Analysis

  • max time kernel
    174s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    06-03-2022 06:51

General

  • Target

    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe

  • Size

    2.4MB

  • MD5

    469c0460e4c1fefd01db4ae9f79c53c7

  • SHA1

    975e5ac0f82b26eb4df8c718207c61dd8afee9ff

  • SHA256

    d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78

  • SHA512

    d7a109e33abd2f6383c50b973db5c252f5c6e0b0c079ba1b5ccd3281e4e73b43422236149d8cdf76842f4c4ccabc07a34bc23c46c2f01715afb29436464af0ec

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

  • StrongPity Spyware 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe
    "C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp" /SL5="$901E8,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"
        3⤵
        • Executes dropped EXE
        PID:960
    • C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
      "C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3504
      • C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
        "C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"
        3⤵
        • Executes dropped EXE
        PID:2164

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/960-136-0x0000000000690000-0x0000000000691000-memory.dmp

    Filesize

    4KB

  • memory/2460-132-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2460-133-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB