Overview

overview

10

Static

static

78556a2fc0...ff.exe

windows7_x64

10

78556a2fc0...ff.exe

windows7_x64

10

78556a2fc0...ff.exe

windows7_x64

10

78556a2fc0...ff.exe

windows11_x64

10

78556a2fc0...ff.exe

windows10_x64

10

78556a2fc0...ff.exe

windows10_x64

10

78556a2fc0...ff.exe

windows10_x64

10

Analysis

  • max time kernel
    1174s
  • max time network
    1178s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    11-11-2021 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78556a2fc01c40f64f11c76ef26ec3ff.exe

  • Size

    4.9MB

  • MD5

    78556a2fc01c40f64f11c76ef26ec3ff

  • SHA1

    b66a7117d0e22dc0421337e20612ea08f1b2c9e3

  • SHA256

    7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c

  • SHA512

    c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3

Score
10/10
strongpityspywarestealer

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

    stealerspywarestrongpity
  • StrongPity Spyware 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe
    "C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3020
    • C:\Windows\SysWOW64\winpickr.exe
      C:\Windows\system32\\winpickr.exe update
      2⤵
      • Executes dropped EXE
      PID:3784
  • C:\Windows\SysWOW64\winpickr.exe
    C:\Windows\SysWOW64\winpickr.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
      "C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"
      2⤵
      • Executes dropped EXE
      PID:1596

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
    MD5

    6b0279da0e09514269437f0c7bda9c69

    SHA1

    edf15ad1973450b00762037877974394d27130b9

    SHA256

    ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

    SHA512

    5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

    Download Submit

  • C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
    MD5

    6b0279da0e09514269437f0c7bda9c69

    SHA1

    edf15ad1973450b00762037877974394d27130b9

    SHA256

    ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

    SHA512

    5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
    MD5

    0392a100a1e09ae747e45382deceef4d

    SHA1

    053d176f7d6f5af15291805338b59d3891ba58dc

    SHA256

    18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622

    SHA512

    ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
    MD5

    0392a100a1e09ae747e45382deceef4d

    SHA1

    053d176f7d6f5af15291805338b59d3891ba58dc

    SHA256

    18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622

    SHA512

    ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905

    Download Submit

  • C:\Windows\SysWOW64\winpickr.exe
    MD5

    c66279129816fd2986495f5fcfec8625

    SHA1

    44bd7a588f94595b09f41553905dfc0f4e2b564e

    SHA256

    1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

    SHA512

    3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

    Download Submit

  • C:\Windows\SysWOW64\winpickr.exe
    MD5

    c66279129816fd2986495f5fcfec8625

    SHA1

    44bd7a588f94595b09f41553905dfc0f4e2b564e

    SHA256

    1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

    SHA512

    3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

    Download Submit

  • C:\Windows\SysWOW64\winpickr.exe
    MD5

    c66279129816fd2986495f5fcfec8625

    SHA1

    44bd7a588f94595b09f41553905dfc0f4e2b564e

    SHA256

    1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

    SHA512

    3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsfDDA1.tmp\InstallOptions.dll
    MD5

    05bf02da51e717f79f6b5cbea7bc0710

    SHA1

    07471a64ef4dba9dc19ce68ae6cce683af7df86d

    SHA256

    ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

    SHA512

    c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsfDDA1.tmp\InstallOptions.dll
    MD5

    05bf02da51e717f79f6b5cbea7bc0710

    SHA1

    07471a64ef4dba9dc19ce68ae6cce683af7df86d

    SHA256

    ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

    SHA512

    c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsfDDA1.tmp\LangDLL.dll
    MD5

    ab1db56369412fe8476fefffd11e4cc0

    SHA1

    daad036a83b2ee2fa86d840a34a341100552e723

    SHA256

    6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

    SHA512

    8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsfDDA1.tmp\System.dll
    MD5

    0d7ad4f45dc6f5aa87f606d0331c6901

    SHA1

    48df0911f0484cbe2a8cdd5362140b63c41ee457

    SHA256

    3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    SHA512

    c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    Download Submit

  • memory/1596-123-0x0000000000000000-mapping.dmp

    Download

  • memory/3020-115-0x0000000000000000-mapping.dmp

    Download

  • memory/3784-117-0x0000000000000000-mapping.dmp

    Download