Analysis
-
max time kernel
1174s -
max time network
1178s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
11-11-2021 17:10
Static task
static1
Behavioral task
behavioral1
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win7-ja-20211014
Behavioral task
behavioral2
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win7-en-20211104
Behavioral task
behavioral3
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win7-de-20211104
Behavioral task
behavioral4
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win11
Behavioral task
behavioral5
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win10-ja-20211014
Behavioral task
behavioral6
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win10-en-20211014
Behavioral task
behavioral7
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win10-de-20211104
General
-
Target
78556a2fc01c40f64f11c76ef26ec3ff.exe
-
Size
4.9MB
-
MD5
78556a2fc01c40f64f11c76ef26ec3ff
-
SHA1
b66a7117d0e22dc0421337e20612ea08f1b2c9e3
-
SHA256
7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c
-
SHA512
c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3
Malware Config
Signatures
-
StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
-
StrongPity Spyware 3 IoCs
Processes:
resource yara_rule behavioral6/files/0x000600000001aba5-118.dat family_strongpity behavioral6/files/0x000600000001aba5-119.dat family_strongpity behavioral6/files/0x000600000001aba5-120.dat family_strongpity -
Executes dropped EXE 4 IoCs
Processes:
npp.8.1.7.Installer.x64.exewinpickr.exewinpickr.exentuis32.exepid Process 3020 npp.8.1.7.Installer.x64.exe 3784 winpickr.exe 3548 winpickr.exe 1596 ntuis32.exe -
Loads dropped DLL 4 IoCs
Processes:
npp.8.1.7.Installer.x64.exepid Process 3020 npp.8.1.7.Installer.x64.exe 3020 npp.8.1.7.Installer.x64.exe 3020 npp.8.1.7.Installer.x64.exe 3020 npp.8.1.7.Installer.x64.exe -
Drops file in System32 directory 1 IoCs
Processes:
78556a2fc01c40f64f11c76ef26ec3ff.exedescription ioc Process File created C:\Windows\SysWOW64\winpickr.exe 78556a2fc01c40f64f11c76ef26ec3ff.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 42 IoCs
Processes:
winpickr.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust winpickr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache winpickr.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates winpickr.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
winpickr.exepid Process 3548 winpickr.exe 3548 winpickr.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
78556a2fc01c40f64f11c76ef26ec3ff.exewinpickr.exedescription pid Process procid_target PID 2460 wrote to memory of 3020 2460 78556a2fc01c40f64f11c76ef26ec3ff.exe 68 PID 2460 wrote to memory of 3020 2460 78556a2fc01c40f64f11c76ef26ec3ff.exe 68 PID 2460 wrote to memory of 3020 2460 78556a2fc01c40f64f11c76ef26ec3ff.exe 68 PID 2460 wrote to memory of 3784 2460 78556a2fc01c40f64f11c76ef26ec3ff.exe 69 PID 2460 wrote to memory of 3784 2460 78556a2fc01c40f64f11c76ef26ec3ff.exe 69 PID 2460 wrote to memory of 3784 2460 78556a2fc01c40f64f11c76ef26ec3ff.exe 69 PID 3548 wrote to memory of 1596 3548 winpickr.exe 72 PID 3548 wrote to memory of 1596 3548 winpickr.exe 72 PID 3548 wrote to memory of 1596 3548 winpickr.exe 72
Processes
-
C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020
-
-
C:\Windows\SysWOW64\winpickr.exeC:\Windows\system32\\winpickr.exe update2⤵
- Executes dropped EXE
PID:3784
-
-
C:\Windows\SysWOW64\winpickr.exeC:\Windows\SysWOW64\winpickr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"2⤵
- Executes dropped EXE
PID:1596
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
6b0279da0e09514269437f0c7bda9c69
SHA1edf15ad1973450b00762037877974394d27130b9
SHA256ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95
SHA5125556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787
-
MD5
6b0279da0e09514269437f0c7bda9c69
SHA1edf15ad1973450b00762037877974394d27130b9
SHA256ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95
SHA5125556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787
-
MD5
0392a100a1e09ae747e45382deceef4d
SHA1053d176f7d6f5af15291805338b59d3891ba58dc
SHA25618107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622
SHA512ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905
-
MD5
0392a100a1e09ae747e45382deceef4d
SHA1053d176f7d6f5af15291805338b59d3891ba58dc
SHA25618107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622
SHA512ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905
-
MD5
c66279129816fd2986495f5fcfec8625
SHA144bd7a588f94595b09f41553905dfc0f4e2b564e
SHA2561380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6
SHA5123dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04
-
MD5
c66279129816fd2986495f5fcfec8625
SHA144bd7a588f94595b09f41553905dfc0f4e2b564e
SHA2561380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6
SHA5123dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04
-
MD5
c66279129816fd2986495f5fcfec8625
SHA144bd7a588f94595b09f41553905dfc0f4e2b564e
SHA2561380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6
SHA5123dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04
-
MD5
05bf02da51e717f79f6b5cbea7bc0710
SHA107471a64ef4dba9dc19ce68ae6cce683af7df86d
SHA256ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5
SHA512c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6
-
MD5
05bf02da51e717f79f6b5cbea7bc0710
SHA107471a64ef4dba9dc19ce68ae6cce683af7df86d
SHA256ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5
SHA512c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6
-
MD5
ab1db56369412fe8476fefffd11e4cc0
SHA1daad036a83b2ee2fa86d840a34a341100552e723
SHA2566f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b
SHA5128d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d
-
MD5
0d7ad4f45dc6f5aa87f606d0331c6901
SHA148df0911f0484cbe2a8cdd5362140b63c41ee457
SHA2563eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9