Analysis

  • max time kernel
    4294208s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    24-02-2022 04:01

General

  • Target

    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe

  • Size

    2.4MB

  • MD5

    469c0460e4c1fefd01db4ae9f79c53c7

  • SHA1

    975e5ac0f82b26eb4df8c718207c61dd8afee9ff

  • SHA256

    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78

  • SHA512

    d7a109e33abd2f6383c50b973db5c252f5c6e0b0c079ba1b5ccd3281e4e73b43422236149d8cdf76842f4c4ccabc07a34bc23c46c2f01715afb29436464af0ec

Malware Config

Signatures

  • StrongPity

    StrongPity is spyware attributed to the PROMETHIUM APT group and used mainly in government-sponsored attacks.

  • StrongPity Spyware 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
    "C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Users\Admin\AppData\Local\Temp\is-F4A2T.tmp\fnmsetup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-F4A2T.tmp\fnmsetup.tmp" /SL5="$D0150,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: GetForegroundWindowSpam
        PID:764
    • C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
      "C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
        "C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
        3⤵
        • Executes dropped EXE
        PID:1116
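
The tree above has a shape worth checking for automatically: the submitted executable launches fnmsetup.exe, which unpacks and runs an Inno Setup stub (the is-XXXXX.tmp\*.tmp path and the /SL5= argument are Inno Setup's own conventions), and in parallel launches a second chain from %TEMP%\ndaData that has nothing to do with that installer. The script below is an added triage example, not part of the sandbox report and not the sandbox vendor's code. It transcribes the process list into records, infers parent pids from the nesting (the report only shows depth markers, so those ppid values are an assumption), reproduces the four "Executes dropped EXE" pairs, and applies a heuristic of mine: flag any parent that spawns both a genuine installer and an unrelated %TEMP% executable.

```python
import re
from collections import defaultdict

# Process records transcribed from the process tree above as (pid, ppid, image path,
# command line). The report only shows nesting depth, so the ppid values are
# inferred from that nesting (a constructed input, not a field of the report).
PROCESSES = [
    (1788, 0,
     r"C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe"'),
    (1448, 1788,
     r"C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"'),
    (764, 1448,
     r"C:\Users\Admin\AppData\Local\Temp\is-F4A2T.tmp\fnmsetup.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\is-F4A2T.tmp\fnmsetup.tmp" /SL5="$D0150,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"'),
    (1600, 1788,
     r"C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"'),
    (1116, 1600,
     r"C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"'),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Inno Setup unpacks its stub to %TEMP%\is-XXXXX.tmp\<name>.tmp and runs it with /SL5=
INNO_STUB_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
SL5_RE = re.compile(r'/SL5="\$[0-9A-F]+,\d+,\d+,([^"]+)"', re.IGNORECASE)


def build_tree(procs):
    """Index the records by pid and map each ppid to its direct children."""
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(list)
    for pid, ppid, _, _ in procs:
        children[ppid].append(pid)
    return by_pid, dict(children)


def is_inno_setup_stub(path, cmdline):
    """True for the extracted Inno Setup stub launched with a /SL5= argument."""
    return bool(INNO_STUB_RE.search(path) and SL5_RE.search(cmdline))


def sl5_source(cmdline):
    """Path of the installer that spawned the stub (last /SL5 field), or None.
    The leading fields are Inno Setup internals and are not interpreted here."""
    m = SL5_RE.search(cmdline)
    return m.group(1) if m else None


def dropped_exe_chains(procs):
    """(parent path, child path) pairs where one %TEMP% image launches another.
    Each pair corresponds to one 'Executes dropped EXE' event in the report."""
    by_pid, _ = build_tree(procs)
    chains = []
    for _, ppid, path, _ in procs:
        parent = by_pid.get(ppid)
        if parent and TEMP_RE.search(parent[2]) and TEMP_RE.search(path):
            chains.append((parent[2], path))
    return chains


def trojanized_installer_candidates(procs):
    """Parents that launch both a real installer (a child that spawns the Inno
    Setup stub) and a second, unrelated executable from %TEMP%: the shape of a
    legitimate setup program bundled with a separately dropped payload."""
    by_pid, children = build_tree(procs)
    findings = []
    for ppid, kids in children.items():
        if ppid not in by_pid:
            continue  # tree root: its own parent is not in the report
        installers, others = [], []
        for kid in kids:
            _, _, kpath, _ = by_pid[kid]
            spawns_stub = any(is_inno_setup_stub(by_pid[g][2], by_pid[g][3])
                              for g in children.get(kid, []))
            if spawns_stub:
                installers.append(kpath)
            elif TEMP_RE.search(kpath):
                others.append(kpath)
        if installers and others:
            findings.append({"parent": by_pid[ppid][2],
                             "installers": installers, "payload_chain": others})
    return findings


if __name__ == "__main__":
    for parent, child in dropped_exe_chains(PROCESSES):
        print(f"dropped EXE: {parent} -> {child}")
    for f in trojanized_installer_candidates(PROCESSES):
        print("decoy installer :", f["installers"])
        print("sibling payload :", f["payload_chain"])
```

Run against the records above it reports the same four dropped-EXE launches the sandbox counted and one decoy-installer finding: fnmsetup.exe as the genuine installer and ndaData\nvwmisrv.exe as the sibling chain. Fed with records from a real EDR export (pid, ppid, image, command line), the same two functions work unchanged; the heuristic is deliberately narrow to Inno Setup, so other installer frameworks need their own stub pattern.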

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/764-65-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/1448-59-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

  • memory/1448-57-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/1448-56-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

    Filesize

    8KB