Analysis

  • max time kernel
    152s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 19:16

General

  • Target

    a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe

  • Size

    2.3MB

  • MD5

    1b924ee1c9630f3e580d99a0c7568f7a

  • SHA1

    704849500748b97e63cf820f3b768ec4f91336d8

  • SHA256

    a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0

  • SHA512

    6c4cf6499dbdf8ca6a7815365e0a7ab687f2fcfd52cd4aab968487a7f85e01fbea51087db2710990e74671a5caf1682b05f19b367eda093433775dd72fef4da7

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

  • StrongPity Spyware 4 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
    "C:\Users\Admin\AppData\Local\Temp\a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Users\Admin\AppData\Local\Temp\winbox.exe
      "C:\Users\Admin\AppData\Local\Temp\winbox.exe"
      2⤵
      • Executes dropped EXE
      PID:2028
    • C:\Windows\SysWOW64\svchosts32.exe
      C:\Windows\system32\\svchosts32.exe help
      2⤵
      • Executes dropped EXE
      PID:580
  • C:\Windows\SysWOW64\svchosts32.exe
    C:\Windows\SysWOW64\svchosts32.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\SysWOW64\spoolcl.exe
      "C:\Windows\system32\\spoolcl.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml
        "C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml"
        3⤵
        • Executes dropped EXE
        PID:688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2028-59-0x0000000076731000-0x0000000076733000-memory.dmp

    Filesize

    8KB