strongpity | bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf

General

Target

bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe
Size

742KB
MD5

07c3207a2297df30908f0b9b1c7f7d80
SHA1

719a542a0397cf1b5f42a9cb690069c21484c663
SHA256

bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf
SHA512

e789c73d95e9f28d0dc48b05017c227934b4f9067e5c913c73a5f4e18db2ce7198208a9177b99be0061f90074c4916023a4fde24293a5d5ff68a6b8853644669

Score

10^/10

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 4 IoCs

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 5 IoCs

Loads dropped DLL 5 IoCs

pid	Process
1584	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe
1584	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe
1868	svchosts32.exe
1868	svchosts32.exe
744	spoolcl.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchosts32.exe	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe
File created	C:\Windows\SysWOW64\spoolcl.exe	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1868	svchosts32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	svchosts32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1160	1584	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	28
PID 1584 wrote to memory of 1160	1584	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	28
PID 1584 wrote to memory of 1160	1584	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	28
PID 1584 wrote to memory of 1160	1584	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	28
PID 1584 wrote to memory of 436	1584	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	29
PID 1584 wrote to memory of 436	1584	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	29
PID 1584 wrote to memory of 436	1584	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	29
PID 1584 wrote to memory of 436	1584	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	29
PID 1868 wrote to memory of 744	1868	svchosts32.exe	31
PID 1868 wrote to memory of 744	1868	svchosts32.exe	31
PID 1868 wrote to memory of 744	1868	svchosts32.exe	31
PID 1868 wrote to memory of 744	1868	svchosts32.exe	31
PID 744 wrote to memory of 328	744	spoolcl.exe	32
PID 744 wrote to memory of 328	744	spoolcl.exe	32
PID 744 wrote to memory of 328	744	spoolcl.exe	32
PID 744 wrote to memory of 328	744	spoolcl.exe	32

C:\Users\Admin\AppData\Local\Temp\bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe
"C:\Users\Admin\AppData\Local\Temp\bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\AdsShow_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\AdsShow_installer.exe"
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\SysWOW64\svchosts32.exe
  C:\Windows\system32\\svchosts32.exe help
  2⤵
  - Executes dropped EXE
  PID:436

memory/1160-58-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download