Analysis
-
max time kernel
1200s -
max time network
1200s -
platform
windows7_x64 -
resource
win7-de-20211104 -
submitted
11-11-2021 17:10
Static task
static1
Behavioral task
behavioral1
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win7-ja-20211014
Behavioral task
behavioral2
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win7-en-20211104
Behavioral task
behavioral3
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win7-de-20211104
Behavioral task
behavioral4
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win11
Behavioral task
behavioral5
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win10-ja-20211014
Behavioral task
behavioral6
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win10-en-20211014
Behavioral task
behavioral7
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win10-de-20211104
General
-
Target
78556a2fc01c40f64f11c76ef26ec3ff.exe
-
Size
4.9MB
-
MD5
78556a2fc01c40f64f11c76ef26ec3ff
-
SHA1
b66a7117d0e22dc0421337e20612ea08f1b2c9e3
-
SHA256
7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c
-
SHA512
c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3
Malware Config
Signatures
-
StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
-
StrongPity Spyware 3 IoCs
Processes:
resource yara_rule behavioral3/files/0x000600000001226f-60.dat family_strongpity behavioral3/files/0x000600000001226f-62.dat family_strongpity behavioral3/files/0x000600000001226f-64.dat family_strongpity -
Executes dropped EXE 4 IoCs
Processes:
npp.8.1.7.Installer.x64.exewinpickr.exewinpickr.exentuis32.exepid Process 1716 npp.8.1.7.Installer.x64.exe 884 winpickr.exe 1496 winpickr.exe 432 ntuis32.exe -
Loads dropped DLL 8 IoCs
Processes:
78556a2fc01c40f64f11c76ef26ec3ff.exenpp.8.1.7.Installer.x64.exewinpickr.exepid Process 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 1716 npp.8.1.7.Installer.x64.exe 1716 npp.8.1.7.Installer.x64.exe 1716 npp.8.1.7.Installer.x64.exe 1716 npp.8.1.7.Installer.x64.exe 1496 winpickr.exe 1496 winpickr.exe -
Drops file in System32 directory 1 IoCs
Processes:
78556a2fc01c40f64f11c76ef26ec3ff.exedescription ioc Process File created C:\Windows\SysWOW64\winpickr.exe 78556a2fc01c40f64f11c76ef26ec3ff.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 42 IoCs
Processes:
winpickr.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs winpickr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\LanguageList = 640065002d0044004500000064006500000065006e002d0055005300000065006e0000000000 winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople winpickr.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
winpickr.exepid Process 1496 winpickr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
npp.8.1.7.Installer.x64.exepid Process 1716 npp.8.1.7.Installer.x64.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
78556a2fc01c40f64f11c76ef26ec3ff.exewinpickr.exetaskeng.exetaskeng.exedescription pid Process procid_target PID 1184 wrote to memory of 1716 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 28 PID 1184 wrote to memory of 1716 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 28 PID 1184 wrote to memory of 1716 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 28 PID 1184 wrote to memory of 1716 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 28 PID 1184 wrote to memory of 1716 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 28 PID 1184 wrote to memory of 1716 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 28 PID 1184 wrote to memory of 1716 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 28 PID 1184 wrote to memory of 884 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 29 PID 1184 wrote to memory of 884 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 29 PID 1184 wrote to memory of 884 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 29 PID 1184 wrote to memory of 884 1184 78556a2fc01c40f64f11c76ef26ec3ff.exe 29 PID 1496 wrote to memory of 432 1496 winpickr.exe 32 PID 1496 wrote to memory of 432 1496 winpickr.exe 32 PID 1496 wrote to memory of 432 1496 winpickr.exe 32 PID 1496 wrote to memory of 432 1496 winpickr.exe 32 PID 1920 wrote to memory of 1408 1920 taskeng.exe 35 PID 1920 wrote to memory of 1408 1920 taskeng.exe 35 PID 1920 wrote to memory of 1408 1920 taskeng.exe 35 PID 1436 wrote to memory of 1636 1436 taskeng.exe 37 PID 1436 wrote to memory of 1636 1436 taskeng.exe 37 PID 1436 wrote to memory of 1636 1436 taskeng.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1716
-
-
C:\Windows\SysWOW64\winpickr.exeC:\Windows\system32\\winpickr.exe update2⤵
- Executes dropped EXE
PID:884
-
-
C:\Windows\SysWOW64\winpickr.exeC:\Windows\SysWOW64\winpickr.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"2⤵
- Executes dropped EXE
PID:432
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {6EB47578-4D0A-4718-A118-6B0DBCF0F378} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:1536
-
C:\Windows\system32\taskeng.exetaskeng.exe {A22B9DB5-2529-4F2C-A02A-EF67BDD9081F} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task2⤵PID:1408
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {EC87D3BF-009E-4D21-A958-282D828332BD} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task2⤵PID:1636
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
6b0279da0e09514269437f0c7bda9c69
SHA1edf15ad1973450b00762037877974394d27130b9
SHA256ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95
SHA5125556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787
-
MD5
6b0279da0e09514269437f0c7bda9c69
SHA1edf15ad1973450b00762037877974394d27130b9
SHA256ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95
SHA5125556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787
-
MD5
0392a100a1e09ae747e45382deceef4d
SHA1053d176f7d6f5af15291805338b59d3891ba58dc
SHA25618107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622
SHA512ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905
-
MD5
0392a100a1e09ae747e45382deceef4d
SHA1053d176f7d6f5af15291805338b59d3891ba58dc
SHA25618107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622
SHA512ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905
-
MD5
c66279129816fd2986495f5fcfec8625
SHA144bd7a588f94595b09f41553905dfc0f4e2b564e
SHA2561380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6
SHA5123dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04
-
MD5
c66279129816fd2986495f5fcfec8625
SHA144bd7a588f94595b09f41553905dfc0f4e2b564e
SHA2561380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6
SHA5123dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04
-
MD5
6b0279da0e09514269437f0c7bda9c69
SHA1edf15ad1973450b00762037877974394d27130b9
SHA256ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95
SHA5125556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787
-
MD5
6b0279da0e09514269437f0c7bda9c69
SHA1edf15ad1973450b00762037877974394d27130b9
SHA256ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95
SHA5125556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787
-
MD5
0392a100a1e09ae747e45382deceef4d
SHA1053d176f7d6f5af15291805338b59d3891ba58dc
SHA25618107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622
SHA512ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905
-
MD5
05bf02da51e717f79f6b5cbea7bc0710
SHA107471a64ef4dba9dc19ce68ae6cce683af7df86d
SHA256ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5
SHA512c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6
-
MD5
05bf02da51e717f79f6b5cbea7bc0710
SHA107471a64ef4dba9dc19ce68ae6cce683af7df86d
SHA256ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5
SHA512c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6
-
MD5
ab1db56369412fe8476fefffd11e4cc0
SHA1daad036a83b2ee2fa86d840a34a341100552e723
SHA2566f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b
SHA5128d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d
-
MD5
0d7ad4f45dc6f5aa87f606d0331c6901
SHA148df0911f0484cbe2a8cdd5362140b63c41ee457
SHA2563eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
MD5
c66279129816fd2986495f5fcfec8625
SHA144bd7a588f94595b09f41553905dfc0f4e2b564e
SHA2561380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6
SHA5123dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04