

Filesize
8KB

Download
memory/1228-61-0x0000000000000000-mapping.dmp

Download
memory/1952-72-0x0000000000000000-mapping.dmp

Download
memory/1964-75-0x0000000000000000-mapping.dmp

Download
memory/1964-81-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download