strongpity | ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372

General

Target

ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe
Size

8.3MB
MD5

7b558126b8e488be2b33aeed7a330730
SHA1

1d3819d1c8cba8a6ff5e83124291573145b46e4c
SHA256

ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372
SHA512

0274f537ec45054200285271e09b3ba9a4cfa5eaa2e610388d5cb9154ea7bb481b6daa5245b5eddc40b21ed4b4278b5e3d8170a53438a87c7bf1df43bfcc0962

Score

10^/10

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000001ab3b-122.dat	family_strongpity
behavioral2/files/0x000500000001ab3b-123.dat	family_strongpity

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 6 IoCs

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wvsvcs32.exe	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe
File created	C:\Windows\SysWOW64\printque.exe	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1300	wvsvcs32.exe
1300	wvsvcs32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	wvsvcs32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 3864	2648	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	69
PID 2648 wrote to memory of 3864	2648	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	69
PID 2648 wrote to memory of 3864	2648	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	69
PID 2648 wrote to memory of 3844	2648	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	70
PID 2648 wrote to memory of 3844	2648	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	70
PID 2648 wrote to memory of 3844	2648	ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe	70
PID 3864 wrote to memory of 844	3864	idman633build2.exe	72
PID 3864 wrote to memory of 844	3864	idman633build2.exe	72
PID 3864 wrote to memory of 844	3864	idman633build2.exe	72
PID 1300 wrote to memory of 2916	1300	wvsvcs32.exe	73
PID 1300 wrote to memory of 2916	1300	wvsvcs32.exe	73
PID 1300 wrote to memory of 2916	1300	wvsvcs32.exe	73
PID 2916 wrote to memory of 3096	2916	printque.exe	74
PID 2916 wrote to memory of 3096	2916	printque.exe	74
PID 2916 wrote to memory of 3096	2916	printque.exe	74

C:\Users\Admin\AppData\Local\Temp\ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe
"C:\Users\Admin\AppData\Local\Temp\ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\idman633build2.exe
  "C:\Users\Admin\AppData\Local\Temp\idman633build2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
    "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
    3⤵
    - Executes dropped EXE
    PID:844
- C:\Windows\SysWOW64\wvsvcs32.exe
  C:\Windows\system32\\wvsvcs32.exe help
  2⤵
  - Executes dropped EXE
  PID:3844

memory/844-180-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3864-121-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download