strongpity | 835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416

General

Target

835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe
Size

28.4MB
MD5

1070495a068632647e756a9209a42ac2
SHA1

1044ef843ed83450ffa3238694db5c6e1d785f39
SHA256

835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416
SHA512

8c73e8999f06d4f3a38748ecce10bd43e03e41637355a60a3a9324cb033b9dcbe7415cf153f20192f296099dd408462a2fa01ccbd453eebaae2f634bb42cddf9

Score

10^/10

strongpity xmrig miner spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012247-66.dat	family_strongpity
behavioral1/files/0x0007000000012247-65.dat	family_strongpity
behavioral1/files/0x0007000000012247-67.dat	family_strongpity
behavioral1/files/0x0007000000012247-68.dat	family_strongpity

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 5 IoCs

pid	Process
2036	WinSetupFromUSB-1-9.exe
268	dusntask.exe
1728	dusntask.exe
888	ngentask.exe
684	spoolsrv32.exe

Loads dropped DLL 8 IoCs

pid	Process
1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe
1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe
2036	WinSetupFromUSB-1-9.exe
2036	WinSetupFromUSB-1-9.exe
2036	WinSetupFromUSB-1-9.exe
1728	dusntask.exe
1728	dusntask.exe
888	ngentask.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dusntask.exe	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe
File created	C:\Windows\SysWOW64\ngentask.exe	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1728	dusntask.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2036	WinSetupFromUSB-1-9.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2036	1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe	28
PID 1308 wrote to memory of 2036	1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe	28
PID 1308 wrote to memory of 2036	1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe	28
PID 1308 wrote to memory of 2036	1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe	28
PID 1308 wrote to memory of 2036	1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe	28
PID 1308 wrote to memory of 2036	1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe	28
PID 1308 wrote to memory of 2036	1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe	28
PID 1308 wrote to memory of 268	1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe	29
PID 1308 wrote to memory of 268	1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe	29
PID 1308 wrote to memory of 268	1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe	29
PID 1308 wrote to memory of 268	1308	835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe	29
PID 1728 wrote to memory of 888	1728	dusntask.exe	31
PID 1728 wrote to memory of 888	1728	dusntask.exe	31
PID 1728 wrote to memory of 888	1728	dusntask.exe	31
PID 1728 wrote to memory of 888	1728	dusntask.exe	31
PID 888 wrote to memory of 684	888	ngentask.exe	32
PID 888 wrote to memory of 684	888	ngentask.exe	32
PID 888 wrote to memory of 684	888	ngentask.exe	32
PID 888 wrote to memory of 684	888	ngentask.exe	32

C:\Users\Admin\AppData\Local\Temp\835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe
"C:\Users\Admin\AppData\Local\Temp\835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\WinSetupFromUSB-1-9.exe
  "C:\Users\Admin\AppData\Local\Temp\WinSetupFromUSB-1-9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:2036
- C:\Windows\SysWOW64\dusntask.exe
  C:\Windows\system32\\dusntask.exe help
  2⤵
  - Executes dropped EXE
  PID:268

C:\Windows\SysWOW64\dusntask.exe
C:\Windows\SysWOW64\dusntask.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\ngentask.exe
  "C:\Windows\system32\\ngentask.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Users\Admin\AppData\Local\Temp\6ADC-AEE3C-1A5B\spoolsrv32.exe
    "C:\Users\Admin\AppData\Local\Temp\6ADC-AEE3C-1A5B\spoolsrv32.exe"
    3⤵
    - Executes dropped EXE
    PID:684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-64-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/2036-57-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing