strongpity | 17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4

General

Target

17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe
Size

8.6MB
MD5

2cd63d9157af4579004ff2c34a36bdc3
SHA1

7b8e9a522400c9672ee2244a6993407f945584d6
SHA256

17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4
SHA512

ef6c6f2cddb449519488aa775336f5ec4384cd3b95df371450d11435cad383d570bdba6e9ae60d637c68cb810343a8b1af325bbb67012092a08478d03d76eb26

Score

10^/10

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000001ab17-124.dat	family_strongpity
behavioral2/files/0x000500000001ab17-125.dat	family_strongpity

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 6 IoCs

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winpickr.exe	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe
File created	C:\Windows\SysWOW64\consent32.exe	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1948	winpickr.exe
1948	winpickr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 684	2708	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	70
PID 2708 wrote to memory of 684	2708	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	70
PID 2708 wrote to memory of 684	2708	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	70
PID 2708 wrote to memory of 1032	2708	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	71
PID 2708 wrote to memory of 1032	2708	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	71
PID 2708 wrote to memory of 1032	2708	17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe	71
PID 684 wrote to memory of 584	684	idman635build12.exe	73
PID 684 wrote to memory of 584	684	idman635build12.exe	73
PID 684 wrote to memory of 584	684	idman635build12.exe	73
PID 1948 wrote to memory of 3784	1948	winpickr.exe	74
PID 1948 wrote to memory of 3784	1948	winpickr.exe	74
PID 1948 wrote to memory of 3784	1948	winpickr.exe	74
PID 3784 wrote to memory of 772	3784	consent32.exe	75
PID 3784 wrote to memory of 772	3784	consent32.exe	75
PID 3784 wrote to memory of 772	3784	consent32.exe	75

C:\Users\Admin\AppData\Local\Temp\17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe
"C:\Users\Admin\AppData\Local\Temp\17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\idman635build12.exe
  "C:\Users\Admin\AppData\Local\Temp\idman635build12.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
    "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
    3⤵
    - Executes dropped EXE
    PID:584
- C:\Windows\SysWOW64\winpickr.exe
  C:\Windows\system32\\winpickr.exe help
  2⤵
  - Executes dropped EXE
  PID:1032

memory/584-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/684-128-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download