Overview

overview

10

Static

static

65041a83c8...ab.exe

windows7_x64

10

65041a83c8...ab.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 04:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65041a83c88ba90e489de8ac275688815c51b93ae568c627b74fc160d2db6bab.exe

  • Size

    9.2MB

  • MD5

    2b9ef4ae5ebd8429d6d84c894ecc8fab

  • SHA1

    eca4cebc30fcc93ee073185a7a6b2862c116fbd2

  • SHA256

    65041a83c88ba90e489de8ac275688815c51b93ae568c627b74fc160d2db6bab

  • SHA512

    43f378cb70537a0cc30458a7044fb9cfa0debbfe43cdaeee96f4fc3d829370119fa0703460fff49c952fe0d7edc61033e57e0b2b5fdefeb13b4b643ff80355f0

Score
10/10
strongpityevasionpersistencespywarestealersuricata

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

    stealerspywarestrongpity
  • StrongPity Spyware 3 IoCs
  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 4 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 52 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65041a83c88ba90e489de8ac275688815c51b93ae568c627b74fc160d2db6bab.exe
    "C:\Users\Admin\AppData\Local\Temp\65041a83c88ba90e489de8ac275688815c51b93ae568c627b74fc160d2db6bab.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\AppData\Local\Temp\intervpnmix2.exe
      "C:\Users\Admin\AppData\Local\Temp\intervpnmix2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\Intervpn\vpnpro.exe
        "C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\Intervpn\vpnpro.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        PID:2416
    • C:\Users\Admin\AppData\Local\Temp\Opera\sivsnui.exe
      "C:\Users\Admin\AppData\Local\Temp\Opera\sivsnui.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Users\Admin\AppData\Local\Temp\Opera\srvolpsm.exe
        "C:\Users\Admin\AppData\Local\Temp\Opera\srvolpsm.exe"
        3⤵
        • Executes dropped EXE
        PID:2280

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2236-57-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2416-120-0x0000000009490000-0x0000000009491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-121-0x0000000008F60000-0x0000000008F61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-122-0x00000000094D0000-0x00000000094D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-123-0x00000000094E0000-0x00000000094E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-124-0x0000000009000000-0x0000000009001000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-125-0x0000000009480000-0x0000000009481000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-126-0x00000000094B0000-0x00000000094B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-128-0x0000000008F70000-0x0000000008F71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-127-0x0000000008FF0000-0x0000000008FF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-129-0x0000000009010000-0x0000000009011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-130-0x0000000009600000-0x0000000009601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-132-0x00000000094C0000-0x00000000094C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-131-0x0000000000400000-0x0000000000912000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2416-133-0x0000000008FB0000-0x0000000008FB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-134-0x0000000009610000-0x0000000009611000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-135-0x00000000096B0000-0x00000000096B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-137-0x0000000009580000-0x0000000009581000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-136-0x00000000095D0000-0x00000000095D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-138-0x00000000095B0000-0x00000000095B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-139-0x00000000096D0000-0x00000000096D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-140-0x00000000096C0000-0x00000000096C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-141-0x0000000009680000-0x0000000009681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-142-0x0000000009640000-0x0000000009641000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-143-0x00000000096F0000-0x00000000096F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-145-0x0000000009660000-0x0000000009661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-144-0x0000000009670000-0x0000000009671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-146-0x0000000009630000-0x0000000009631000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-147-0x0000000009710000-0x0000000009711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-148-0x0000000009700000-0x0000000009701000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-149-0x0000000008F90000-0x0000000008F91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-150-0x0000000008FA0000-0x0000000008FA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-151-0x0000000008FC0000-0x0000000008FC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-153-0x00000000094A0000-0x00000000094A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-152-0x00000000095E0000-0x00000000095E1000-memory.dmp

    Filesize

    4KB

    Download