Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 03:25
Static task
static1
Behavioral task
behavioral1
Sample
c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe
Resource
win10-en-20211208
General
-
Target
c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe
-
Size
9.0MB
-
MD5
7d22d5b7cac4c8789f3fe7102e459edd
-
SHA1
37ec3fab893bb88b673380c7f0356065fc607f57
-
SHA256
c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5
-
SHA512
5f9bd84f4e31b32a6339d0e4b17f7d3ddede8be11aab5e54a52199757d6f4c32b57ab8057290f33ed3c8e29abee6007d4cd74226a11090bc5475328b8888f954
Malware Config
Signatures
-
StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
-
StrongPity Spyware 2 IoCs
resource yara_rule behavioral2/files/0x000500000001ab29-116.dat family_strongpity behavioral2/files/0x000500000001ab29-117.dat family_strongpity -
Executes dropped EXE 4 IoCs
pid Process 1328 idman636build7.exe 1956 sivsnui.exe 2144 srvolpsm.exe 3204 IDM1.tmp -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\OperaSyncService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Opera\\sivsnui.exe" c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2944 wrote to memory of 1328 2944 c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe 68 PID 2944 wrote to memory of 1328 2944 c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe 68 PID 2944 wrote to memory of 1328 2944 c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe 68 PID 2944 wrote to memory of 1956 2944 c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe 69 PID 2944 wrote to memory of 1956 2944 c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe 69 PID 2944 wrote to memory of 1956 2944 c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe 69 PID 1956 wrote to memory of 2144 1956 sivsnui.exe 70 PID 1956 wrote to memory of 2144 1956 sivsnui.exe 70 PID 1956 wrote to memory of 2144 1956 sivsnui.exe 70 PID 1328 wrote to memory of 3204 1328 idman636build7.exe 72 PID 1328 wrote to memory of 3204 1328 idman636build7.exe 72 PID 1328 wrote to memory of 3204 1328 idman636build7.exe 72
Processes
-
C:\Users\Admin\AppData\Local\Temp\c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe"C:\Users\Admin\AppData\Local\Temp\c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\idman636build7.exe"C:\Users\Admin\AppData\Local\Temp\idman636build7.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp"C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"3⤵
- Executes dropped EXE
PID:3204
-
-
-
C:\Users\Admin\AppData\Local\Temp\Opera\sivsnui.exe"C:\Users\Admin\AppData\Local\Temp\Opera\sivsnui.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\Opera\srvolpsm.exe"C:\Users\Admin\AppData\Local\Temp\Opera\srvolpsm.exe"3⤵
- Executes dropped EXE
PID:2144
-
-