Analysis

  • max time kernel
    155s
  • max time network
    155s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 19:17

General

  • Target

    a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe

  • Size

    3.5MB

  • MD5

    c01e9d2a0ac1240ddde0bade9b4223ce

  • SHA1

    fcffd492d70c3eba6064a40db995d69436161b81

  • SHA256

    a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83

  • SHA512

    4dd5defafe8778d17ce22b0a51e40642bf40936754f3f953f04beeb84d3ecf5dd8133ba250fca0a96bf331b97aed32f2d4f309666ce81a57a030c312154e94af

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

  • StrongPity Spyware 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
    "C:\Users\Admin\AppData\Local\Temp\a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\Users\Admin\AppData\Local\Temp\wrar561.exe
      "C:\Users\Admin\AppData\Local\Temp\wrar561.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4076
    • C:\Windows\SysWOW64\svchosts32.exe
      C:\Windows\system32\\svchosts32.exe help
      2⤵
      • Executes dropped EXE
      PID:4032
  • C:\Windows\SysWOW64\svchosts32.exe
    C:\Windows\SysWOW64\svchosts32.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4016
    • C:\Windows\SysWOW64\spoolcl.exe
      "C:\Windows\system32\\spoolcl.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml
        "C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml"
        3⤵
        • Executes dropped EXE
        PID:4412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads