Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 02:42

General

  • Target

    fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe

  • Size

    7.2MB

  • MD5

    7560bc4862c99de7d33cd3ae6c93ba8a

  • SHA1

    ec1b474aaf772c85c0714e70f8096825a3b63b12

  • SHA256

    fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a

  • SHA512

    c209e4bde2e6e36e5480edf11ca67a887724fa5b46836ce4fffc1c814f67132ce88f59b46bb3a1861db28943b8df80e8f0606f52ba0918a68f9f2256fbeb7591

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

  • StrongPity Spyware 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • NSIS installer 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe
    "C:\Users\Admin\AppData\Local\Temp\fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Users\Admin\AppData\Local\Temp\DriverPack-17-Online.exe
      "C:\Users\Admin\AppData\Local\Temp\DriverPack-17-Online.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\system32\reg.exe import "C:\Users\Admin\AppData\Local\Temp\DriverPack-2022012430020\Tools\patch.reg"
        3⤵
        • Modifies Internet Explorer settings
        PID:368
      • C:\Windows\SysWOW64\mshta.exe
        C:\Windows\system32\mshta.exe "C:\Users\Admin\AppData\Local\Temp\DriverPack-2022012430020\run.hta" --sfx "DriverPack-17-Online.exe"
        3⤵
        • Blocklisted process makes network request
        PID:3596
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 2396
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3056
    • C:\Windows\SysWOW64\seceditr.exe
      C:\Windows\system32\\seceditr.exe help
      2⤵
      • Executes dropped EXE
      PID:696
  • C:\Windows\SysWOW64\seceditr.exe
    C:\Windows\SysWOW64\seceditr.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4084
    • C:\Windows\SysWOW64\winslui32.exe
      "C:\Windows\system32\\winslui32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Users\Admin\AppData\Local\Temp\ACB-D11C-335AAF\spools32.exe
        "C:\Users\Admin\AppData\Local\Temp\ACB-D11C-335AAF\spools32.exe"
        3⤵
        • Executes dropped EXE
        PID:1984

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads