strongpity | 0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3

General

Target

0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe
Size

8.3MB
MD5

0d7c16ad2aaf62172aead5455f93e38c
SHA1

9836b713ec9f984815c2a8dfe2d0213234a27700
SHA256

0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3
SHA512

5540bd21915e7d5b4eb1bacfbd91c4e30eb1ea83f1e811943779e166c88f74917c01c605224fae949c3c9358cd038a0de810bd4f6eccc0c44b0536731fb2e390

Score

10^/10

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000001ab2d-120.dat	family_strongpity
behavioral2/files/0x000500000001ab2d-121.dat	family_strongpity

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 6 IoCs

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\printque.exe	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe
File created	C:\Windows\SysWOW64\wvsvcs32.exe	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1332	wvsvcs32.exe
1332	wvsvcs32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	wvsvcs32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 3692	2552	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	69
PID 2552 wrote to memory of 3692	2552	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	69
PID 2552 wrote to memory of 3692	2552	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	69
PID 2552 wrote to memory of 3888	2552	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	70
PID 2552 wrote to memory of 3888	2552	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	70
PID 2552 wrote to memory of 3888	2552	0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe	70
PID 1332 wrote to memory of 8	1332	wvsvcs32.exe	72
PID 1332 wrote to memory of 8	1332	wvsvcs32.exe	72
PID 1332 wrote to memory of 8	1332	wvsvcs32.exe	72
PID 8 wrote to memory of 2140	8	printque.exe	73
PID 8 wrote to memory of 2140	8	printque.exe	73
PID 8 wrote to memory of 2140	8	printque.exe	73
PID 3692 wrote to memory of 3520	3692	idman633build2.exe	75
PID 3692 wrote to memory of 3520	3692	idman633build2.exe	75
PID 3692 wrote to memory of 3520	3692	idman633build2.exe	75

C:\Users\Admin\AppData\Local\Temp\0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe
"C:\Users\Admin\AppData\Local\Temp\0de13f1d74dda01de51794c0b559eb528c972e6dcb18fe873207275940cc16b3.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\idman633build2.exe
  "C:\Users\Admin\AppData\Local\Temp\idman633build2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
    "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
    3⤵
    - Executes dropped EXE
    PID:3520
- C:\Windows\SysWOW64\wvsvcs32.exe
  C:\Windows\system32\\wvsvcs32.exe help
  2⤵
  - Executes dropped EXE
  PID:3888

memory/3520-199-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3692-126-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download