strongpity | ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372

General

Target

ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe
Size

8.3MB
MD5

7b558126b8e488be2b33aeed7a330730
SHA1

1d3819d1c8cba8a6ff5e83124291573145b46e4c
SHA256

ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372
SHA512

0274f537ec45054200285271e09b3ba9a4cfa5eaa2e610388d5cb9154ea7bb481b6daa5245b5eddc40b21ed4b4278b5e3d8170a53438a87c7bf1df43bfcc0962

Score

10^/10

strongpity xmrig miner spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 4 IoCs

resource	yara_rule
behavioral1/files/0x0006000000012662-66.dat	family_strongpity
behavioral1/files/0x0006000000012662-67.dat	family_strongpity
behavioral1/files/0x0006000000012662-69.dat	family_strongpity
behavioral1/files/0x0006000000012662-68.dat	family_strongpity

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 6 IoCs

pid	Process
800	idman633build2.exe
520	wvsvcs32.exe
1120	wvsvcs32.exe
1764	IDM1.tmp
2036	printque.exe
928	sqlhostserv.xml

Loads dropped DLL 6 IoCs

pid	Process
1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe
1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe
800	idman633build2.exe
1120	wvsvcs32.exe
1120	wvsvcs32.exe
2036	printque.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wvsvcs32.exe	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe
File created	C:\Windows\SysWOW64\printque.exe	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1120	wvsvcs32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1764	IDM1.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	wvsvcs32.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 800	1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	28
PID 1772 wrote to memory of 800	1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	28
PID 1772 wrote to memory of 800	1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	28
PID 1772 wrote to memory of 800	1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	28
PID 1772 wrote to memory of 800	1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	28
PID 1772 wrote to memory of 800	1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	28
PID 1772 wrote to memory of 800	1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	28
PID 1772 wrote to memory of 520	1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	29
PID 1772 wrote to memory of 520	1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	29
PID 1772 wrote to memory of 520	1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	29
PID 1772 wrote to memory of 520	1772	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	29
PID 800 wrote to memory of 1764	800	idman633build2.exe	31
PID 800 wrote to memory of 1764	800	idman633build2.exe	31
PID 800 wrote to memory of 1764	800	idman633build2.exe	31
PID 800 wrote to memory of 1764	800	idman633build2.exe	31
PID 800 wrote to memory of 1764	800	idman633build2.exe	31
PID 800 wrote to memory of 1764	800	idman633build2.exe	31
PID 800 wrote to memory of 1764	800	idman633build2.exe	31
PID 1120 wrote to memory of 2036	1120	wvsvcs32.exe	32
PID 1120 wrote to memory of 2036	1120	wvsvcs32.exe	32
PID 1120 wrote to memory of 2036	1120	wvsvcs32.exe	32
PID 1120 wrote to memory of 2036	1120	wvsvcs32.exe	32
PID 2036 wrote to memory of 928	2036	printque.exe	33
PID 2036 wrote to memory of 928	2036	printque.exe	33
PID 2036 wrote to memory of 928	2036	printque.exe	33
PID 2036 wrote to memory of 928	2036	printque.exe	33

C:\Users\Admin\AppData\Local\Temp\ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe
"C:\Users\Admin\AppData\Local\Temp\ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\idman633build2.exe
  "C:\Users\Admin\AppData\Local\Temp\idman633build2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
    "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1764
- C:\Windows\SysWOW64\wvsvcs32.exe
  C:\Windows\system32\\wvsvcs32.exe help
  2⤵
  - Executes dropped EXE
  PID:520

C:\Windows\SysWOW64\wvsvcs32.exe
C:\Windows\SysWOW64\wvsvcs32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\printque.exe
  "C:\Windows\system32\\printque.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\5AD-CA113D-416AA\sqlhostserv.xml
    "C:\Users\Admin\AppData\Local\Temp\5AD-CA113D-416AA\sqlhostserv.xml"
    3⤵
    - Executes dropped EXE
    PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/800-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/800-57-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1764-122-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing