Analysis

  • max time kernel
    1200s
  • max time network
    1200s
  • platform
    windows7_x64
  • resource
    win7-de-20211104
  • submitted
    11-11-2021 17:10

General

  • Target

    78556a2fc01c40f64f11c76ef26ec3ff.exe

  • Size

    4.9MB

  • MD5

    78556a2fc01c40f64f11c76ef26ec3ff

  • SHA1

    b66a7117d0e22dc0421337e20612ea08f1b2c9e3

  • SHA256

    7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c

  • SHA512

    c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

  • StrongPity Spyware 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe
    "C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1716
    • C:\Windows\SysWOW64\winpickr.exe
      C:\Windows\system32\\winpickr.exe update
      2⤵
      • Executes dropped EXE
      PID:884
  • C:\Windows\SysWOW64\winpickr.exe
    C:\Windows\SysWOW64\winpickr.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
      "C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"
      2⤵
      • Executes dropped EXE
      PID:432
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {6EB47578-4D0A-4718-A118-6B0DBCF0F378} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
      PID:1536
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {A22B9DB5-2529-4F2C-A02A-EF67BDD9081F} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Program Files\Mozilla Firefox\default-browser-agent.exe
        "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
        2⤵
          PID:1408
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {EC87D3BF-009E-4D21-A958-282D828332BD} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Program Files\Mozilla Firefox\default-browser-agent.exe
          "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
          2⤵
            PID:1636

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\WindowsData\ntuis32.exe

          MD5

          6b0279da0e09514269437f0c7bda9c69

          SHA1

          edf15ad1973450b00762037877974394d27130b9

          SHA256

          ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

          SHA512

          5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

        • C:\ProgramData\Microsoft\WindowsData\ntuis32.exe

          MD5

          6b0279da0e09514269437f0c7bda9c69

          SHA1

          edf15ad1973450b00762037877974394d27130b9

          SHA256

          ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

          SHA512

          5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

        • C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe

          MD5

          0392a100a1e09ae747e45382deceef4d

          SHA1

          053d176f7d6f5af15291805338b59d3891ba58dc

          SHA256

          18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622

          SHA512

          ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905

        • C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe

          MD5

          0392a100a1e09ae747e45382deceef4d

          SHA1

          053d176f7d6f5af15291805338b59d3891ba58dc

          SHA256

          18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622

          SHA512

          ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905

        • C:\Windows\SysWOW64\winpickr.exe

          MD5

          c66279129816fd2986495f5fcfec8625

          SHA1

          44bd7a588f94595b09f41553905dfc0f4e2b564e

          SHA256

          1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

          SHA512

          3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

        • C:\Windows\SysWOW64\winpickr.exe

          MD5

          c66279129816fd2986495f5fcfec8625

          SHA1

          44bd7a588f94595b09f41553905dfc0f4e2b564e

          SHA256

          1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

          SHA512

          3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

        • \ProgramData\Microsoft\WindowsData\ntuis32.exe

          MD5

          6b0279da0e09514269437f0c7bda9c69

          SHA1

          edf15ad1973450b00762037877974394d27130b9

          SHA256

          ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

          SHA512

          5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

        • \ProgramData\Microsoft\WindowsData\ntuis32.exe

          MD5

          6b0279da0e09514269437f0c7bda9c69

          SHA1

          edf15ad1973450b00762037877974394d27130b9

          SHA256

          ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

          SHA512

          5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

        • \Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe

          MD5

          0392a100a1e09ae747e45382deceef4d

          SHA1

          053d176f7d6f5af15291805338b59d3891ba58dc

          SHA256

          18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622

          SHA512

          ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905

        • \Users\Admin\AppData\Local\Temp\nstCEA7.tmp\InstallOptions.dll

          MD5

          05bf02da51e717f79f6b5cbea7bc0710

          SHA1

          07471a64ef4dba9dc19ce68ae6cce683af7df86d

          SHA256

          ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

          SHA512

          c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

        • \Users\Admin\AppData\Local\Temp\nstCEA7.tmp\InstallOptions.dll

          MD5

          05bf02da51e717f79f6b5cbea7bc0710

          SHA1

          07471a64ef4dba9dc19ce68ae6cce683af7df86d

          SHA256

          ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

          SHA512

          c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

        • \Users\Admin\AppData\Local\Temp\nstCEA7.tmp\LangDLL.dll

          MD5

          ab1db56369412fe8476fefffd11e4cc0

          SHA1

          daad036a83b2ee2fa86d840a34a341100552e723

          SHA256

          6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

          SHA512

          8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d

        • \Users\Admin\AppData\Local\Temp\nstCEA7.tmp\System.dll

          MD5

          0d7ad4f45dc6f5aa87f606d0331c6901

          SHA1

          48df0911f0484cbe2a8cdd5362140b63c41ee457

          SHA256

          3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

          SHA512

          c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

        • \Windows\SysWOW64\winpickr.exe

          MD5

          c66279129816fd2986495f5fcfec8625

          SHA1

          44bd7a588f94595b09f41553905dfc0f4e2b564e

          SHA256

          1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

          SHA512

          3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

        • memory/432-74-0x0000000000000000-mapping.dmp

        • memory/884-61-0x0000000000000000-mapping.dmp

        • memory/1184-55-0x00000000754B1000-0x00000000754B3000-memory.dmp

          Filesize

          8KB

        • memory/1408-76-0x0000000000000000-mapping.dmp

        • memory/1636-77-0x0000000000000000-mapping.dmp

        • memory/1716-57-0x0000000000000000-mapping.dmp