Analysis
max time kernel: 147s
max time network: 153s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 02:42
Static task: static1
Behavioral task: behavioral1
  Sample: fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe
  Resource: win10-en-20211208
General
Target: fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe
Size: 7.2MB
MD5: 7560bc4862c99de7d33cd3ae6c93ba8a
SHA1: ec1b474aaf772c85c0714e70f8096825a3b63b12
SHA256: fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a
SHA512: c209e4bde2e6e36e5480edf11ca67a887724fa5b46836ce4fffc1c814f67132ce88f59b46bb3a1861db28943b8df80e8f0606f52ba0918a68f9f2256fbeb7591
Malware Config
Signatures
StrongPity
StrongPity is spyware developed by the PROMETHIUM APT group, used mainly in government-sponsored attacks.

StrongPity Spyware 2 IoCs
resource                                      yara_rule
behavioral2/files/0x000500000001ab61-120.dat  family_strongpity
behavioral2/files/0x000500000001ab61-121.dat  family_strongpity
Blocklisted process makes network request 3 IoCs
flow  pid   Process
27    3596  mshta.exe
28    3596  mshta.exe
30    3596  mshta.exe

Executes dropped EXE 5 IoCs
pid   Process
1440  DriverPack-17-Online.exe
696   seceditr.exe
4084  seceditr.exe
3608  winslui32.exe
1984  spools32.exe

Loads dropped DLL 1 IoCs
pid   Process
1440  DriverPack-17-Online.exe

Drops file in System32 directory 2 IoCs
description   ioc                                Process
File created  C:\Windows\SysWOW64\seceditr.exe   fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe
File created  C:\Windows\SysWOW64\winslui32.exe  fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
pid   pid_target  Process       procid_target
3056  3596        WerFault.exe  78

NSIS installer 2 IoCs
resource                                      yara_rule
behavioral2/files/0x000600000001ab58-115.dat  nsis_installer_2
behavioral2/files/0x000600000001ab58-116.dat  nsis_installer_2

Modifies Internet Explorer settings
description      ioc                                                                                                                                        Process
Key created      \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Styles                                      reg.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Styles\MaxScriptStatements = "4294967295"  reg.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Styles                                                                   reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Styles\MaxScriptStatements = "4294967295"                               reg.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid   Process
4084  seceditr.exe
4084  seceditr.exe
3056  WerFault.exe
3056  WerFault.exe
3056  WerFault.exe
3056  WerFault.exe
3056  WerFault.exe
3056  WerFault.exe
3056  WerFault.exe
3056  WerFault.exe
3056  WerFault.exe
3056  WerFault.exe
3056  WerFault.exe
3056  WerFault.exe
3056  WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description               pid   Process
Token: SeRestorePrivilege  3056  WerFault.exe
Token: SeBackupPrivilege   3056  WerFault.exe
Token: SeDebugPrivilege    3056  WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs
description                         pid   Process                                                                   procid_target
PID 2732 wrote to memory of 1440    2732  fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe  70
PID 2732 wrote to memory of 1440    2732  fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe  70
PID 2732 wrote to memory of 1440    2732  fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe  70
PID 2732 wrote to memory of 696     2732  fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe  71
PID 2732 wrote to memory of 696     2732  fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe  71
PID 2732 wrote to memory of 696     2732  fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe  71
PID 4084 wrote to memory of 3608    4084  seceditr.exe                                                              73
PID 4084 wrote to memory of 3608    4084  seceditr.exe                                                              73
PID 4084 wrote to memory of 3608    4084  seceditr.exe                                                              73
PID 3608 wrote to memory of 1984    3608  winslui32.exe                                                             74
PID 3608 wrote to memory of 1984    3608  winslui32.exe                                                             74
PID 3608 wrote to memory of 1984    3608  winslui32.exe                                                             74
PID 1440 wrote to memory of 368     1440  DriverPack-17-Online.exe                                                  76
PID 1440 wrote to memory of 368     1440  DriverPack-17-Online.exe                                                  76
PID 1440 wrote to memory of 368     1440  DriverPack-17-Online.exe                                                  76
PID 1440 wrote to memory of 3596    1440  DriverPack-17-Online.exe                                                  78
PID 1440 wrote to memory of 3596    1440  DriverPack-17-Online.exe                                                  78
PID 1440 wrote to memory of 3596    1440  DriverPack-17-Online.exe                                                  78
Processes
C:\Users\Admin\AppData\Local\Temp\fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2732
  C:\Users\Admin\AppData\Local\Temp\DriverPack-17-Online.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DriverPack-17-Online.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1440
    C:\Windows\SysWOW64\reg.exe
      command line: C:\Windows\system32\reg.exe import "C:\Users\Admin\AppData\Local\Temp\DriverPack-2022012430020\Tools\patch.reg"
      - Modifies Internet Explorer settings
      PID:368
    C:\Windows\SysWOW64\mshta.exe
      command line: C:\Windows\system32\mshta.exe "C:\Users\Admin\AppData\Local\Temp\DriverPack-2022012430020\run.hta" --sfx "DriverPack-17-Online.exe"
      - Blocklisted process makes network request
      PID:3596
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 2396
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:3056
  C:\Windows\SysWOW64\seceditr.exe
    command line: C:\Windows\system32\\seceditr.exe help
    - Executes dropped EXE
    PID:696
C:\Windows\SysWOW64\seceditr.exe
  command line: C:\Windows\SysWOW64\seceditr.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4084
  C:\Windows\SysWOW64\winslui32.exe
    command line: "C:\Windows\system32\\winslui32.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3608
    C:\Users\Admin\AppData\Local\Temp\ACB-D11C-335AAF\spools32.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ACB-D11C-335AAF\spools32.exe"
      - Executes dropped EXE
      PID:1984