Analysis
-
max time kernel
1200s -
max time network
1203s -
platform
windows7_x64 -
resource
win7-ja-20211014 -
submitted
11-11-2021 17:10
General
-
Target
78556a2fc01c40f64f11c76ef26ec3ff.exe
-
Size
4.9MB
-
MD5
78556a2fc01c40f64f11c76ef26ec3ff
-
SHA1
b66a7117d0e22dc0421337e20612ea08f1b2c9e3
-
SHA256
7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c
-
SHA512
c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3
Malware Config
Signatures
-
StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
-
StrongPity Spyware 3 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 42 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\winpickr.exeC:\Windows\system32\\winpickr.exe update2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\winpickr.exeC:\Windows\SysWOW64\winpickr.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\taskeng.exetaskeng.exe {E12A60D0-EB12-4F2E-B5A2-353D9C930E45} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {E44A379A-561B-4522-827A-A10FC1F97283} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\WindowsData\ntuis32.exeMD5
6b0279da0e09514269437f0c7bda9c69
SHA1edf15ad1973450b00762037877974394d27130b9
SHA256ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95
SHA5125556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787
-
C:\ProgramData\Microsoft\WindowsData\ntuis32.exeMD5
6b0279da0e09514269437f0c7bda9c69
SHA1edf15ad1973450b00762037877974394d27130b9
SHA256ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95
SHA5125556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787
-
C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exeMD5
0392a100a1e09ae747e45382deceef4d
SHA1053d176f7d6f5af15291805338b59d3891ba58dc
SHA25618107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622
SHA512ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905
-
C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exeMD5
0392a100a1e09ae747e45382deceef4d
SHA1053d176f7d6f5af15291805338b59d3891ba58dc
SHA25618107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622
SHA512ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905
-
C:\Windows\SysWOW64\winpickr.exeMD5
c66279129816fd2986495f5fcfec8625
SHA144bd7a588f94595b09f41553905dfc0f4e2b564e
SHA2561380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6
SHA5123dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04
-
C:\Windows\SysWOW64\winpickr.exeMD5
c66279129816fd2986495f5fcfec8625
SHA144bd7a588f94595b09f41553905dfc0f4e2b564e
SHA2561380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6
SHA5123dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04
-
\ProgramData\Microsoft\WindowsData\ntuis32.exeMD5
6b0279da0e09514269437f0c7bda9c69
SHA1edf15ad1973450b00762037877974394d27130b9
SHA256ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95
SHA5125556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787
-
\ProgramData\Microsoft\WindowsData\ntuis32.exeMD5
6b0279da0e09514269437f0c7bda9c69
SHA1edf15ad1973450b00762037877974394d27130b9
SHA256ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95
SHA5125556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787
-
\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exeMD5
0392a100a1e09ae747e45382deceef4d
SHA1053d176f7d6f5af15291805338b59d3891ba58dc
SHA25618107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622
SHA512ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905
-
\Users\Admin\AppData\Local\Temp\nsy6856.tmp\InstallOptions.dllMD5
05bf02da51e717f79f6b5cbea7bc0710
SHA107471a64ef4dba9dc19ce68ae6cce683af7df86d
SHA256ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5
SHA512c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6
-
\Users\Admin\AppData\Local\Temp\nsy6856.tmp\InstallOptions.dllMD5
05bf02da51e717f79f6b5cbea7bc0710
SHA107471a64ef4dba9dc19ce68ae6cce683af7df86d
SHA256ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5
SHA512c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6
-
\Users\Admin\AppData\Local\Temp\nsy6856.tmp\LangDLL.dllMD5
ab1db56369412fe8476fefffd11e4cc0
SHA1daad036a83b2ee2fa86d840a34a341100552e723
SHA2566f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b
SHA5128d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d
-
\Users\Admin\AppData\Local\Temp\nsy6856.tmp\System.dllMD5
0d7ad4f45dc6f5aa87f606d0331c6901
SHA148df0911f0484cbe2a8cdd5362140b63c41ee457
SHA2563eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
\Windows\SysWOW64\winpickr.exeMD5
c66279129816fd2986495f5fcfec8625
SHA144bd7a588f94595b09f41553905dfc0f4e2b564e
SHA2561380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6
SHA5123dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04
-
memory/1172-61-0x0000000000000000-mapping.dmp
-
memory/1192-74-0x0000000000000000-mapping.dmp
-
memory/1608-55-0x0000000074931000-0x0000000074933000-memory.dmpFilesize
8KB
-
memory/1728-76-0x0000000000000000-mapping.dmp
-
memory/1732-57-0x0000000000000000-mapping.dmp