Analysis
- max time kernel: 151s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 24-02-2022 04:01
Static task: static1
Behavioral task: behavioral1
- Sample: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
- Resource: win10v2004-en-20220112
General
- Target: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
- Size: 2.4MB
- MD5: 469c0460e4c1fefd01db4ae9f79c53c7
- SHA1: 975e5ac0f82b26eb4df8c718207c61dd8afee9ff
- SHA256: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78
- SHA512: d7a109e33abd2f6383c50b973db5c252f5c6e0b0c079ba1b5ccd3281e4e73b43422236149d8cdf76842f4c4ccabc07a34bc23c46c2f01715afb29436464af0ec
Malware Config
Signatures
- StrongPity
  StrongPity is spyware developed by the PROMETHIUM APT group, used mainly in government-sponsored attacks.
- StrongPity Spyware (2 IoCs)
  resource                                       yara_rule
  behavioral2/files/0x0002000000022060-137.dat   family_strongpity
  behavioral2/files/0x0002000000022060-138.dat   family_strongpity
- Executes dropped EXE (4 IoCs)
  pid    Process
  3224   fnmsetup.exe
  2252   fnmsetup.tmp
  2428   nvwmisrv.exe
  2472   winmsism.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                                                      Process
  Key created       \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyStoreUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe"   d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid    Process                                                                 procid_target
  PID 3956 wrote to memory of 3224     3956   d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe   57
  PID 3956 wrote to memory of 3224     3956   d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe   57
  PID 3956 wrote to memory of 3224     3956   d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe   57
  PID 3224 wrote to memory of 2252     3224   fnmsetup.exe                                                            58
  PID 3224 wrote to memory of 2252     3224   fnmsetup.exe                                                            58
  PID 3224 wrote to memory of 2252     3224   fnmsetup.exe                                                            58
  PID 3956 wrote to memory of 2428     3956   d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe   68
  PID 3956 wrote to memory of 2428     3956   d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe   68
  PID 3956 wrote to memory of 2428     3956   d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe   68
  PID 2428 wrote to memory of 2472     2428   nvwmisrv.exe                                                            70
  PID 2428 wrote to memory of 2472     2428   nvwmisrv.exe                                                            70
  PID 2428 wrote to memory of 2472     2428   nvwmisrv.exe                                                            70
Processes
- C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - PID: 3956
  - C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - PID: 3224
    - C:\Users\Admin\AppData\Local\Temp\is-NH99O.tmp\fnmsetup.tmp
      command line: "C:\Users\Admin\AppData\Local\Temp\is-NH99O.tmp\fnmsetup.tmp" /SL5="$801C8,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
      - Executes dropped EXE
      - PID: 2252
  - C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - PID: 2428
    - C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
      - Executes dropped EXE
      - PID: 2472