Overview

overview

10

Static

static

78556a2fc0...ff.exe

windows7_x64

10

78556a2fc0...ff.exe

windows7_x64

10

78556a2fc0...ff.exe

windows7_x64

10

78556a2fc0...ff.exe

windows11_x64

10

78556a2fc0...ff.exe

windows10_x64

10

78556a2fc0...ff.exe

windows10_x64

10

78556a2fc0...ff.exe

windows10_x64

10

Analysis

  • max time kernel
    1163s
  • max time network
    1179s
  • platform
    windows10_x64
  • resource
    win10-de-20211104
  • submitted
    11-11-2021 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78556a2fc01c40f64f11c76ef26ec3ff.exe

  • Size

    4.9MB

  • MD5

    78556a2fc01c40f64f11c76ef26ec3ff

  • SHA1

    b66a7117d0e22dc0421337e20612ea08f1b2c9e3

  • SHA256

    7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c

  • SHA512

    c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3

Score
10/10
strongpitypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs
    persistence
  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

    stealerspywarestrongpity
  • StrongPity Spyware 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe
    "C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4176
    • C:\Windows\SysWOW64\winpickr.exe
      C:\Windows\system32\\winpickr.exe update
      2⤵
      • Executes dropped EXE
      PID:4664
  • C:\Windows\SysWOW64\winpickr.exe
    C:\Windows\SysWOW64\winpickr.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
      "C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"
      2⤵
      • Executes dropped EXE
      PID:2288
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.205.1003.0005\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.205.1003.0005\FileSyncConfig.exe"
    1⤵
    • Modifies registry class
    PID:5104
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
    MD5

    6b0279da0e09514269437f0c7bda9c69

    SHA1

    edf15ad1973450b00762037877974394d27130b9

    SHA256

    ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

    SHA512

    5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

    Download Submit
  • C:\ProgramData\Microsoft\WindowsData\ntuis32.exe
    MD5

    6b0279da0e09514269437f0c7bda9c69

    SHA1

    edf15ad1973450b00762037877974394d27130b9

    SHA256

    ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95

    SHA512

    5556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
    MD5

    0392a100a1e09ae747e45382deceef4d

    SHA1

    053d176f7d6f5af15291805338b59d3891ba58dc

    SHA256

    18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622

    SHA512

    ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe
    MD5

    0392a100a1e09ae747e45382deceef4d

    SHA1

    053d176f7d6f5af15291805338b59d3891ba58dc

    SHA256

    18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622

    SHA512

    ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905

    Download Submit
  • C:\Windows\SysWOW64\winpickr.exe
    MD5

    c66279129816fd2986495f5fcfec8625

    SHA1

    44bd7a588f94595b09f41553905dfc0f4e2b564e

    SHA256

    1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

    SHA512

    3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

    Download Submit
  • C:\Windows\SysWOW64\winpickr.exe
    MD5

    c66279129816fd2986495f5fcfec8625

    SHA1

    44bd7a588f94595b09f41553905dfc0f4e2b564e

    SHA256

    1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

    SHA512

    3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

    Download Submit
  • C:\Windows\SysWOW64\winpickr.exe
    MD5

    c66279129816fd2986495f5fcfec8625

    SHA1

    44bd7a588f94595b09f41553905dfc0f4e2b564e

    SHA256

    1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6

    SHA512

    3dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsiA4DE.tmp\InstallOptions.dll
    MD5

    05bf02da51e717f79f6b5cbea7bc0710

    SHA1

    07471a64ef4dba9dc19ce68ae6cce683af7df86d

    SHA256

    ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

    SHA512

    c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsiA4DE.tmp\InstallOptions.dll
    MD5

    05bf02da51e717f79f6b5cbea7bc0710

    SHA1

    07471a64ef4dba9dc19ce68ae6cce683af7df86d

    SHA256

    ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

    SHA512

    c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsiA4DE.tmp\LangDLL.dll
    MD5

    ab1db56369412fe8476fefffd11e4cc0

    SHA1

    daad036a83b2ee2fa86d840a34a341100552e723

    SHA256

    6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

    SHA512

    8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsiA4DE.tmp\System.dll
    MD5

    0d7ad4f45dc6f5aa87f606d0331c6901

    SHA1

    48df0911f0484cbe2a8cdd5362140b63c41ee457

    SHA256

    3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    SHA512

    c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    Download Submit
  • memory/2288-126-0x0000000000000000-mapping.dmp
    Download
  • memory/4176-118-0x0000000000000000-mapping.dmp
    Download
  • memory/4664-120-0x0000000000000000-mapping.dmp
    Download