strongpity | bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf

General

Target

bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe
Size

742KB
MD5

07c3207a2297df30908f0b9b1c7f7d80
SHA1

719a542a0397cf1b5f42a9cb690069c21484c663
SHA256

bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf
SHA512

e789c73d95e9f28d0dc48b05017c227934b4f9067e5c913c73a5f4e18db2ce7198208a9177b99be0061f90074c4916023a4fde24293a5d5ff68a6b8853644669

Score

10^/10

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000001ab08-123.dat	family_strongpity
behavioral2/files/0x000500000001ab08-124.dat	family_strongpity

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 5 IoCs

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\spoolcl.exe	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe
File created	C:\Windows\SysWOW64\svchosts32.exe	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3792	svchosts32.exe
3792	svchosts32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3792	svchosts32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2736	2224	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	69
PID 2224 wrote to memory of 2736	2224	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	69
PID 2224 wrote to memory of 2776	2224	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	70
PID 2224 wrote to memory of 2776	2224	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	70
PID 2224 wrote to memory of 2776	2224	bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe	70
PID 3792 wrote to memory of 1540	3792	svchosts32.exe	72
PID 3792 wrote to memory of 1540	3792	svchosts32.exe	72
PID 3792 wrote to memory of 1540	3792	svchosts32.exe	72
PID 1540 wrote to memory of 2020	1540	spoolcl.exe	73
PID 1540 wrote to memory of 2020	1540	spoolcl.exe	73
PID 1540 wrote to memory of 2020	1540	spoolcl.exe	73

C:\Users\Admin\AppData\Local\Temp\bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe
"C:\Users\Admin\AppData\Local\Temp\bd21bf716c3bdff02f1eebae207a1a4e07c5a7f11565b3c3aabff9d925330dcf.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\AdsShow_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\AdsShow_installer.exe"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\SysWOW64\svchosts32.exe
  C:\Windows\system32\\svchosts32.exe help
  2⤵
  - Executes dropped EXE
  PID:2776

memory/2736-122-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download