Analysis
max time kernel: 155s
max time network: 155s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 19:17
Static task: static1
Behavioral task: behavioral1
  Sample: a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
  Resource: win10-en-20211208
General
Target: a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
Size: 3.5MB
MD5: c01e9d2a0ac1240ddde0bade9b4223ce
SHA1: fcffd492d70c3eba6064a40db995d69436161b81
SHA256: a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83
SHA512: 4dd5defafe8778d17ce22b0a51e40642bf40936754f3f953f04beeb84d3ecf5dd8133ba250fca0a96bf331b97aed32f2d4f309666ce81a57a030c312154e94af
Malware Config
Signatures
-
StrongPity
StrongPity is spyware developed by the PROMETHIUM APT group and used mainly in government-sponsored attacks.
-
StrongPity Spyware 2 IoCs
resource                                      yara_rule
behavioral2/files/0x000500000001ab14-124.dat  family_strongpity
behavioral2/files/0x000500000001ab14-123.dat  family_strongpity
-
Executes dropped EXE 5 IoCs
pid   Process
4076  wrar561.exe
4032  svchosts32.exe
4016  svchosts32.exe
4280  spoolcl.exe
4412  wiminit.xml
-
Drops file in System32 directory 2 IoCs
description   ioc                                 Process
File created  C:\Windows\SysWOW64\svchosts32.exe  a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
File created  C:\Windows\SysWOW64\spoolcl.exe     a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
4016  svchosts32.exe
4016  svchosts32.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  4016  svchosts32.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
4076  wrar561.exe
4076  wrar561.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description                       pid   Process                                                                 procid_target
PID 3408 wrote to memory of 4076  3408  a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe  70
PID 3408 wrote to memory of 4076  3408  a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe  70
PID 3408 wrote to memory of 4076  3408  a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe  70
PID 3408 wrote to memory of 4032  3408  a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe  71
PID 3408 wrote to memory of 4032  3408  a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe  71
PID 3408 wrote to memory of 4032  3408  a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe  71
PID 4016 wrote to memory of 4280  4016  svchosts32.exe                                                          73
PID 4016 wrote to memory of 4280  4016  svchosts32.exe                                                          73
PID 4016 wrote to memory of 4280  4016  svchosts32.exe                                                          73
PID 4280 wrote to memory of 4412  4280  spoolcl.exe                                                             74
PID 4280 wrote to memory of 4412  4280  spoolcl.exe                                                             74
PID 4280 wrote to memory of 4412  4280  spoolcl.exe                                                             74
Processes
-
C:\Users\Admin\AppData\Local\Temp\a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3408
  -
  C:\Users\Admin\AppData\Local\Temp\wrar561.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\wrar561.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 4076
  -
  C:\Windows\SysWOW64\svchosts32.exe (level 2)
    Command line: C:\Windows\system32\\svchosts32.exe help
    - Executes dropped EXE
    PID: 4032
-
C:\Windows\SysWOW64\svchosts32.exe (level 1)
  Command line: C:\Windows\SysWOW64\svchosts32.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4016
  -
  C:\Windows\SysWOW64\spoolcl.exe (level 2)
    Command line: "C:\Windows\system32\\spoolcl.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4280
    -
    C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml"
      - Executes dropped EXE
      PID: 4412