Analysis
max time kernel: 166s
max time network: 189s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 19:16
Static task: static1
Behavioral task: behavioral1
  Sample: a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
  Resource: win10-en-20211208
General
Target: a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
Size: 2.3MB
MD5: 1b924ee1c9630f3e580d99a0c7568f7a
SHA1: 704849500748b97e63cf820f3b768ec4f91336d8
SHA256: a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0
SHA512: 6c4cf6499dbdf8ca6a7815365e0a7ab687f2fcfd52cd4aab968487a7f85e01fbea51087db2710990e74671a5caf1682b05f19b367eda093433775dd72fef4da7
Malware Config
Signatures

StrongPity
StrongPity is spyware developed by the PROMETHIUM APT group and used mainly in government-sponsored attacks.

StrongPity Spyware (2 IoCs)
resource                                      yara_rule
behavioral2/files/0x000500000001ab2c-121.dat  family_strongpity
behavioral2/files/0x000500000001ab2c-120.dat  family_strongpity

Executes dropped EXE (5 IoCs)
pid   Process
4008  winbox.exe
940   svchosts32.exe
648   svchosts32.exe
3956  spoolcl.exe
3740  wiminit.xml

Drops file in System32 directory (2 IoCs)
description   ioc                                 Process
File created  C:\Windows\SysWOW64\svchosts32.exe  a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
File created  C:\Windows\SysWOW64\spoolcl.exe     a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
648  svchosts32.exe
648  svchosts32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid  Process
Token: SeDebugPrivilege  648  svchosts32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                                               procid_target
PID 3476 wrote to memory of 4008  3476  a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe  69
PID 3476 wrote to memory of 4008  3476  a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe  69
PID 3476 wrote to memory of 4008  3476  a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe  69
PID 3476 wrote to memory of 940   3476  a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe  70
PID 3476 wrote to memory of 940   3476  a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe  70
PID 3476 wrote to memory of 940   3476  a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe  70
PID 648 wrote to memory of 3956   648   svchosts32.exe                                                        74
PID 648 wrote to memory of 3956   648   svchosts32.exe                                                        74
PID 648 wrote to memory of 3956   648   svchosts32.exe                                                        74
PID 3956 wrote to memory of 3740  3956  spoolcl.exe                                                           75
PID 3956 wrote to memory of 3740  3956  spoolcl.exe                                                           75
PID 3956 wrote to memory of 3740  3956  spoolcl.exe                                                           75
Processes
(indentation shows tree depth; image path first, then the command line as recorded)

C:\Users\Admin\AppData\Local\Temp\a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe"
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 3476

  C:\Users\Admin\AppData\Local\Temp\winbox.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\winbox.exe"
  - Executes dropped EXE
  PID: 4008

  C:\Windows\SysWOW64\svchosts32.exe
  Command line: C:\Windows\system32\\svchosts32.exe help
  - Executes dropped EXE
  PID: 940

C:\Windows\SysWOW64\svchosts32.exe
Command line: C:\Windows\SysWOW64\svchosts32.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 648

  C:\Windows\SysWOW64\spoolcl.exe
  Command line: "C:\Windows\system32\\spoolcl.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3956

    C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml
    Command line: "C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml"
    - Executes dropped EXE
    PID: 3740
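Two details of the tree above are worth reading off before hunting for this activity on real hosts: the image paths sit under C:\Windows\SysWOW64 while the recorded command lines say C:\Windows\system32, which is what WOW64 file system redirection produces for a 32-bit process, so any path match has to cover both directories; and the last process in the chain is started from a file named wiminit.xml, so a rule that trusts file extensions will miss it. The script below re-derives the "Drops file in System32 directory" and "Executes dropped EXE" signatures and adds the extension check and a parent-chain walk, as an added example that is not the sandbox's own signature code. It runs on a constructed event list modelled on the report (the field names are an assumed, simplified schema; the file_create events for winbox.exe and wiminit.xml are assumed, since the report lists them only as executed dropped files; PID 648 is recorded as a separate root with no parent, so it is given ppid 0).

```python
"""Re-derive three of the report's behavioural signatures from a flat
stream of file-create and process-create events: "Drops file in
System32 directory", "Executes dropped EXE", and a process started from
a file without an executable extension (wiminit.xml). Also rebuilds the
parent chain for a pid from the process tree."""
import ntpath

SAMPLE = "a2035a826d94a0d9e63cb90f80acffd03caff3db6b73bf4e03fa84eddd8806b0.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = ntpath.join(TEMP, SAMPLE)
SVCHOSTS32 = r"C:\Windows\SysWOW64\svchosts32.exe"
SPOOLCL = r"C:\Windows\SysWOW64\spoolcl.exe"
WINBOX = ntpath.join(TEMP, "winbox.exe")
WIMINIT = ntpath.join(TEMP, "AAE25-AA1ECC2131", "wiminit.xml")

# Constructed events modelled on the report's process tree and file-drop
# IoCs (assumed simplified schema; not sandbox output). The file_create
# events for winbox.exe and wiminit.xml are assumed: the report lists
# them under "Executes dropped EXE" but does not show the drop itself.
# PID 648 appears in the report as a separate root with no parent, so it
# gets ppid 0 here.
EVENTS = [
    {"type": "process_create", "pid": 3476, "ppid": 0, "image": SAMPLE_PATH},
    {"type": "file_create", "pid": 3476, "image": SAMPLE_PATH, "path": WINBOX},
    {"type": "file_create", "pid": 3476, "image": SAMPLE_PATH, "path": SVCHOSTS32},
    {"type": "file_create", "pid": 3476, "image": SAMPLE_PATH, "path": SPOOLCL},
    {"type": "process_create", "pid": 4008, "ppid": 3476, "image": WINBOX},
    {"type": "process_create", "pid": 940, "ppid": 3476, "image": SVCHOSTS32},
    {"type": "process_create", "pid": 648, "ppid": 0, "image": SVCHOSTS32},
    {"type": "process_create", "pid": 3956, "ppid": 648, "image": SPOOLCL},
    {"type": "file_create", "pid": 3956, "image": SPOOLCL, "path": WIMINIT},
    {"type": "process_create", "pid": 3740, "ppid": 3956, "image": WIMINIT},
]

# System32 and its WOW64 twin: a 32-bit process writing to
# C:\Windows\system32 is redirected to SysWOW64, so match both.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif"}


def drops_in_system_dir(events):
    """'Drops file in System32 directory': (dropped path, dropper image name)."""
    return [(e["path"], ntpath.basename(e["image"]))
            for e in events
            if e["type"] == "file_create"
            and e["path"].lower().startswith(SYSTEM_DIRS)]


def executes_dropped(events):
    """'Executes dropped EXE': processes whose image was created earlier in
    the same trace, as (pid, image name) in event order."""
    dropped, hits = set(), []
    for e in events:
        if e["type"] == "file_create":
            dropped.add(e["path"].lower())
        elif e["type"] == "process_create" and e["image"].lower() in dropped:
            hits.append((e["pid"], ntpath.basename(e["image"])))
    return hits


def non_exe_extension(events):
    """Processes whose image name lacks an executable extension; catches
    the .xml-named binary at the bottom of the tree."""
    return [(e["pid"], ntpath.basename(e["image"]))
            for e in events
            if e["type"] == "process_create"
            and ntpath.splitext(e["image"])[1].lower() not in EXEC_EXTENSIONS]


def ancestry(events, pid):
    """Image names from the root of the traced tree down to pid."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    chain = []
    while pid in procs:
        chain.append(ntpath.basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for name, hits in (("Drops file in System32 directory", drops_in_system_dir(EVENTS)),
                       ("Executes dropped EXE", executes_dropped(EVENTS)),
                       ("Non-executable extension", non_exe_extension(EVENTS))):
        print(f"{name}: {len(hits)} IoCs")
        for hit in hits:
            print("   ", *hit)
    print("Chain to 3740:", " -> ".join(ancestry(EVENTS, 3740)))
```

On the constructed events the two path rules reproduce the report's counts exactly (2 drops into SysWOW64, 5 executed dropped files), and the extension rule isolates PID 3740. Matching is done on the image path the sandbox resolved rather than on the command line, which is the right side of the WOW64 redirection to key on; ntpath is used so the Windows paths parse the same on any analysis host.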