Analysis
- max time kernel: 4294208s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20220223-en
- submitted: 24-02-2022 04:01
Static task: static1

Behavioral task: behavioral1
- Sample: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
- Resource: win7-20220223-en

Behavioral task: behavioral2
- Sample: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
- Resource: win10v2004-en-20220112
General
- Target: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
- Size: 2.4MB
- MD5: 469c0460e4c1fefd01db4ae9f79c53c7
- SHA1: 975e5ac0f82b26eb4df8c718207c61dd8afee9ff
- SHA256: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78
- SHA512: d7a109e33abd2f6383c50b973db5c252f5c6e0b0c079ba1b5ccd3281e4e73b43422236149d8cdf76842f4c4ccabc07a34bc23c46c2f01715afb29436464af0ec
Malware Config
Signatures

- StrongPity
  StrongPity is spyware developed by the PROMETHIUM APT group, mainly used in government-sponsored attacks.

- StrongPity Spyware (3 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0007000000013392-66.dat | family_strongpity |
| behavioral1/files/0x0007000000013392-68.dat | family_strongpity |
| behavioral1/files/0x0007000000013392-67.dat | family_strongpity |
- Executes dropped EXE (4 IoCs)

| pid | Process |
|---|---|
| 1448 | fnmsetup.exe |
| 764 | fnmsetup.tmp |
| 1600 | nvwmisrv.exe |
| 1116 | winmsism.exe |
- Loads dropped DLL (7 IoCs)

| pid | Process |
|---|---|
| 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe |
| 1448 | fnmsetup.exe |
| 764 | fnmsetup.tmp |
| 764 | fnmsetup.tmp |
| 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe |
| 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe |
| 1600 | nvwmisrv.exe |
- Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeyStoreUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe" | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe |
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)

| pid | Process |
|---|---|
| 764 | fnmsetup.tmp |
- Suspicious use of WriteProcessMemory (22 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1788 wrote to memory of 1448 | 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe | 27 |
| PID 1788 wrote to memory of 1448 | 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe | 27 |
| PID 1788 wrote to memory of 1448 | 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe | 27 |
| PID 1788 wrote to memory of 1448 | 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe | 27 |
| PID 1788 wrote to memory of 1448 | 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe | 27 |
| PID 1788 wrote to memory of 1448 | 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe | 27 |
| PID 1788 wrote to memory of 1448 | 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe | 27 |
| PID 1448 wrote to memory of 764 | 1448 | fnmsetup.exe | 28 |
| PID 1448 wrote to memory of 764 | 1448 | fnmsetup.exe | 28 |
| PID 1448 wrote to memory of 764 | 1448 | fnmsetup.exe | 28 |
| PID 1448 wrote to memory of 764 | 1448 | fnmsetup.exe | 28 |
| PID 1448 wrote to memory of 764 | 1448 | fnmsetup.exe | 28 |
| PID 1448 wrote to memory of 764 | 1448 | fnmsetup.exe | 28 |
| PID 1448 wrote to memory of 764 | 1448 | fnmsetup.exe | 28 |
| PID 1788 wrote to memory of 1600 | 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe | 29 |
| PID 1788 wrote to memory of 1600 | 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe | 29 |
| PID 1788 wrote to memory of 1600 | 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe | 29 |
| PID 1788 wrote to memory of 1600 | 1788 | d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe | 29 |
| PID 1600 wrote to memory of 1116 | 1600 | nvwmisrv.exe | 31 |
| PID 1600 wrote to memory of 1116 | 1600 | nvwmisrv.exe | 31 |
| PID 1600 wrote to memory of 1116 | 1600 | nvwmisrv.exe | 31 |
| PID 1600 wrote to memory of 1116 | 1600 | nvwmisrv.exe | 31 |
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe"
  PID: 1788
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
    PID: 1448
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    - [depth 3] C:\Users\Admin\AppData\Local\Temp\is-F4A2T.tmp\fnmsetup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-F4A2T.tmp\fnmsetup.tmp" /SL5="$D0150,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
      PID: 764
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
    PID: 1600
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    - [depth 3] C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
      PID: 1116
      Signatures:
      - Executes dropped EXE