Overview

overview

10

Static

static

0e4651625a...98.exe

windows7_x64

10

0e4651625a...98.exe

windows11_x64

10

0e4651625a...98.exe

windows10_x64

10

Resubmissions

21-08-2021 07:25

210821-sc6xvh6ksa 10

14-03-2021 12:03

210314-cpwwfsf7da 10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    21-08-2021 07:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e4651625abda88df56952b7e97d7fb64a3e1ea97bfe01e931d47381c0952e98.exe

  • Size

    2.4MB

  • MD5

    6d0fd5f76fbe861695b140828aac6443

  • SHA1

    71b54d8219ab3a44ac434c41495c8d0db62a7d3f

  • SHA256

    0e4651625abda88df56952b7e97d7fb64a3e1ea97bfe01e931d47381c0952e98

  • SHA512

    e85fc4cbb64b4abdb1d76322e66ee7a007e8fc13f3dc9bd6d485aa36be345fda2494e44c665768388e3fe5c6aaeafc4d0926a62d69c13a2d06409182711527a6

Score
10/10
strongpitypersistencespywarestealer

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

    stealerspywarestrongpity
  • StrongPity Spyware 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e4651625abda88df56952b7e97d7fb64a3e1ea97bfe01e931d47381c0952e98.exe
    "C:\Users\Admin\AppData\Local\Temp\0e4651625abda88df56952b7e97d7fb64a3e1ea97bfe01e931d47381c0952e98.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Users\Admin\AppData\Local\Temp\is-ATGTK.tmp\fnmsetup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-ATGTK.tmp\fnmsetup.tmp" /SL5="$70038,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
        3⤵
        • Executes dropped EXE
        PID:4960
    • C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
      "C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4508
      • C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
        "C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
        3⤵
        • Executes dropped EXE
        PID:4984
  • C:\Windows\System32\sihclient.exe
    C:\Windows\System32\sihclient.exe /cv AQ4ciwWch0+5spMnjZvMow.0.2
    1⤵
    • Modifies data under HKEY_USERS
    PID:3056
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:4588
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
    1⤵
      PID:5100

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
      MD5

      65689075a82a08bb797bb9a5cc2932c9

      SHA1

      a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2

      SHA256

      803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab

      SHA512

      20a1ac3df849e09fe361d0de8c04f9d8598457e95427a30df9ab74316c2644aa30f782b88b171ffadd7be4b6fc85970ec539d003aa1244434be6a12bbb9b6ee6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
      MD5

      65689075a82a08bb797bb9a5cc2932c9

      SHA1

      a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2

      SHA256

      803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab

      SHA512

      20a1ac3df849e09fe361d0de8c04f9d8598457e95427a30df9ab74316c2644aa30f782b88b171ffadd7be4b6fc85970ec539d003aa1244434be6a12bbb9b6ee6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\is-ATGTK.tmp\fnmsetup.tmp
      MD5

      8f144bcbcad0417e7823dd8e60218530

      SHA1

      9df092a764b8ad278ed574f00d1c065683eef6ac

      SHA256

      39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0

      SHA512

      e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\is-ATGTK.tmp\fnmsetup.tmp
      MD5

      8f144bcbcad0417e7823dd8e60218530

      SHA1

      9df092a764b8ad278ed574f00d1c065683eef6ac

      SHA256

      39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0

      SHA512

      e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1162761325_0821072528360_0.sft
      MD5

      388cc264ef91a905510d6c996983f0e6

      SHA1

      80c8f2a27e6f27cfdba00b372c28f34327992bdc

      SHA256

      eb293da5b11589713e023decfbe15fd6cdb1c6d802ac62cd1f8b1464cd24b352

      SHA512

      8677ac50026a94d0c323cf3d10c0388512b6feff0065b5343a328b71856ead43a4462ab41384466b24fd2869eb3d1b56354f88e541d4c98f35645cd3cccdf46c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1162761325_0821072528391_0.sft
      MD5

      f7ebb13afe40fbde41afab5bef509549

      SHA1

      daa735b33a733d41d46e57dffec825bd6add7c0d

      SHA256

      5106d80659087dcba4701bedb34845cf9c257e732aa6d76776d99fdf37fb2c8c

      SHA512

      503f33236f585172ad304f1bcb78acdecc82db86d2e95daa8f832396463d616db007b1992d13c019375697aa2ecaf38637df2de281d84a2fcdb8a0ca9d4555a0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1162761325_0821072528407_0.sft
      MD5

      9efa863b1b4ac83046aa725010e59681

      SHA1

      7447531e65b896eefd550a4ec351bf0e3eaf866e

      SHA256

      0c46d7c43b519e9b96971bcf86eac7a13b3e8785ae7ae92e7607c01ecd6b741e

      SHA512

      9b9ddeb27a1f25afb8183516dc92cd74678a6271121e8861e04fd1941872eb0612f3c4afdf2cdb3c711339a1449922d6e6efd353436784d851519ec3f4b0acca

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1162761325_0821072528423_0.sft
      MD5

      7ebc2cf82d7c7e702be7e7e6da5721b3

      SHA1

      ab87604a19ceecc3e9b5fd8436005af526d6e586

      SHA256

      81a445b4842da52811c51f9596a07046fcb466379c41a69218548e787468fb7b

      SHA512

      de7e09d2b2ace4a889e8b76681354e381b225cc3b2c27aca58a05e853f78a134bcabff4907e489e9c45eee33fd49085103d5e2a4ec5a47e2b572f81af51f9679

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1162761325_0821072528438_0.sft
      MD5

      1a3e6d95014d7cf0a676a2a68ce0e62a

      SHA1

      e4833d543d400956a648c0a86f6a8eb6563fe417

      SHA256

      73231d923dabadf72ef3437d54d1d09cd32b4a056793cf1f87fe938c389ef86b

      SHA512

      c917a7e63d50dd66561ed9c756a3005c92601db1f8fc3b760d51a90dac2dafaeffde0701eaff7309a7ee3a091f05d77b7763742e0948a54026ddc5b2998df373

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
      MD5

      0f609dd490b21c85e9c8d1db8995e791

      SHA1

      30d448d7457818e4404b3b5e2079efa3d8d60bc3

      SHA256

      dfd0f4b821438d8a9277728e42ab58bdc2667aa7173892ffd6ede75a5d5645f5

      SHA512

      9f5951dc5c3b20c3faebb3bd0f8ad5c9ad1eba5dda2e45309d25600b5a8eaab90490fb06057e3c92b4ba89af8a61ae103840db3b23a5bc30b37c32d41487f79e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
      MD5

      0f609dd490b21c85e9c8d1db8995e791

      SHA1

      30d448d7457818e4404b3b5e2079efa3d8d60bc3

      SHA256

      dfd0f4b821438d8a9277728e42ab58bdc2667aa7173892ffd6ede75a5d5645f5

      SHA512

      9f5951dc5c3b20c3faebb3bd0f8ad5c9ad1eba5dda2e45309d25600b5a8eaab90490fb06057e3c92b4ba89af8a61ae103840db3b23a5bc30b37c32d41487f79e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
      MD5

      f050cfe9ded513f1b8e9a4846a0fa3a7

      SHA1

      64cb47c16c5636bdc5046107480aa3c7c97a2bf3

      SHA256

      d9402b75daf385ed652cc1d8c3bf7f3ea306fbc16996dead5a8741eff4f54b2f

      SHA512

      41d3b428696c41ac7dcefbd4fe7dbdb21977597fe906fff2e98ffa5a5bf32096bdad8b535aa0af961482d41a6ce843b4354fc7e5a0baf127f96806f2d53efb49

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
      MD5

      f050cfe9ded513f1b8e9a4846a0fa3a7

      SHA1

      64cb47c16c5636bdc5046107480aa3c7c97a2bf3

      SHA256

      d9402b75daf385ed652cc1d8c3bf7f3ea306fbc16996dead5a8741eff4f54b2f

      SHA512

      41d3b428696c41ac7dcefbd4fe7dbdb21977597fe906fff2e98ffa5a5bf32096bdad8b535aa0af961482d41a6ce843b4354fc7e5a0baf127f96806f2d53efb49

      Download Submit
    • memory/4508-149-0x0000000000000000-mapping.dmp
      Download
    • memory/4516-159-0x0000000000400000-0x0000000000414000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4516-146-0x0000000000000000-mapping.dmp
      Download
    • memory/4588-166-0x000001F669B60000-0x000001F669B70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4588-167-0x000001F669BE0000-0x000001F669BF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4588-168-0x000001F669FD0000-0x000001F669FD4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/4960-160-0x0000000002320000-0x0000000002321000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4960-156-0x0000000000000000-mapping.dmp
      Download
    • memory/4984-152-0x0000000000000000-mapping.dmp
      Download