Overview

overview

10

Static

static

835a545fe9...16.exe

windows7_x64

10

835a545fe9...16.exe

windows10_x64

10

Analysis

  • max time kernel
    159s
  • max time network
    166s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24/01/2022, 04:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe

  • Size

    28.4MB

  • MD5

    1070495a068632647e756a9209a42ac2

  • SHA1

    1044ef843ed83450ffa3238694db5c6e1d785f39

  • SHA256

    835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416

  • SHA512

    8c73e8999f06d4f3a38748ecce10bd43e03e41637355a60a3a9324cb033b9dcbe7415cf153f20192f296099dd408462a2fa01ccbd453eebaae2f634bb42cddf9

Score
10/10
strongpityxmrigminerspywarestealer

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

    stealerspywarestrongpity
  • StrongPity Spyware 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe
    "C:\Users\Admin\AppData\Local\Temp\835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Users\Admin\AppData\Local\Temp\WinSetupFromUSB-1-9.exe
      "C:\Users\Admin\AppData\Local\Temp\WinSetupFromUSB-1-9.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      PID:2160
    • C:\Windows\SysWOW64\dusntask.exe
      C:\Windows\system32\\dusntask.exe help
      2⤵
      • Executes dropped EXE
      PID:3976
  • C:\Windows\SysWOW64\dusntask.exe
    C:\Windows\SysWOW64\dusntask.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4204
    • C:\Windows\SysWOW64\ngentask.exe
      "C:\Windows\system32\\ngentask.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Users\Admin\AppData\Local\Temp\6ADC-AEE3C-1A5B\spoolsrv32.exe
        "C:\Users\Admin\AppData\Local\Temp\6ADC-AEE3C-1A5B\spoolsrv32.exe"
        3⤵
        • Executes dropped EXE
        PID:1736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads