strongpity | 7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c

Analysis

max time kernel
1200s
max time network
1200s
platform
windows7_x64
resource
win7-de-20211104
submitted
11-11-2021 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78556a2fc01c40f64f11c76ef26ec3ff.exe
Size

4.9MB
MD5

78556a2fc01c40f64f11c76ef26ec3ff
SHA1

b66a7117d0e22dc0421337e20612ea08f1b2c9e3
SHA256

7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c
SHA512

c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3

Score

10^/10

strongpity spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 3 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\winpickr.exe	family_strongpity
C:\Windows\SysWOW64\winpickr.exe	family_strongpity
C:\Windows\SysWOW64\winpickr.exe	family_strongpity

Executes dropped EXE 4 IoCs

Processes:

npp.8.1.7.Installer.x64.exewinpickr.exewinpickr.exentuis32.exe

pid process

1716 npp.8.1.7.Installer.x64.exe
884 winpickr.exe
1496 winpickr.exe
432 ntuis32.exe

pid	process
1716	npp.8.1.7.Installer.x64.exe
884	winpickr.exe
1496	winpickr.exe
432	ntuis32.exe

Loads dropped DLL 8 IoCs

Processes:

78556a2fc01c40f64f11c76ef26ec3ff.exenpp.8.1.7.Installer.x64.exewinpickr.exe

pid	process
1184	78556a2fc01c40f64f11c76ef26ec3ff.exe
1184	78556a2fc01c40f64f11c76ef26ec3ff.exe
1716	npp.8.1.7.Installer.x64.exe
1716	npp.8.1.7.Installer.x64.exe
1716	npp.8.1.7.Installer.x64.exe
1716	npp.8.1.7.Installer.x64.exe
1496	winpickr.exe
1496	winpickr.exe

Drops file in System32 directory 1 IoCs

Processes:

78556a2fc01c40f64f11c76ef26ec3ff.exe

description ioc process

File created C:\Windows\SysWOW64\winpickr.exe 78556a2fc01c40f64f11c76ef26ec3ff.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\winpickr.exe	78556a2fc01c40f64f11c76ef26ec3ff.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

winpickr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	winpickr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\LanguageList = 640065002d0044004500000064006500000065006e002d0055005300000065006e0000000000	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	winpickr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

winpickr.exe

pid process

1496 winpickr.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

npp.8.1.7.Installer.x64.exe

pid process

1716 npp.8.1.7.Installer.x64.exe

pid	process
1496	winpickr.exe

pid	process
1716	npp.8.1.7.Installer.x64.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

78556a2fc01c40f64f11c76ef26ec3ff.exewinpickr.exetaskeng.exetaskeng.exe

description	pid	process	target process
PID 1184 wrote to memory of 1716	1184	78556a2fc01c40f64f11c76ef26ec3ff.exe	npp.8.1.7.Installer.x64.exe
PID 1184 wrote to memory of 1716	1184	78556a2fc01c40f64f11c76ef26ec3ff.exe	npp.8.1.7.Installer.x64.exe
PID 1184 wrote to memory of 1716	1184	78556a2fc01c40f64f11c76ef26ec3ff.exe	npp.8.1.7.Installer.x64.exe
PID 1184 wrote to memory of 1716	1184	78556a2fc01c40f64f11c76ef26ec3ff.exe	npp.8.1.7.Installer.x64.exe
PID 1184 wrote to memory of 1716	1184	78556a2fc01c40f64f11c76ef26ec3ff.exe	npp.8.1.7.Installer.x64.exe
PID 1184 wrote to memory of 1716	1184	78556a2fc01c40f64f11c76ef26ec3ff.exe	npp.8.1.7.Installer.x64.exe
PID 1184 wrote to memory of 1716	1184	78556a2fc01c40f64f11c76ef26ec3ff.exe	npp.8.1.7.Installer.x64.exe
PID 1184 wrote to memory of 884	1184	78556a2fc01c40f64f11c76ef26ec3ff.exe	winpickr.exe
PID 1184 wrote to memory of 884	1184	78556a2fc01c40f64f11c76ef26ec3ff.exe	winpickr.exe
PID 1184 wrote to memory of 884	1184	78556a2fc01c40f64f11c76ef26ec3ff.exe	winpickr.exe
PID 1184 wrote to memory of 884	1184	78556a2fc01c40f64f11c76ef26ec3ff.exe	winpickr.exe
PID 1496 wrote to memory of 432	1496	winpickr.exe	ntuis32.exe
PID 1496 wrote to memory of 432	1496	winpickr.exe	ntuis32.exe
PID 1496 wrote to memory of 432	1496	winpickr.exe	ntuis32.exe
PID 1496 wrote to memory of 432	1496	winpickr.exe	ntuis32.exe
PID 1920 wrote to memory of 1408	1920	taskeng.exe	default-browser-agent.exe
PID 1920 wrote to memory of 1408	1920	taskeng.exe	default-browser-agent.exe
PID 1920 wrote to memory of 1408	1920	taskeng.exe	default-browser-agent.exe
PID 1436 wrote to memory of 1636	1436	taskeng.exe	default-browser-agent.exe
PID 1436 wrote to memory of 1636	1436	taskeng.exe	default-browser-agent.exe
PID 1436 wrote to memory of 1636	1436	taskeng.exe	default-browser-agent.exe

C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe
"C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
"C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1716

C:\Windows\SysWOW64\winpickr.exe
C:\Windows\system32\\winpickr.exe update
2⤵
- Executes dropped EXE
PID:884

C:\Windows\SysWOW64\winpickr.exe
C:\Windows\SysWOW64\winpickr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496

C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
"C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"
2⤵
- Executes dropped EXE
PID:432

C:\Windows\system32\taskeng.exe
taskeng.exe {6EB47578-4D0A-4718-A118-6B0DBCF0F378} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1536

C:\Windows\system32\taskeng.exe
taskeng.exe {A22B9DB5-2529-4F2C-A02A-EF67BDD9081F} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
2⤵
PID:1408

C:\Windows\system32\taskeng.exe
taskeng.exe {EC87D3BF-009E-4D21-A958-282D828332BD} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
2⤵
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\WindowsData\ntuis32.exe

MD5
6b0279da0e09514269437f0c7bda9c69

SHA1
edf15ad1973450b00762037877974394d27130b9

SHA256
ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

SHA512
5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

Download Submit
C:\ProgramData\Microsoft\WindowsData\ntuis32.exe

MD5
6b0279da0e09514269437f0c7bda9c69

SHA1
edf15ad1973450b00762037877974394d27130b9

SHA256
ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

SHA512
5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe

MD5
0392a100a1e09ae747e45382deceef4d

SHA1
053d176f7d6f5af15291805338b59d3891ba58dc

SHA256
18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622

SHA512
ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe

MD5
0392a100a1e09ae747e45382deceef4d

SHA1
053d176f7d6f5af15291805338b59d3891ba58dc

SHA256
18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622

SHA512
ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905

Download Submit
C:\Windows\SysWOW64\winpickr.exe

MD5
c66279129816fd2986495f5fcfec8625

SHA1
44bd7a588f94595b09f41553905dfc0f4e2b564e

SHA256
1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

SHA512
3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

Download Submit
C:\Windows\SysWOW64\winpickr.exe

MD5
c66279129816fd2986495f5fcfec8625

SHA1
44bd7a588f94595b09f41553905dfc0f4e2b564e

SHA256
1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

SHA512
3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

Download Submit
\ProgramData\Microsoft\WindowsData\ntuis32.exe

MD5
6b0279da0e09514269437f0c7bda9c69

SHA1
edf15ad1973450b00762037877974394d27130b9

SHA256
ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

SHA512
5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

Download Submit
\ProgramData\Microsoft\WindowsData\ntuis32.exe

MD5
6b0279da0e09514269437f0c7bda9c69

SHA1
edf15ad1973450b00762037877974394d27130b9

SHA256
ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

SHA512
5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

Download Submit
\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe

MD5
0392a100a1e09ae747e45382deceef4d

SHA1
053d176f7d6f5af15291805338b59d3891ba58dc

SHA256
18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622

SHA512
ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905

Download Submit
\Users\Admin\AppData\Local\Temp\nstCEA7.tmp\InstallOptions.dll

MD5
05bf02da51e717f79f6b5cbea7bc0710

SHA1
07471a64ef4dba9dc19ce68ae6cce683af7df86d

SHA256
ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

SHA512
c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

Download Submit
\Users\Admin\AppData\Local\Temp\nstCEA7.tmp\InstallOptions.dll

MD5
05bf02da51e717f79f6b5cbea7bc0710

SHA1
07471a64ef4dba9dc19ce68ae6cce683af7df86d

SHA256
ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

SHA512
c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

Download Submit
\Users\Admin\AppData\Local\Temp\nstCEA7.tmp\LangDLL.dll

MD5
ab1db56369412fe8476fefffd11e4cc0

SHA1
daad036a83b2ee2fa86d840a34a341100552e723

SHA256
6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

SHA512
8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d

Download Submit
\Users\Admin\AppData\Local\Temp\nstCEA7.tmp\System.dll

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Windows\SysWOW64\winpickr.exe

MD5
c66279129816fd2986495f5fcfec8625

SHA1
44bd7a588f94595b09f41553905dfc0f4e2b564e

SHA256
1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

SHA512
3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

Download Submit
memory/432-74-0x0000000000000000-mapping.dmp

Download
memory/884-61-0x0000000000000000-mapping.dmp

Download
memory/1184-55-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/1408-76-0x0000000000000000-mapping.dmp

Download
memory/1636-77-0x0000000000000000-mapping.dmp

Download
memory/1716-57-0x0000000000000000-mapping.dmp

Download