strongpity | f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4

General

Target

f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe
Size

8.0MB
MD5

286175827543c48d2db0042944dbecc4
SHA1

46720f8f3bd61d1e9a6deb4b9968f8976567fd70
SHA256

f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4
SHA512

98c078e3f398cf0580b807d0b92d23362bb810271fbdaea5861b79932e75a73cccea4e65389743a81c6aad9f95dada7f8a34b3f25a8c54cbf1aacc35254e8b3e

Score

10^/10

strongpity xmrig miner spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012284-64.dat	family_strongpity
behavioral1/files/0x0007000000012284-65.dat	family_strongpity
behavioral1/files/0x0007000000012284-66.dat	family_strongpity
behavioral1/files/0x0007000000012284-67.dat	family_strongpity

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
1512	5kplayer.exe
2044	rmaserv.exe
1648	rmaserv.exe
616	winprint32.exe
760	mssqldbserv.xml
400	5kp.exe
532	5kplayer_0.exe

Loads dropped DLL 14 IoCs

pid	Process
1656	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe
1656	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe
1656	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe
1512	5kplayer.exe
1648	rmaserv.exe
1648	rmaserv.exe
616	winprint32.exe
1512	5kplayer.exe
1512	5kplayer.exe
400	5kp.exe
532	5kplayer_0.exe
532	5kplayer_0.exe
532	5kplayer_0.exe
532	5kplayer_0.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winprint32.exe	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe
File created	C:\Windows\SysWOW64\rmaserv.exe	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
400	5kp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	rmaserv.exe
400	5kp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
400	5kp.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
400	5kp.exe
400	5kp.exe
400	5kp.exe
400	5kp.exe
400	5kp.exe
400	5kp.exe
400	5kp.exe
400	5kp.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1512	1656	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe	28
PID 1656 wrote to memory of 1512	1656	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe	28
PID 1656 wrote to memory of 1512	1656	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe	28
PID 1656 wrote to memory of 1512	1656	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe	28
PID 1656 wrote to memory of 2044	1656	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe	29
PID 1656 wrote to memory of 2044	1656	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe	29
PID 1656 wrote to memory of 2044	1656	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe	29
PID 1656 wrote to memory of 2044	1656	f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe	29
PID 1648 wrote to memory of 616	1648	rmaserv.exe	31
PID 1648 wrote to memory of 616	1648	rmaserv.exe	31
PID 1648 wrote to memory of 616	1648	rmaserv.exe	31
PID 1648 wrote to memory of 616	1648	rmaserv.exe	31
PID 616 wrote to memory of 760	616	winprint32.exe	32
PID 616 wrote to memory of 760	616	winprint32.exe	32
PID 616 wrote to memory of 760	616	winprint32.exe	32
PID 616 wrote to memory of 760	616	winprint32.exe	32
PID 1512 wrote to memory of 400	1512	5kplayer.exe	34
PID 1512 wrote to memory of 400	1512	5kplayer.exe	34
PID 1512 wrote to memory of 400	1512	5kplayer.exe	34
PID 1512 wrote to memory of 400	1512	5kplayer.exe	34
PID 400 wrote to memory of 532	400	5kp.exe	35
PID 400 wrote to memory of 532	400	5kp.exe	35
PID 400 wrote to memory of 532	400	5kp.exe	35
PID 400 wrote to memory of 532	400	5kp.exe	35

C:\Users\Admin\AppData\Local\Temp\f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe
"C:\Users\Admin\AppData\Local\Temp\f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\5kplayer.exe
  "C:\Users\Admin\AppData\Local\Temp\5kplayer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\5kplayer\5kp.exe
    C:\Users\Admin\AppData\Local\Temp\5kplayer\5kp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Users\Admin\AppData\Local\Temp\5kplayer_0.exe
      C:\Users\Admin\AppData\Local\Temp\5kplayer_0.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:532
- C:\Windows\SysWOW64\rmaserv.exe
  C:\Windows\system32\\rmaserv.exe help
  2⤵
  - Executes dropped EXE
  PID:2044

C:\Windows\SysWOW64\rmaserv.exe
C:\Windows\SysWOW64\rmaserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\winprint32.exe
  "C:\Windows\system32\\winprint32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Users\Admin\AppData\Local\Temp\4CA-B25C11-A27BC\mssqldbserv.xml
    "C:\Users\Admin\AppData\Local\Temp\4CA-B25C11-A27BC\mssqldbserv.xml"
    3⤵
    - Executes dropped EXE
    PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-58-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing