Analysis
- max time kernel: 1202s
- max time network: 1202s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 11/11/2021, 17:10
Static task: static1

Behavioral task: behavioral1
- Sample: 78556a2fc01c40f64f11c76ef26ec3ff.exe
- Resource: win7-ja-20211014

Behavioral task: behavioral2
- Sample: 78556a2fc01c40f64f11c76ef26ec3ff.exe
- Resource: win7-en-20211104

Behavioral task: behavioral3
- Sample: 78556a2fc01c40f64f11c76ef26ec3ff.exe
- Resource: win7-de-20211104

Behavioral task: behavioral4
- Sample: 78556a2fc01c40f64f11c76ef26ec3ff.exe
- Resource: win11

Behavioral task: behavioral5
- Sample: 78556a2fc01c40f64f11c76ef26ec3ff.exe
- Resource: win10-ja-20211014

Behavioral task: behavioral6
- Sample: 78556a2fc01c40f64f11c76ef26ec3ff.exe
- Resource: win10-en-20211014

Behavioral task: behavioral7
- Sample: 78556a2fc01c40f64f11c76ef26ec3ff.exe
- Resource: win10-de-20211104
General
- Target: 78556a2fc01c40f64f11c76ef26ec3ff.exe
- Size: 4.9MB
- MD5: 78556a2fc01c40f64f11c76ef26ec3ff
- SHA1: b66a7117d0e22dc0421337e20612ea08f1b2c9e3
- SHA256: 7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c
- SHA512: c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3
Malware Config
Signatures
- StrongPity
  StrongPity is spyware developed by the PROMETHIUM APT group, used mainly in government-sponsored attacks.
- StrongPity Spyware (3 IoCs)
  resource: behavioral2/files/0x000600000001221e-59.dat  yara_rule: family_strongpity
  resource: behavioral2/files/0x000600000001221e-62.dat  yara_rule: family_strongpity
  resource: behavioral2/files/0x000600000001221e-66.dat  yara_rule: family_strongpity
- Executes dropped EXE (4 IoCs)
  pid 1488  Process npp.8.1.7.Installer.x64.exe
  pid 1476  Process winpickr.exe
  pid 1432  Process winpickr.exe
  pid 744   Process ntuis32.exe
- Loads dropped DLL (8 IoCs)
  pid 852   Process 78556a2fc01c40f64f11c76ef26ec3ff.exe
  pid 852   Process 78556a2fc01c40f64f11c76ef26ec3ff.exe
  pid 1488  Process npp.8.1.7.Installer.x64.exe
  pid 1488  Process npp.8.1.7.Installer.x64.exe
  pid 1488  Process npp.8.1.7.Installer.x64.exe
  pid 1488  Process npp.8.1.7.Installer.x64.exe
  pid 1432  Process winpickr.exe
  pid 1432  Process winpickr.exe
- Drops file in System32 directory (1 IoC)
  description: File created  ioc: C:\Windows\SysWOW64\winpickr.exe  Process: 78556a2fc01c40f64f11c76ef26ec3ff.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (42 IoCs)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1432  Process winpickr.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1488  Process npp.8.1.7.Installer.x64.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                         pid   Process                               procid_target
  PID 852 wrote to memory of 1488     852   78556a2fc01c40f64f11c76ef26ec3ff.exe  28
  PID 852 wrote to memory of 1488     852   78556a2fc01c40f64f11c76ef26ec3ff.exe  28
  PID 852 wrote to memory of 1488     852   78556a2fc01c40f64f11c76ef26ec3ff.exe  28
  PID 852 wrote to memory of 1488     852   78556a2fc01c40f64f11c76ef26ec3ff.exe  28
  PID 852 wrote to memory of 1488     852   78556a2fc01c40f64f11c76ef26ec3ff.exe  28
  PID 852 wrote to memory of 1488     852   78556a2fc01c40f64f11c76ef26ec3ff.exe  28
  PID 852 wrote to memory of 1488     852   78556a2fc01c40f64f11c76ef26ec3ff.exe  28
  PID 852 wrote to memory of 1476     852   78556a2fc01c40f64f11c76ef26ec3ff.exe  29
  PID 852 wrote to memory of 1476     852   78556a2fc01c40f64f11c76ef26ec3ff.exe  29
  PID 852 wrote to memory of 1476     852   78556a2fc01c40f64f11c76ef26ec3ff.exe  29
  PID 852 wrote to memory of 1476     852   78556a2fc01c40f64f11c76ef26ec3ff.exe  29
  PID 1432 wrote to memory of 744     1432  winpickr.exe                          32
  PID 1432 wrote to memory of 744     1432  winpickr.exe                          32
  PID 1432 wrote to memory of 744     1432  winpickr.exe                          32
  PID 1432 wrote to memory of 744     1432  winpickr.exe                          32
Processes
- C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"
  PID: 852
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"
    PID: 1488
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
  - C:\Windows\SysWOW64\winpickr.exe (level 2)
    Command line: C:\Windows\system32\\winpickr.exe update
    PID: 1476
    - Executes dropped EXE
- C:\Windows\SysWOW64\winpickr.exe (level 1)
  Command line: C:\Windows\SysWOW64\winpickr.exe
  PID: 1432
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Microsoft\WindowsData\ntuis32.exe (level 2)
    Command line: "C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"
    PID: 744
    - Executes dropped EXE