strongpity | 2de28557ea0e115aebade74c985b66ba8a711f519506209aea71f80d72e81f6d

Analysis

max time kernel
139s
max time network
147s
platform
windows10_x64
resource
win10v20210408
submitted
20/04/2021, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

strong/49888f78b5a0576937daeccd73baed86adb6b16a8b0e5ac519f475c73aec0549.exe
Size

8.0MB
MD5

bdc36abd3281828ed833db0f552a8ab7
SHA1

97505836182d8a9b7ce3a543def7a9417bdc5d52
SHA256

49888f78b5a0576937daeccd73baed86adb6b16a8b0e5ac519f475c73aec0549
SHA512

ff9406167669c033f45d4ca80d861370a2f84d31667a5b00b1cd84669606232be18caf6ac8598f1f23d398f3c6830ff98f31251c27a5b772e1f16dc693152e94

Score

10^/10

strongpity discovery persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 2 IoCs

resource	yara_rule
behavioral4/files/0x000100000001ab4a-123.dat	family_strongpity
behavioral4/files/0x000100000001ab4a-124.dat	family_strongpity

Executes dropped EXE 4 IoCs

pid	Process
3900	winrar-x64-600.exe
4232	nvwmisrv.exe
4292	winmsism.exe
4416	uninstall.exe

Loads dropped DLL 1 IoCs

pid	Process
8	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	49888f78b5a0576937daeccd73baed86adb6b16a8b0e5ac519f475c73aec0549.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeyStoreUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe"	49888f78b5a0576937daeccd73baed86adb6b16a8b0e5ac519f475c73aec0549.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 48 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259416765	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-600.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-600.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-600.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r29	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r01	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r26	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r28\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r19	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r08\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r22\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r00\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r07\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r05	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3900	winrar-x64-600.exe
3900	winrar-x64-600.exe
4416	uninstall.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 3900	896	49888f78b5a0576937daeccd73baed86adb6b16a8b0e5ac519f475c73aec0549.exe	74
PID 896 wrote to memory of 3900	896	49888f78b5a0576937daeccd73baed86adb6b16a8b0e5ac519f475c73aec0549.exe	74
PID 896 wrote to memory of 4232	896	49888f78b5a0576937daeccd73baed86adb6b16a8b0e5ac519f475c73aec0549.exe	79
PID 896 wrote to memory of 4232	896	49888f78b5a0576937daeccd73baed86adb6b16a8b0e5ac519f475c73aec0549.exe	79
PID 896 wrote to memory of 4232	896	49888f78b5a0576937daeccd73baed86adb6b16a8b0e5ac519f475c73aec0549.exe	79
PID 4232 wrote to memory of 4292	4232	nvwmisrv.exe	81
PID 4232 wrote to memory of 4292	4232	nvwmisrv.exe	81
PID 4232 wrote to memory of 4292	4232	nvwmisrv.exe	81
PID 3900 wrote to memory of 4416	3900	winrar-x64-600.exe	82
PID 3900 wrote to memory of 4416	3900	winrar-x64-600.exe	82

C:\Users\Admin\AppData\Local\Temp\strong\49888f78b5a0576937daeccd73baed86adb6b16a8b0e5ac519f475c73aec0549.exe
"C:\Users\Admin\AppData\Local\Temp\strong\49888f78b5a0576937daeccd73baed86adb6b16a8b0e5ac519f475c73aec0549.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:896
- C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe
  "C:\Users\Admin\AppData\Local\Temp\winrar-x64-600.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Program Files\WinRAR\uninstall.exe
    "C:\Program Files\WinRAR\uninstall.exe" /setup
    3⤵
    - Modifies system executable filetype association
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4416
- C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
  "C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
    "C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
    3⤵
    - Executes dropped EXE
    PID:4292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4708

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:4748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads