strongpity | 4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847

Analysis

max time kernel
143s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
09-04-2021 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
Size

4.8MB
MD5

cd808dc04c0f37c12e86183d4ef05b62
SHA1

da9a80127e455854c5b7d4eaec8f7f48b22e3e3d
SHA256

4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847
SHA512

4d9fd6ce526ff3e0d0614fc8e13e6d314b95501e240dd7a479106b646c559171f614a7ed4d44a4b71f8f1c02fc07f01e5f51a7d5f977a8fc6cdc86643b8644e9

Score

10^/10

strongpity persistence spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe	family_strongpity
C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe	family_strongpity

Executes dropped EXE 4 IoCs

Processes:

fnmsetup.exenvwmisrv.exewinmsism.exefnmsetup.tmp

pid process

4892 fnmsetup.exe
4908 nvwmisrv.exe
5044 winmsism.exe
5088 fnmsetup.tmp

pid	process
4892	fnmsetup.exe
4908	nvwmisrv.exe
5044	winmsism.exe
5088	fnmsetup.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\CUpdateTask = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe"	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exenvwmisrv.exefnmsetup.exe

description	pid	process	target process
PID 4696 wrote to memory of 4892	4696	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	fnmsetup.exe
PID 4696 wrote to memory of 4892	4696	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	fnmsetup.exe
PID 4696 wrote to memory of 4892	4696	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	fnmsetup.exe
PID 4696 wrote to memory of 4908	4696	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	nvwmisrv.exe
PID 4696 wrote to memory of 4908	4696	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	nvwmisrv.exe
PID 4696 wrote to memory of 4908	4696	4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe	nvwmisrv.exe
PID 4908 wrote to memory of 5044	4908	nvwmisrv.exe	winmsism.exe
PID 4908 wrote to memory of 5044	4908	nvwmisrv.exe	winmsism.exe
PID 4908 wrote to memory of 5044	4908	nvwmisrv.exe	winmsism.exe
PID 4892 wrote to memory of 5088	4892	fnmsetup.exe	fnmsetup.tmp
PID 4892 wrote to memory of 5088	4892	fnmsetup.exe	fnmsetup.tmp
PID 4892 wrote to memory of 5088	4892	fnmsetup.exe	fnmsetup.tmp

C:\Users\Admin\AppData\Local\Temp\4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe
"C:\Users\Admin\AppData\Local\Temp\4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4696

C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
"C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Local\Temp\is-0P9HP.tmp\fnmsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0P9HP.tmp\fnmsetup.tmp" /SL5="$501CC,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
3⤵
- Executes dropped EXE
PID:5088

C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
"C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
"C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
3⤵
- Executes dropped EXE
PID:5044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe

MD5
65689075a82a08bb797bb9a5cc2932c9

SHA1
a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2

SHA256
803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab

SHA512
20a1ac3df849e09fe361d0de8c04f9d8598457e95427a30df9ab74316c2644aa30f782b88b171ffadd7be4b6fc85970ec539d003aa1244434be6a12bbb9b6ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe

MD5
65689075a82a08bb797bb9a5cc2932c9

SHA1
a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2

SHA256
803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab

SHA512
20a1ac3df849e09fe361d0de8c04f9d8598457e95427a30df9ab74316c2644aa30f782b88b171ffadd7be4b6fc85970ec539d003aa1244434be6a12bbb9b6ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0P9HP.tmp\fnmsetup.tmp

MD5
8f144bcbcad0417e7823dd8e60218530

SHA1
9df092a764b8ad278ed574f00d1c065683eef6ac

SHA256
39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0

SHA512
e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0P9HP.tmp\fnmsetup.tmp

MD5
8f144bcbcad0417e7823dd8e60218530

SHA1
9df092a764b8ad278ed574f00d1c065683eef6ac

SHA256
39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0

SHA512
e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_2985839553_0409203032425_0.sft

MD5
9d7d0d98bf01e990a1d8e314df7720c6

SHA1
cd01ebeb6313bf25f76526a64a781b1b36b8bb2c

SHA256
8a9864c03bcb601f912fed943c410580ca64ca5039da58bc00af399588044678

SHA512
7077fd963f1660900613f44025ddedc5c5f3c584a82dabce65f73e3e3bd47d919847a425c2a1933077dd662a85dda331d47c3f9168c28ba848904e2735d39c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_2985839553_0409203032425_1.sft

MD5
910bada8b67c5904c58f8aa44f1791ba

SHA1
6aa035be811f96e689e3629bcd4ce58dde50802c

SHA256
1f80eddf6b6cc12b6c347d34c4a9daaf74bef917f0152d0e3ebf24392b107278

SHA512
1f16a6e8be4abefb8e9e41b12f6c2752bdb025e0e59a48bc9d0a30f99ad28911d76eaf5770ebcaf79e53f4157671fdaa875cf8eb040d52bc0c196ca233ab2ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_2985839553_0409203032425_2.sft

MD5
2eaf66f44000e8c9ddfe6c0352cc879a

SHA1
5b28ca5525182355b029ad0e04ab06f206c8ebd2

SHA256
edcbf96f79e308bff3434a38e5fad10480a53c80402d9e00e386bd0c73251691

SHA512
06fa98ceef30123c0a89e25dd0e0f7d1acb1640089b6e60e6da6e435430bef23f0adc59308f720afe96112bb0377d7d348e60c7bd3484383a01f58fb6fb6a9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_2985839553_0409203032480_0.sft

MD5
4c0faeb57ff82570ccdd1b2a1a761f45

SHA1
9bf537d427c4afb3270e8520d9295c33c616016f

SHA256
d6164771258a96853218769f0fcffad790b3962f570c4c9d139b9a7220d9fc67

SHA512
53583131c051a5ffeb277f5e6ed711cc450a7b8837e9d38570dc40915088e31d3086d4d4ef6931a22446c9e9962ddc86a65128fd579b8986c079c88b77791472

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_2985839553_0409203032480_1.sft

MD5
2f9d9179e2f7d0a47c21dd1dd87576d2

SHA1
a183e882d363b29549599976ebe2d333eff55cc1

SHA256
e68ed0e1c57f0c95b79a04304e9dbc2231bc7c10d2eb619c5dff91ed25e54f59

SHA512
5002597bbe023776e9108f1500e5bf352efb2bfabca06a1eabf98073d0783b1804f743561991858773bc41ddfa77360cb666fe1dd12cb7afa4b8c7536122ff50

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_2985839553_0409203032480_2.sft

MD5
2903551b81d7f9d212c8e68133e1a1cb

SHA1
e90af48fbb774038b7ce07c4bb4bfd1ed67cb896

SHA256
b567aa3f21fa95a7e0455aaa5e637a243495afbfe04eece507e5551abb559c25

SHA512
047cd2c2c31843c2b0183d21adc95f40fff8cda6805692bcde147072f56c3685036b9aeee7d5963aad9e932f63f95cef387ffe50d8b882cef3e971e483f8c5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5
0f609dd490b21c85e9c8d1db8995e791

SHA1
30d448d7457818e4404b3b5e2079efa3d8d60bc3

SHA256
dfd0f4b821438d8a9277728e42ab58bdc2667aa7173892ffd6ede75a5d5645f5

SHA512
9f5951dc5c3b20c3faebb3bd0f8ad5c9ad1eba5dda2e45309d25600b5a8eaab90490fb06057e3c92b4ba89af8a61ae103840db3b23a5bc30b37c32d41487f79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5
0f609dd490b21c85e9c8d1db8995e791

SHA1
30d448d7457818e4404b3b5e2079efa3d8d60bc3

SHA256
dfd0f4b821438d8a9277728e42ab58bdc2667aa7173892ffd6ede75a5d5645f5

SHA512
9f5951dc5c3b20c3faebb3bd0f8ad5c9ad1eba5dda2e45309d25600b5a8eaab90490fb06057e3c92b4ba89af8a61ae103840db3b23a5bc30b37c32d41487f79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5
f050cfe9ded513f1b8e9a4846a0fa3a7

SHA1
64cb47c16c5636bdc5046107480aa3c7c97a2bf3

SHA256
d9402b75daf385ed652cc1d8c3bf7f3ea306fbc16996dead5a8741eff4f54b2f

SHA512
41d3b428696c41ac7dcefbd4fe7dbdb21977597fe906fff2e98ffa5a5bf32096bdad8b535aa0af961482d41a6ce843b4354fc7e5a0baf127f96806f2d53efb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5
f050cfe9ded513f1b8e9a4846a0fa3a7

SHA1
64cb47c16c5636bdc5046107480aa3c7c97a2bf3

SHA256
d9402b75daf385ed652cc1d8c3bf7f3ea306fbc16996dead5a8741eff4f54b2f

SHA512
41d3b428696c41ac7dcefbd4fe7dbdb21977597fe906fff2e98ffa5a5bf32096bdad8b535aa0af961482d41a6ce843b4354fc7e5a0baf127f96806f2d53efb49

Download Submit
memory/4892-121-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4892-114-0x0000000000000000-mapping.dmp

Download
memory/4908-115-0x0000000000000000-mapping.dmp

Download
memory/5044-120-0x0000000000000000-mapping.dmp

Download
memory/5088-125-0x0000000000000000-mapping.dmp

Download
memory/5088-128-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download