strongpity | 7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c

Analysis

max time kernel
1194s
max time network
1208s
platform
windows11_x64
resource
win11
submitted
11/11/2021, 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78556a2fc01c40f64f11c76ef26ec3ff.exe
Size

4.9MB
MD5

78556a2fc01c40f64f11c76ef26ec3ff
SHA1

b66a7117d0e22dc0421337e20612ea08f1b2c9e3
SHA256

7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c
SHA512

c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3

Score

10^/10

strongpity xmrig miner persistence spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 3 IoCs

resource	yara_rule
behavioral4/files/0x000300000001fce3-149.dat	family_strongpity
behavioral4/files/0x000300000001fce3-150.dat	family_strongpity
behavioral4/files/0x000300000001fce3-151.dat	family_strongpity

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 4 IoCs

pid	Process
1012	npp.8.1.7.Installer.x64.exe
476	winpickr.exe
1876	winpickr.exe
1524	ntuis32.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 4 IoCs

pid	Process
1012	npp.8.1.7.Installer.x64.exe
1012	npp.8.1.7.Installer.x64.exe
1012	npp.8.1.7.Installer.x64.exe
1012	npp.8.1.7.Installer.x64.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winpickr.exe	78556a2fc01c40f64f11c76ef26ec3ff.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	winpickr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1876	winpickr.exe
1876	winpickr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2400	svchost.exe
Token: SeCreatePagefilePrivilege	2400	svchost.exe
Token: SeShutdownPrivilege	2400	svchost.exe
Token: SeCreatePagefilePrivilege	2400	svchost.exe
Token: SeShutdownPrivilege	2400	svchost.exe
Token: SeCreatePagefilePrivilege	2400	svchost.exe
Token: SeShutdownPrivilege	2324	svchost.exe
Token: SeCreatePagefilePrivilege	2324	svchost.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe
Token: SeSecurityPrivilege	3992	TiWorker.exe
Token: SeBackupPrivilege	3992	TiWorker.exe
Token: SeRestorePrivilege	3992	TiWorker.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 1012	780	78556a2fc01c40f64f11c76ef26ec3ff.exe	80
PID 780 wrote to memory of 1012	780	78556a2fc01c40f64f11c76ef26ec3ff.exe	80
PID 780 wrote to memory of 1012	780	78556a2fc01c40f64f11c76ef26ec3ff.exe	80
PID 780 wrote to memory of 476	780	78556a2fc01c40f64f11c76ef26ec3ff.exe	81
PID 780 wrote to memory of 476	780	78556a2fc01c40f64f11c76ef26ec3ff.exe	81
PID 780 wrote to memory of 476	780	78556a2fc01c40f64f11c76ef26ec3ff.exe	81
PID 1876 wrote to memory of 1524	1876	winpickr.exe	87
PID 1876 wrote to memory of 1524	1876	winpickr.exe	87
PID 1876 wrote to memory of 1524	1876	winpickr.exe	87
PID 2324 wrote to memory of 2216	2324	svchost.exe	89
PID 2324 wrote to memory of 2216	2324	svchost.exe	89
PID 2324 wrote to memory of 3260	2324	svchost.exe	109
PID 2324 wrote to memory of 3260	2324	svchost.exe	109
PID 2324 wrote to memory of 3312	2324	svchost.exe	110
PID 2324 wrote to memory of 3312	2324	svchost.exe	110

C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe
"C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1012
- C:\Windows\SysWOW64\winpickr.exe
  C:\Windows\system32\\winpickr.exe update
  2⤵
  - Executes dropped EXE
  PID:476

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e9c9949297a9b53d28d70458f37a614e 3/aaMElYZ0uRt/xCEjQ3LQ.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:1436

C:\Windows\SysWOW64\winpickr.exe
C:\Windows\SysWOW64\winpickr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876
- C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
  "C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"
  2⤵
  - Executes dropped EXE
  PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  2⤵
  PID:2216
- C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  2⤵
  PID:3260
- C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  2⤵
  PID:3312

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e9c9949297a9b53d28d70458f37a614e 3/aaMElYZ0uRt/xCEjQ3LQ.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:1964

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e9c9949297a9b53d28d70458f37a614e 3/aaMElYZ0uRt/xCEjQ3LQ.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2400-156-0x000001CC94070000-0x000001CC94074000-memory.dmp

Filesize
16KB

Download
memory/2400-154-0x000001CC91920000-0x000001CC91930000-memory.dmp

Filesize
64KB

Download
memory/2400-155-0x000001CC919A0000-0x000001CC919B0000-memory.dmp

Filesize
64KB

Download
memory/2400-165-0x000001CC94090000-0x000001CC94094000-memory.dmp

Filesize
16KB

Download
memory/2400-166-0x000001CC93FB0000-0x000001CC93FB1000-memory.dmp

Filesize
4KB

Download
memory/2400-168-0x000001CC93F70000-0x000001CC93F71000-memory.dmp

Filesize
4KB

Download