strongpity | 7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c

Analysis

max time kernel
1200s
max time network
1203s
platform
windows7_x64
resource
win7-ja-20211014
submitted
11/11/2021, 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78556a2fc01c40f64f11c76ef26ec3ff.exe
Size

4.9MB
MD5

78556a2fc01c40f64f11c76ef26ec3ff
SHA1

b66a7117d0e22dc0421337e20612ea08f1b2c9e3
SHA256

7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c
SHA512

c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3

Score

10^/10

strongpity spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 3 IoCs

resource	yara_rule
behavioral1/files/0x0005000000012634-60.dat	family_strongpity
behavioral1/files/0x0005000000012634-62.dat	family_strongpity
behavioral1/files/0x0005000000012634-65.dat	family_strongpity

Executes dropped EXE 4 IoCs

pid	Process
1732	npp.8.1.7.Installer.x64.exe
1172	winpickr.exe
1048	winpickr.exe
1192	ntuis32.exe

Loads dropped DLL 8 IoCs

pid	Process
1608	78556a2fc01c40f64f11c76ef26ec3ff.exe
1608	78556a2fc01c40f64f11c76ef26ec3ff.exe
1732	npp.8.1.7.Installer.x64.exe
1732	npp.8.1.7.Installer.x64.exe
1732	npp.8.1.7.Installer.x64.exe
1732	npp.8.1.7.Installer.x64.exe
1048	winpickr.exe
1048	winpickr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winpickr.exe	78556a2fc01c40f64f11c76ef26ec3ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	winpickr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\LanguageList = 6a0061002d004a00500000006a006100000065006e002d0055005300000065006e0000000000	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	winpickr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1048	winpickr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1732	npp.8.1.7.Installer.x64.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1732	1608	78556a2fc01c40f64f11c76ef26ec3ff.exe	28
PID 1608 wrote to memory of 1732	1608	78556a2fc01c40f64f11c76ef26ec3ff.exe	28
PID 1608 wrote to memory of 1732	1608	78556a2fc01c40f64f11c76ef26ec3ff.exe	28
PID 1608 wrote to memory of 1732	1608	78556a2fc01c40f64f11c76ef26ec3ff.exe	28
PID 1608 wrote to memory of 1732	1608	78556a2fc01c40f64f11c76ef26ec3ff.exe	28
PID 1608 wrote to memory of 1732	1608	78556a2fc01c40f64f11c76ef26ec3ff.exe	28
PID 1608 wrote to memory of 1732	1608	78556a2fc01c40f64f11c76ef26ec3ff.exe	28
PID 1608 wrote to memory of 1172	1608	78556a2fc01c40f64f11c76ef26ec3ff.exe	29
PID 1608 wrote to memory of 1172	1608	78556a2fc01c40f64f11c76ef26ec3ff.exe	29
PID 1608 wrote to memory of 1172	1608	78556a2fc01c40f64f11c76ef26ec3ff.exe	29
PID 1608 wrote to memory of 1172	1608	78556a2fc01c40f64f11c76ef26ec3ff.exe	29
PID 1048 wrote to memory of 1192	1048	winpickr.exe	32
PID 1048 wrote to memory of 1192	1048	winpickr.exe	32
PID 1048 wrote to memory of 1192	1048	winpickr.exe	32
PID 1048 wrote to memory of 1192	1048	winpickr.exe	32
PID 916 wrote to memory of 1728	916	taskeng.exe	35
PID 916 wrote to memory of 1728	916	taskeng.exe	35
PID 916 wrote to memory of 1728	916	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe
"C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1732
- C:\Windows\SysWOW64\winpickr.exe
  C:\Windows\system32\\winpickr.exe update
  2⤵
  - Executes dropped EXE
  PID:1172

C:\Windows\SysWOW64\winpickr.exe
C:\Windows\SysWOW64\winpickr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048
- C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
  "C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"
  2⤵
  - Executes dropped EXE
  PID:1192

C:\Windows\system32\taskeng.exe
taskeng.exe {E12A60D0-EB12-4F2E-B5A2-353D9C930E45} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1932

C:\Windows\system32\taskeng.exe
taskeng.exe {E44A379A-561B-4522-827A-A10FC1F97283} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:916
- C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
  2⤵
  PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1608-55-0x0000000074931000-0x0000000074933000-memory.dmp

Filesize
8KB

Download