Overview

overview

10

Static

static

78556a2fc0...ff.exe

windows7_x64

10

78556a2fc0...ff.exe

windows7_x64

10

78556a2fc0...ff.exe

windows7_x64

10

78556a2fc0...ff.exe

windows11_x64

10

78556a2fc0...ff.exe

windows10_x64

10

78556a2fc0...ff.exe

windows10_x64

10

78556a2fc0...ff.exe

windows10_x64

10

Analysis

  • max time kernel
    1194s
  • max time network
    1208s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    11-11-2021 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78556a2fc01c40f64f11c76ef26ec3ff.exe

  • Size

    4.9MB

  • MD5

    78556a2fc01c40f64f11c76ef26ec3ff

  • SHA1

    b66a7117d0e22dc0421337e20612ea08f1b2c9e3

  • SHA256

    7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c

  • SHA512

    c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3

Score
10/10
strongpityxmrigminerpersistencespywarestealer

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

    stealerspywarestrongpity
  • StrongPity Spyware 3 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Executes dropped EXE 4 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe
    "C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1012
    • C:\Windows\SysWOW64\winpickr.exe
      C:\Windows\system32\\winpickr.exe update
      2⤵
      • Executes dropped EXE
      PID:476
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe e9c9949297a9b53d28d70458f37a614e 3/aaMElYZ0uRt/xCEjQ3LQ.0.1.0.3.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1436
  • C:\Windows\SysWOW64\winpickr.exe
    C:\Windows\SysWOW64\winpickr.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
      "C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"
      2⤵
      • Executes dropped EXE
      PID:1524
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2400
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
      C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
      2⤵
        PID:2216
      • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
        C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
        2⤵
          PID:3260
        • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
          C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
          2⤵
            PID:3312
        • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
          C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
          1⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:3992
        • C:\Windows\System32\WaaSMedicAgent.exe
          C:\Windows\System32\WaaSMedicAgent.exe e9c9949297a9b53d28d70458f37a614e 3/aaMElYZ0uRt/xCEjQ3LQ.0.1.0.3.0
          1⤵
          • Modifies data under HKEY_USERS
          PID:1964
        • C:\Windows\System32\WaaSMedicAgent.exe
          C:\Windows\System32\WaaSMedicAgent.exe e9c9949297a9b53d28d70458f37a614e 3/aaMElYZ0uRt/xCEjQ3LQ.0.1.0.3.0
          1⤵
          • Modifies data under HKEY_USERS
          PID:3948

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        2
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
          MD5

          6b0279da0e09514269437f0c7bda9c69

          SHA1

          edf15ad1973450b00762037877974394d27130b9

          SHA256

          ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

          SHA512

          5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

          Download Submit
        • C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
          MD5

          6b0279da0e09514269437f0c7bda9c69

          SHA1

          edf15ad1973450b00762037877974394d27130b9

          SHA256

          ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

          SHA512

          5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
          MD5

          0392a100a1e09ae747e45382deceef4d

          SHA1

          053d176f7d6f5af15291805338b59d3891ba58dc

          SHA256

          18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622

          SHA512

          ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
          MD5

          0392a100a1e09ae747e45382deceef4d

          SHA1

          053d176f7d6f5af15291805338b59d3891ba58dc

          SHA256

          18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622

          SHA512

          ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\nsbE5A9.tmp\InstallOptions.dll
          MD5

          05bf02da51e717f79f6b5cbea7bc0710

          SHA1

          07471a64ef4dba9dc19ce68ae6cce683af7df86d

          SHA256

          ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

          SHA512

          c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\nsbE5A9.tmp\InstallOptions.dll
          MD5

          05bf02da51e717f79f6b5cbea7bc0710

          SHA1

          07471a64ef4dba9dc19ce68ae6cce683af7df86d

          SHA256

          ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

          SHA512

          c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\nsbE5A9.tmp\LangDLL.dll
          MD5

          ab1db56369412fe8476fefffd11e4cc0

          SHA1

          daad036a83b2ee2fa86d840a34a341100552e723

          SHA256

          6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

          SHA512

          8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\nsbE5A9.tmp\System.dll
          MD5

          0d7ad4f45dc6f5aa87f606d0331c6901

          SHA1

          48df0911f0484cbe2a8cdd5362140b63c41ee457

          SHA256

          3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

          SHA512

          c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

          Download Submit
        • C:\Windows\SysWOW64\winpickr.exe
          MD5

          c66279129816fd2986495f5fcfec8625

          SHA1

          44bd7a588f94595b09f41553905dfc0f4e2b564e

          SHA256

          1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

          SHA512

          3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

          Download Submit
        • C:\Windows\SysWOW64\winpickr.exe
          MD5

          c66279129816fd2986495f5fcfec8625

          SHA1

          44bd7a588f94595b09f41553905dfc0f4e2b564e

          SHA256

          1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

          SHA512

          3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

          Download Submit
        • C:\Windows\SysWOW64\winpickr.exe
          MD5

          c66279129816fd2986495f5fcfec8625

          SHA1

          44bd7a588f94595b09f41553905dfc0f4e2b564e

          SHA256

          1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

          SHA512

          3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

          Download Submit
        • memory/476-148-0x0000000000000000-mapping.dmp
          Download
        • memory/1012-146-0x0000000000000000-mapping.dmp
          Download
        • memory/1524-157-0x0000000000000000-mapping.dmp
          Download
        • memory/2216-160-0x0000000000000000-mapping.dmp
          Download
        • memory/2400-156-0x000001CC94070000-0x000001CC94074000-memory.dmp
          Filesize

          16KB

          Download
        • memory/2400-154-0x000001CC91920000-0x000001CC91930000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2400-155-0x000001CC919A0000-0x000001CC919B0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2400-165-0x000001CC94090000-0x000001CC94094000-memory.dmp
          Filesize

          16KB

          Download
        • memory/2400-166-0x000001CC93FB0000-0x000001CC93FB1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2400-168-0x000001CC93F70000-0x000001CC93F71000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3260-164-0x0000000000000000-mapping.dmp
          Download
        • memory/3312-169-0x0000000000000000-mapping.dmp
          Download