strongpity | a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1

General

Target

a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe
Size

2.3MB
MD5

819e71bf3e6f4d0bac816a36eca5f3d3
SHA1

0661be49531a1b13a9fa7a76eabd906ed613da82
SHA256

a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1
SHA512

e47bbbb232d34f0e8fbb9d820f3e1c97554b8464c5aeb05e612b76300ab23da565892ecd3e76ec65a7faf6e837a942c2c8ab036aae1951551e766cfbd040e398

Score

10^/10

StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
stealer spyware strongpity

StrongPity Spyware 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000001ab2d-124.dat	family_strongpity
behavioral2/files/0x000500000001ab2d-123.dat	family_strongpity

Executes dropped EXE 5 IoCs

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wvsvcs32.exe	a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe
File created	C:\Windows\SysWOW64\printque.exe	a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1328	wvsvcs32.exe
1328	wvsvcs32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	wvsvcs32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3548	2420	a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe	69
PID 2420 wrote to memory of 3548	2420	a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe	69
PID 2420 wrote to memory of 3548	2420	a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe	69
PID 2420 wrote to memory of 2324	2420	a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe	70
PID 2420 wrote to memory of 2324	2420	a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe	70
PID 2420 wrote to memory of 2324	2420	a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe	70
PID 1328 wrote to memory of 4080	1328	wvsvcs32.exe	72
PID 1328 wrote to memory of 4080	1328	wvsvcs32.exe	72
PID 1328 wrote to memory of 4080	1328	wvsvcs32.exe	72
PID 4080 wrote to memory of 4072	4080	printque.exe	73
PID 4080 wrote to memory of 4072	4080	printque.exe	73
PID 4080 wrote to memory of 4072	4080	printque.exe	73

C:\Users\Admin\AppData\Local\Temp\a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe
"C:\Users\Admin\AppData\Local\Temp\a97702b25fea7863bff4a1f37b5e5a4733f2772f9e0cb55e73956acaddf53ab1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\winbox.exe
  "C:\Users\Admin\AppData\Local\Temp\winbox.exe"
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\SysWOW64\wvsvcs32.exe
  C:\Windows\system32\\wvsvcs32.exe help
  2⤵
  - Executes dropped EXE
  PID:2324