Analysis

max time kernel: 174s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 06-03-2022 06:51

Static task: static1

Behavioral task: behavioral1
  Sample: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
  Resource: win7-20220223-en

Behavioral task: behavioral2
  Sample: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
  Resource: win10v2004-en-20220112

The signatures and process tree below come from behavioral2 (the win10v2004-en-20220112 run, matching the platform/resource fields above).
General

Target: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
Size: 2.4MB
MD5: 469c0460e4c1fefd01db4ae9f79c53c7
SHA1: 975e5ac0f82b26eb4df8c718207c61dd8afee9ff
SHA256: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78
SHA512: d7a109e33abd2f6383c50b973db5c252f5c6e0b0c079ba1b5ccd3281e4e73b43422236149d8cdf76842f4c4ccabc07a34bc23c46c2f01715afb29436464af0ec
Malware Config

Signatures

StrongPity
StrongPity is spyware attributed to the PROMETHIUM APT group and used mainly in state-sponsored attacks.

StrongPity Spyware (2 IoCs)
  resource                                        yara_rule
  behavioral2/files/0x00060000000220fd-137.dat    family_strongpity
  behavioral2/files/0x00060000000220fd-138.dat    family_strongpity
Executes dropped EXE (4 IoCs)
  pid     Process
  2460    fnmsetup.exe
  960     fnmsetup.tmp
  3504    nvwmisrv.exe
  2164    winmsism.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description        ioc                                                                                                                                                                                            Process
  Key created        \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                   d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyStoreUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe"    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe

The Run value is written by the original sample, not by the dropped binary, and it points into the user's %LOCALAPPDATA%\Temp; a Run entry whose target lives in a user-writable temp directory is the item to hunt for on other hosts. (The doubled backslashes in the value are the sandbox's escaped rendering of the string.)
Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid     Process                                                                     procid_target
  PID 1552 wrote to memory of 2460     1552    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe       60
  PID 1552 wrote to memory of 2460     1552    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe       60
  PID 1552 wrote to memory of 2460     1552    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe       60
  PID 2460 wrote to memory of 960      2460    fnmsetup.exe                                                                61
  PID 2460 wrote to memory of 960      2460    fnmsetup.exe                                                                61
  PID 2460 wrote to memory of 960      2460    fnmsetup.exe                                                                61
  PID 1552 wrote to memory of 3504     1552    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe       62
  PID 1552 wrote to memory of 3504     1552    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe       62
  PID 1552 wrote to memory of 3504     1552    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe       62
  PID 3504 wrote to memory of 2164     3504    nvwmisrv.exe                                                                64
  PID 3504 wrote to memory of 2164     3504    nvwmisrv.exe                                                                64
  PID 3504 wrote to memory of 2164     3504    nvwmisrv.exe                                                                64

Each parent/child pair appears exactly three times and every target is a process the parent itself started. That pattern is what ordinary process creation looks like in this sandbox (the parent writes into the new child's address space while setting it up), so these rows document the launch chain; on their own they are not evidence of code injection into an unrelated process.
Processes (indentation shows parent/child depth, as in the sandbox's process tree)

1. C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe"
   PID: 1552
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
      PID: 2460
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp
         command line: "C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp" /SL5="$901E8,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
         PID: 960
         - Executes dropped EXE

   2. C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
      PID: 3504
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
         PID: 2164
         - Executes dropped EXE

The tree has two branches. fnmsetup.exe relaunching itself as is-6ADJE.tmp\fnmsetup.tmp with a /SL5="$handle,size,offset,<path>" argument is the standard second stage of an Inno Setup installer, so that branch is a bundled installer running normally. The persistence (the KeyStoreUpdater Run value) targets the other branch, nvwmisrv.exe in the ndaData directory, which in turn starts winmsism.exe.
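The report gives the launch chain only as repeated WriteProcessMemory rows and the persistence only as one registry string, so an analyst usually has to reassemble both by hand. The script below is an added example, not part of the Triage report or its tooling; the PIDs, paths, event descriptions and Run-key string are copied from the report into constants so it runs offline, and the list of user-writable directories it checks against is my own assumption, not something the sandbox asserts. It collapses the triplicated rows into a parent/child tree, renders it, and checks whether the Run value points at a dropped executable in a user-writable location.

```python
"""Rebuild the process tree and check the Run-key persistence from the IoCs above.

Added example, not part of the Triage report. All input strings are copied
from the report into constants so the script runs without the sandbox.
"""
import re
from collections import defaultdict

# PID -> image path, copied from the report's "Processes" section.
PROCESSES = {
    1552: r"C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe",
    2460: r"C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe",
    960:  r"C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp",
    3504: r"C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe",
    2164: r"C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe",
}

# The 12 "Suspicious use of WriteProcessMemory" descriptions, verbatim (3 per pair).
WPM_EVENTS = (
    ["PID 1552 wrote to memory of 2460"] * 3
    + ["PID 2460 wrote to memory of 960"] * 3
    + ["PID 1552 wrote to memory of 3504"] * 3
    + ["PID 3504 wrote to memory of 2164"] * 3
)

# The "Set value (str)" IoC, verbatim, including the sandbox's doubled backslashes.
RUN_KEY_IOC = (
    r"\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyStoreUpdater"
    r' = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe"'
)

# Assumed list of locations a standard user can write to; not from the report.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
RUN_VALUE_RE = re.compile(r'\\CurrentVersion\\Run\\([^\\ ]+) = "(.*)"$')


def build_tree(events):
    """Collapse the repeated rows into {parent_pid: [child_pid, ...]}."""
    tree = defaultdict(set)
    for line in events:
        m = WPM_RE.fullmatch(line)
        if m:
            tree[int(m.group(1))].add(int(m.group(2)))
    return {parent: sorted(children) for parent, children in tree.items()}


def roots(tree):
    """PIDs that write to others but were not written to: the top of the chain."""
    children = {c for cs in tree.values() for c in cs}
    return sorted(p for p in tree if p not in children)


def render(tree, names, pid, depth=0):
    """Indented text rendering of the tree below `pid`, one process per line."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, names, child, depth + 1))
    return lines


def parse_run_value(ioc):
    """Split a 'Set value (str)' IoC into (value name, unescaped target path)."""
    m = RUN_VALUE_RE.search(ioc)
    if not m:
        raise ValueError("not a Run-key value IoC")
    name, raw = m.group(1), m.group(2)
    return name, raw.replace("\\\\", "\\")   # undo the sandbox's escaping


def check_persistence(ioc, names):
    """Flag a Run value that targets a user-writable dir and/or a dropped EXE."""
    name, path = parse_run_value(ioc)
    low = path.lower()
    return {
        "value_name": name,
        "path": path,
        "user_writable_dir": any(d in low for d in USER_WRITABLE),
        "points_to_dropped_exe": [pid for pid, p in names.items() if p.lower() == low],
    }


if __name__ == "__main__":
    tree = build_tree(WPM_EVENTS)
    for root in roots(tree):
        print("\n".join(render(tree, PROCESSES, root)))
    print(check_persistence(RUN_KEY_IOC, PROCESSES))
```

Running it prints the five-process tree rooted at PID 1552 and a finding that the KeyStoreUpdater value lives in a user-writable temp directory and resolves to PID 3504 (nvwmisrv.exe). The same two checks, a Run value under a temp or profile directory and a Run target that matches a freshly written executable, are the ones worth turning into a hunt query across the fleet.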