Analysis
max time kernel: 146s
max time network: 119s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28-01-2022 19:04
Static task: static1
Behavioral task: behavioral1
  Sample: a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe
  Resource: win10-en-20211208
General
Target: a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe
Size: 2.3MB
MD5: 819e71bf3e6f4d0bac816a36eca5f3d3
SHA1: 0661be49531a1b13a9fa7a76eabd906ed613da82
SHA256: a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1
SHA512: e47bbbb232d34f0e8fbb9d820f3e1c97554b8464c5aeb05e612b76300ab23da565892ecd3e76ec65a7faf6e837a942c2c8ab036aae1951551e766cfbd040e398
Malware Config
Signatures

StrongPity
StrongPity is spyware developed by the PROMETHIUM APT group, used mainly in government-sponsored attacks.
StrongPity Spyware (4 IoCs)
resource                                     yara_rule
behavioral1/files/0x00070000000121ee-62.dat  family_strongpity
behavioral1/files/0x00070000000121ee-63.dat  family_strongpity
behavioral1/files/0x00070000000121ee-64.dat  family_strongpity
behavioral1/files/0x00070000000121ee-65.dat  family_strongpity

Executes dropped EXE (5 IoCs)
pid   Process
1668  winbox.exe
576   wvsvcs32.exe
460   wvsvcs32.exe
1644  printque.exe
288   sqlhostserv.xml

Loads dropped DLL (6 IoCs)
pid   Process
1388  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe
1388  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe
1388  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe
460   wvsvcs32.exe
460   wvsvcs32.exe
1644  printque.exe

Drops file in System32 directory (2 IoCs)
description   ioc                               Process
File created  C:\Windows\SysWOW64\wvsvcs32.exe  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe
File created  C:\Windows\SysWOW64\printque.exe  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid  Process
460  wvsvcs32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid  Process
Token: SeDebugPrivilege  460  wvsvcs32.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description                       pid   Process                                                                pid_target
PID 1388 wrote to memory of 1668  1388  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe  28
PID 1388 wrote to memory of 1668  1388  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe  28
PID 1388 wrote to memory of 1668  1388  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe  28
PID 1388 wrote to memory of 1668  1388  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe  28
PID 1388 wrote to memory of 576   1388  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe  29
PID 1388 wrote to memory of 576   1388  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe  29
PID 1388 wrote to memory of 576   1388  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe  29
PID 1388 wrote to memory of 576   1388  a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe  29
PID 460 wrote to memory of 1644   460   wvsvcs32.exe                                                           31
PID 460 wrote to memory of 1644   460   wvsvcs32.exe                                                           31
PID 460 wrote to memory of 1644   460   wvsvcs32.exe                                                           31
PID 460 wrote to memory of 1644   460   wvsvcs32.exe                                                           31
PID 1644 wrote to memory of 288   1644  printque.exe                                                           32
PID 1644 wrote to memory of 288   1644  printque.exe                                                           32
PID 1644 wrote to memory of 288   1644  printque.exe                                                           32
PID 1644 wrote to memory of 288   1644  printque.exe                                                           32
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe"
  PID: 1388
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\winbox.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\winbox.exe"
      PID: 1668
      - Executes dropped EXE

    C:\Windows\SysWOW64\wvsvcs32.exe
      Command line: C:\Windows\system32\\wvsvcs32.exe help
      PID: 576
      - Executes dropped EXE

C:\Windows\SysWOW64\wvsvcs32.exe
  Command line: C:\Windows\SysWOW64\wvsvcs32.exe
  PID: 460
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\printque.exe
      Command line: "C:\Windows\system32\\printque.exe"
      PID: 1644
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\5AD-CA113D-416AA\sqlhostserv.xml
          Command line: "C:\Users\Admin\AppData\Local\Temp\5AD-CA113D-416AA\sqlhostserv.xml"
          PID: 288
          - Executes dropped EXE