Analysis
-
max time kernel
1174s -
max time network
1178s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
11/11/2021, 17:10
Static task
static1
Behavioral task
behavioral1
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win7-ja-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win7-en-20211104
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win7-de-20211104
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win11
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win10-ja-20211014
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win10-en-20211014
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win10-de-20211104
windows10_x64
0 signatures
0 seconds
General
-
Target
78556a2fc01c40f64f11c76ef26ec3ff.exe
-
Size
4.9MB
-
MD5
78556a2fc01c40f64f11c76ef26ec3ff
-
SHA1
b66a7117d0e22dc0421337e20612ea08f1b2c9e3
-
SHA256
7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c
-
SHA512
c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3
Score
10/10
Malware Config
Signatures
-
StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
-
StrongPity Spyware 3 IoCs
resource yara_rule behavioral6/files/0x000600000001aba5-118.dat family_strongpity behavioral6/files/0x000600000001aba5-119.dat family_strongpity behavioral6/files/0x000600000001aba5-120.dat family_strongpity -
Executes dropped EXE 4 IoCs
pid Process 3020 npp.8.1.7.Installer.x64.exe 3784 winpickr.exe 3548 winpickr.exe 1596 ntuis32.exe -
Loads dropped DLL 4 IoCs
pid Process 3020 npp.8.1.7.Installer.x64.exe 3020 npp.8.1.7.Installer.x64.exe 3020 npp.8.1.7.Installer.x64.exe 3020 npp.8.1.7.Installer.x64.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\winpickr.exe 78556a2fc01c40f64f11c76ef26ec3ff.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 42 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache winpickr.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates winpickr.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3548 winpickr.exe 3548 winpickr.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2460 wrote to memory of 3020 2460 78556a2fc01c40f64f11c76ef26ec3ff.exe 68 PID 2460 wrote to memory of 3020 2460 78556a2fc01c40f64f11c76ef26ec3ff.exe 68 PID 2460 wrote to memory of 3020 2460 78556a2fc01c40f64f11c76ef26ec3ff.exe 68 PID 2460 wrote to memory of 3784 2460 78556a2fc01c40f64f11c76ef26ec3ff.exe 69 PID 2460 wrote to memory of 3784 2460 78556a2fc01c40f64f11c76ef26ec3ff.exe 69 PID 2460 wrote to memory of 3784 2460 78556a2fc01c40f64f11c76ef26ec3ff.exe 69 PID 3548 wrote to memory of 1596 3548 winpickr.exe 72 PID 3548 wrote to memory of 1596 3548 winpickr.exe 72 PID 3548 wrote to memory of 1596 3548 winpickr.exe 72
Processes
-
C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020
-
-
C:\Windows\SysWOW64\winpickr.exeC:\Windows\system32\\winpickr.exe update2⤵
- Executes dropped EXE
PID:3784
-
-
C:\Windows\SysWOW64\winpickr.exeC:\Windows\SysWOW64\winpickr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"2⤵
- Executes dropped EXE
PID:1596
-