Analysis

  • max time kernel
    151s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    24-02-2022 04:01

General

  • Target

    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe

  • Size

    2.4MB

  • MD5

    469c0460e4c1fefd01db4ae9f79c53c7

  • SHA1

    975e5ac0f82b26eb4df8c718207c61dd8afee9ff

  • SHA256

    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78

  • SHA512

    d7a109e33abd2f6383c50b973db5c252f5c6e0b0c079ba1b5ccd3281e4e73b43422236149d8cdf76842f4c4ccabc07a34bc23c46c2f01715afb29436464af0ec

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

  • StrongPity Spyware 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
    "C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Users\Admin\AppData\Local\Temp\is-NH99O.tmp\fnmsetup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-NH99O.tmp\fnmsetup.tmp" /SL5="$801C8,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
        3⤵
        • Executes dropped EXE
        PID:2252
    • C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
      "C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
        "C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
        3⤵
        • Executes dropped EXE
        PID:2472

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2252-136-0x0000000000790000-0x0000000000791000-memory.dmp

    Filesize

    4KB

  • memory/3224-132-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3224-135-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB