strongpity | 17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4

General

Target

17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe
Size

8.6MB
MD5

2cd63d9157af4579004ff2c34a36bdc3
SHA1

7b8e9a522400c9672ee2244a6993407f945584d6
SHA256

17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4
SHA512

ef6c6f2cddb449519488aa775336f5ec4384cd3b95df371450d11435cad383d570bdba6e9ae60d637c68cb810343a8b1af325bbb67012092a08478d03d76eb26

Score

10^/10

strongpity xmrig miner spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 4 IoCs

resource	yara_rule
behavioral1/files/0x00060000000125b9-61.dat	family_strongpity
behavioral1/files/0x00060000000125b9-62.dat	family_strongpity
behavioral1/files/0x00060000000125b9-63.dat	family_strongpity
behavioral1/files/0x00060000000125b9-64.dat	family_strongpity

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 6 IoCs

pid	Process
1812	idman635build12.exe
1556	winpickr.exe
1060	winpickr.exe
552	consent32.exe
776	IDM1.tmp
948	ntuis32.exe

Loads dropped DLL 6 IoCs

pid	Process
756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe
756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe
1060	winpickr.exe
1060	winpickr.exe
1812	idman635build12.exe
552	consent32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winpickr.exe	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe
File created	C:\Windows\SysWOW64\consent32.exe	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1060	winpickr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
776	IDM1.tmp

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 1812	756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	28
PID 756 wrote to memory of 1812	756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	28
PID 756 wrote to memory of 1812	756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	28
PID 756 wrote to memory of 1812	756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	28
PID 756 wrote to memory of 1812	756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	28
PID 756 wrote to memory of 1812	756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	28
PID 756 wrote to memory of 1812	756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	28
PID 756 wrote to memory of 1556	756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	29
PID 756 wrote to memory of 1556	756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	29
PID 756 wrote to memory of 1556	756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	29
PID 756 wrote to memory of 1556	756	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	29
PID 1060 wrote to memory of 552	1060	winpickr.exe	31
PID 1060 wrote to memory of 552	1060	winpickr.exe	31
PID 1060 wrote to memory of 552	1060	winpickr.exe	31
PID 1060 wrote to memory of 552	1060	winpickr.exe	31
PID 1812 wrote to memory of 776	1812	idman635build12.exe	32
PID 1812 wrote to memory of 776	1812	idman635build12.exe	32
PID 1812 wrote to memory of 776	1812	idman635build12.exe	32
PID 1812 wrote to memory of 776	1812	idman635build12.exe	32
PID 1812 wrote to memory of 776	1812	idman635build12.exe	32
PID 1812 wrote to memory of 776	1812	idman635build12.exe	32
PID 1812 wrote to memory of 776	1812	idman635build12.exe	32
PID 552 wrote to memory of 948	552	consent32.exe	33
PID 552 wrote to memory of 948	552	consent32.exe	33
PID 552 wrote to memory of 948	552	consent32.exe	33
PID 552 wrote to memory of 948	552	consent32.exe	33

C:\Users\Admin\AppData\Local\Temp\17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe
"C:\Users\Admin\AppData\Local\Temp\17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\idman635build12.exe
  "C:\Users\Admin\AppData\Local\Temp\idman635build12.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
    "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:776
- C:\Windows\SysWOW64\winpickr.exe
  C:\Windows\system32\\winpickr.exe help
  2⤵
  - Executes dropped EXE
  PID:1556

C:\Windows\SysWOW64\winpickr.exe
C:\Windows\SysWOW64\winpickr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\consent32.exe
  "C:\Windows\system32\\consent32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\CDD2-432-11422F\ntuis32.exe
    "C:\Users\Admin\AppData\Local\Temp\CDD2-432-11422F\ntuis32.exe"
    3⤵
    - Executes dropped EXE
    PID:948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-121-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1812-57-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1812-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing