strongpity | e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899

General

Target

e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899.exe
Size

6.8MB
MD5

6512121c74cff138e74b8de7fc109c44
SHA1

c52198f82d56a48544e66fc68a18749b839dde41
SHA256

e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899
SHA512

3430619eeecb2fbd83ae7724855c8e6112a80adc491cd306dc8f2b1854adbbdafbfc8e3ce30ddae9c7a71f6382ce4aa006ea88e0a8c02be03f1aaf48cca3aa82

Score

10^/10

strongpity xmrig miner spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000001ab18-121.dat	family_strongpity
behavioral2/files/0x000500000001ab18-120.dat	family_strongpity

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2232 created 2576	2232	WerFault.exe	80

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
34	2576	mshta.exe
35	2576	mshta.exe
38	2576	mshta.exe

Executes dropped EXE 5 IoCs

pid	Process
1188	DriverPack-17-Online.exe
1320	wimservr.exe
3320	wimservr.exe
2004	wsutil32.exe
2940	WmiPrvSV32.exe

Loads dropped DLL 1 IoCs

pid	Process
1188	DriverPack-17-Online.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wsutil32.exe	e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899.exe
File created	C:\Windows\SysWOW64\wimservr.exe	e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3240	2576	WerFault.exe	80
2232	2576	WerFault.exe	80

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000001ab12-115.dat	nsis_installer_2
behavioral2/files/0x000700000001ab12-116.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Styles\MaxScriptStatements = "4294967295"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Styles	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Styles\MaxScriptStatements = "4294967295"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Styles	reg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3320	wimservr.exe
3320	wimservr.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3240	WerFault.exe
Token: SeBackupPrivilege	3240	WerFault.exe
Token: SeDebugPrivilege	3240	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1188	1840	e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899.exe	70
PID 1840 wrote to memory of 1188	1840	e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899.exe	70
PID 1840 wrote to memory of 1188	1840	e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899.exe	70
PID 1840 wrote to memory of 1320	1840	e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899.exe	71
PID 1840 wrote to memory of 1320	1840	e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899.exe	71
PID 1840 wrote to memory of 1320	1840	e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899.exe	71
PID 3320 wrote to memory of 2004	3320	wimservr.exe	73
PID 3320 wrote to memory of 2004	3320	wimservr.exe	73
PID 3320 wrote to memory of 2004	3320	wimservr.exe	73
PID 2004 wrote to memory of 2940	2004	wsutil32.exe	74
PID 2004 wrote to memory of 2940	2004	wsutil32.exe	74
PID 2004 wrote to memory of 2940	2004	wsutil32.exe	74
PID 1188 wrote to memory of 396	1188	DriverPack-17-Online.exe	78
PID 1188 wrote to memory of 396	1188	DriverPack-17-Online.exe	78
PID 1188 wrote to memory of 396	1188	DriverPack-17-Online.exe	78
PID 1188 wrote to memory of 2576	1188	DriverPack-17-Online.exe	80
PID 1188 wrote to memory of 2576	1188	DriverPack-17-Online.exe	80
PID 1188 wrote to memory of 2576	1188	DriverPack-17-Online.exe	80

C:\Users\Admin\AppData\Local\Temp\e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899.exe
"C:\Users\Admin\AppData\Local\Temp\e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\DriverPack-17-Online.exe
  "C:\Users\Admin\AppData\Local\Temp\DriverPack-17-Online.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe import "C:\Users\Admin\AppData\Local\Temp\DriverPack-20211211154958\Tools\patch.reg"
    3⤵
    - Modifies Internet Explorer settings
    PID:396
- - C:\Windows\SysWOW64\mshta.exe
    C:\Windows\system32\mshta.exe "C:\Users\Admin\AppData\Local\Temp\DriverPack-20211211154958\run.hta" --sfx "DriverPack-17-Online.exe"
    3⤵
    - Blocklisted process makes network request
    PID:2576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 2452
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 2396
      4⤵
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      PID:2232
- C:\Windows\SysWOW64\wimservr.exe
  C:\Windows\system32\\wimservr.exe help
  2⤵
  - Executes dropped EXE
  PID:1320

C:\Windows\SysWOW64\wimservr.exe
C:\Windows\SysWOW64\wimservr.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\SysWOW64\wsutil32.exe
  "C:\Windows\system32\\wsutil32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\BAA5-22C-AC866D\WmiPrvSV32.exe
    "C:\Users\Admin\AppData\Local\Temp\BAA5-22C-AC866D\WmiPrvSV32.exe"
    3⤵
    - Executes dropped EXE
    PID:2940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads