strongpity | 0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3

General

Target

0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe
Size

8.3MB
MD5

0d7c16ad2aaf62172aead5455f93e38c
SHA1

9836b713ec9f984815c2a8dfe2d0213234a27700
SHA256

0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3
SHA512

5540bd21915e7d5b4eb1bacfbd91c4e30eb1ea83f1e811943779e166c88f74917c01c605224fae949c3c9358cd038a0de810bd4f6eccc0c44b0536731fb2e390

Score

10^/10

strongpity xmrig miner spyware stealer

Malware Config

Signatures

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 4 IoCs

resource	yara_rule
behavioral1/files/0x000600000001389a-67.dat	family_strongpity
behavioral1/files/0x000600000001389a-65.dat	family_strongpity
behavioral1/files/0x000600000001389a-69.dat	family_strongpity
behavioral1/files/0x000600000001389a-68.dat	family_strongpity

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 6 IoCs

pid	Process
2004	idman633build2.exe
524	wvsvcs32.exe
1632	wvsvcs32.exe
596	IDM1.tmp
1992	printque.exe
436	sqlhostserv.xml

Loads dropped DLL 6 IoCs

pid	Process
1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe
1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe
2004	idman633build2.exe
1632	wvsvcs32.exe
1632	wvsvcs32.exe
1992	printque.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wvsvcs32.exe	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe
File created	C:\Windows\SysWOW64\printque.exe	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1632	wvsvcs32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
596	IDM1.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	wvsvcs32.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2004	1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	28
PID 1928 wrote to memory of 2004	1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	28
PID 1928 wrote to memory of 2004	1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	28
PID 1928 wrote to memory of 2004	1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	28
PID 1928 wrote to memory of 2004	1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	28
PID 1928 wrote to memory of 2004	1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	28
PID 1928 wrote to memory of 2004	1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	28
PID 1928 wrote to memory of 524	1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	29
PID 1928 wrote to memory of 524	1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	29
PID 1928 wrote to memory of 524	1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	29
PID 1928 wrote to memory of 524	1928	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	29
PID 2004 wrote to memory of 596	2004	idman633build2.exe	31
PID 2004 wrote to memory of 596	2004	idman633build2.exe	31
PID 2004 wrote to memory of 596	2004	idman633build2.exe	31
PID 2004 wrote to memory of 596	2004	idman633build2.exe	31
PID 2004 wrote to memory of 596	2004	idman633build2.exe	31
PID 2004 wrote to memory of 596	2004	idman633build2.exe	31
PID 2004 wrote to memory of 596	2004	idman633build2.exe	31
PID 1632 wrote to memory of 1992	1632	wvsvcs32.exe	32
PID 1632 wrote to memory of 1992	1632	wvsvcs32.exe	32
PID 1632 wrote to memory of 1992	1632	wvsvcs32.exe	32
PID 1632 wrote to memory of 1992	1632	wvsvcs32.exe	32
PID 1992 wrote to memory of 436	1992	printque.exe	33
PID 1992 wrote to memory of 436	1992	printque.exe	33
PID 1992 wrote to memory of 436	1992	printque.exe	33
PID 1992 wrote to memory of 436	1992	printque.exe	33

C:\Users\Admin\AppData\Local\Temp\0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe
"C:\Users\Admin\AppData\Local\Temp\0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\idman633build2.exe
  "C:\Users\Admin\AppData\Local\Temp\idman633build2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
    "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:596
- C:\Windows\SysWOW64\wvsvcs32.exe
  C:\Windows\system32\\wvsvcs32.exe help
  2⤵
  - Executes dropped EXE
  PID:524

C:\Windows\SysWOW64\wvsvcs32.exe
C:\Windows\SysWOW64\wvsvcs32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\printque.exe
  "C:\Windows\system32\\printque.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\5AD-CA113D-416AA\sqlhostserv.xml
    "C:\Users\Admin\AppData\Local\Temp\5AD-CA113D-416AA\sqlhostserv.xml"
    3⤵
    - Executes dropped EXE
    PID:436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/596-115-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2004-57-0x0000000076511000-0x0000000076513000-memory.dmp

Filesize
8KB

Download
memory/2004-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing