Analysis
- max time kernel: 152s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 19:16
Static task: static1
Behavioral task: behavioral1
- Sample: a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
- Resource: win10-en-20211208
General
- Target: a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
- Size: 2.3MB
- MD5: 1b924ee1c9630f3e580d99a0c7568f7a
- SHA1: 704849500748b97e63cf820f3b768ec4f91336d8
- SHA256: a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0
- SHA512: 6c4cf6499dbdf8ca6a7815365e0a7ab687f2fcfd52cd4aab968487a7f85e01fbea51087db2710990e74671a5caf1682b05f19b367eda093433775dd72fef4da7
Malware Config
Signatures

- StrongPity
  StrongPity is spyware developed by the PROMETHIUM APT group, used mainly in government-sponsored attacks.

- StrongPity Spyware (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x000700000001226a-62.dat | family_strongpity
  behavioral1/files/0x000700000001226a-63.dat | family_strongpity
  behavioral1/files/0x000700000001226a-64.dat | family_strongpity
  behavioral1/files/0x000700000001226a-65.dat | family_strongpity

- Executes dropped EXE (5 IoCs)
  pid | Process
  2028 | winbox.exe
  580 | svchosts32.exe
  1392 | svchosts32.exe
  1380 | spoolcl.exe
  688 | wiminit.xml

- Loads dropped DLL (6 IoCs)
  pid | Process
  860 | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
  860 | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
  860 | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
  1392 | svchosts32.exe
  1392 | svchosts32.exe
  1380 | spoolcl.exe

- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\svchosts32.exe | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
  File created | C:\Windows\SysWOW64\spoolcl.exe | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1392 | svchosts32.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1392 | svchosts32.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 860 wrote to memory of 2028 | 860 | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe | 28
  PID 860 wrote to memory of 2028 | 860 | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe | 28
  PID 860 wrote to memory of 2028 | 860 | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe | 28
  PID 860 wrote to memory of 2028 | 860 | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe | 28
  PID 860 wrote to memory of 580 | 860 | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe | 29
  PID 860 wrote to memory of 580 | 860 | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe | 29
  PID 860 wrote to memory of 580 | 860 | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe | 29
  PID 860 wrote to memory of 580 | 860 | a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe | 29
  PID 1392 wrote to memory of 1380 | 1392 | svchosts32.exe | 31
  PID 1392 wrote to memory of 1380 | 1392 | svchosts32.exe | 31
  PID 1392 wrote to memory of 1380 | 1392 | svchosts32.exe | 31
  PID 1392 wrote to memory of 1380 | 1392 | svchosts32.exe | 31
  PID 1380 wrote to memory of 688 | 1380 | spoolcl.exe | 32
  PID 1380 wrote to memory of 688 | 1380 | spoolcl.exe | 32
  PID 1380 wrote to memory of 688 | 1380 | spoolcl.exe | 32
  PID 1380 wrote to memory of 688 | 1380 | spoolcl.exe | 32
Processes

- C:\Users\Admin\AppData\Local\Temp\a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 860

  - C:\Users\Admin\AppData\Local\Temp\winbox.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\winbox.exe"
    - Executes dropped EXE
    PID: 2028

  - C:\Windows\SysWOW64\svchosts32.exe
    Command line: C:\Windows\system32\\svchosts32.exe help
    - Executes dropped EXE
    PID: 580

- C:\Windows\SysWOW64\svchosts32.exe
  Command line: C:\Windows\SysWOW64\svchosts32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1392

  - C:\Windows\SysWOW64\spoolcl.exe
    Command line: "C:\Windows\system32\\spoolcl.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1380

    - C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml
      Command line: "C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml"
      - Executes dropped EXE
      PID: 688