Malware Analysis Report

2024-09-11 02:40

Sample ID 240401-kpfeysab88
Target 5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f
SHA256 5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f
Tags
strongpity
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f

Threat Level: Known bad

The file 5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f was found to be: Known bad.

Malicious Activity Summary

strongpity

StrongPity Spyware

Strongpity family

Unsigned PE

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-01 08:46

Signatures

StrongPity Spyware

Description Indicator Process Target
N/A N/A N/A N/A

Strongpity family

strongpity

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-01 08:46

Reported

2024-04-01 08:49

Platform

win7-20240221-en

Max time kernel

148s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f.exe"

Signatures

Modifies system certificate store

evasion spyware trojan

The Blob value written below is a serialized certificate context: a list of certificate properties (MD5 hash, signature hash, SHA-1 hash, key identifier) followed by the DER-encoded certificate itself. Decoding that DER shows a self-signed CA certificate with subject and issuer CN=CloudNet, sha256WithRSAEncryption over a 2048-bit RSA key, valid 2024-03-19 to 2029-03-18, with basicConstraints CA:TRUE and keyUsage keyCertSign/cRLSign; the key name E6E05058C1510337F1C0D7000939C976E01E7070 is its SHA-1 thumbprint. Because the write goes under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT, the certificate becomes a machine-wide trusted root without any user prompt, so TLS endpoints (or code-signing chains) issued under it validate cleanly on the victim. Removing the malware is not enough; the thumbprint must also be purged from the ROOT store.

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E6E05058C1510337F1C0D7000939C976E01E7070\Blob = 040000000100000010000000ff85d9ab4cd724af6f3d7d3fc2ef9b3b0f0000000100000020000000d730cb7433f966be0da3d990d5fada4f62bb7e629a574c25ec8f60d773cccba9030000000100000014000000e6e05058c1510337f1c0d7000939c976e01e707014000000010000001400000013e24100807a4c63e6ee6a2f4715c5e1fe0e4f142000000001000000f9020000308202f5308201dda0030201020210279870039d9b9bc93f65112ef53448e9300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303331393137303030305a170d3239303331383137303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c661803f980f1490d14d5642db965502ee5bdc842e90c508ac6860d95bf23be740112624afc13e2d734d76fdc760cf57cf5b4f755da33b61dee9ce755e75400a63ab0e34df71050365a4e7a3f3fdc06528cc8d285658436da25190310bc288cadb49d536292016e628a33ff110fcead04ed9c8cc1db780fc88a0ed044c1f51fa24cf2b92ba486682b9f40abe75f2c96a0e44cb321dd5c89afc63453d7ce9f6b856748d1455f65cf4a3fa37980f9b54208e87cd5e30f3ee8685cb3b15b65c492b32b80c44d04e1668aa7a7e27c513d8182f10e768a9ed3810fce50ec8dfc37407512a3a61d1f637db304c1ad3a1fecc6751c0a74d0107d92b9bdb2180753e08f90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041413e24100807a4c63e6ee6a2f4715c5e1fe0e4f14300d06092a864886f70d01010b05000382010100938fc4ca824c7894982848f91d8ae5e6b572397f8f48de443c130629162a18d42c68f899ab77ac6107a7eb1a4c05bddb063a3171a5f9f033746e65d6bc871a4f43c968e1cd59361ee4cdd58bfd79480007f7d8800d2fcf54f6b4935cdcbff8dc9855b376ce57827e94c8fd2fc42cd7a759af9c8436f5fd5506d2e4a0c64cf720d8b5292ed4e9791dfa81f7a478c822417d0626719b9b9ca8626a92c93df56638a4de6dc4ab347b26786ad7f3bf16e9fb8d285dbc20cbf32a7f8fdc3070a197d4cd98521f7f49863ce2405099b1a28c1548f339bf8b9501b87646008e131e400818daccad01c912213a60f551decf8ae553996fba160755332c1f16dbe6750f96 
C:\Users\Admin\AppData\Local\Temp\5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E6E05058C1510337F1C0D7000939C976E01E7070\Blob = (same value as the first entry) C:\Users\Admin\AppData\Local\Temp\5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E6E05058C1510337F1C0D7000939C976E01E7070 C:\Users\Admin\AppData\Local\Temp\5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E6E05058C1510337F1C0D7000939C976E01E7070\Blob = (same value as the first entry) C:\Users\Admin\AppData\Local\Temp\5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E6E05058C1510337F1C0D7000939C976E01E7070\Blob = (same value as the first entry) C:\Users\Admin\AppData\Local\Temp\5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f.exe N/A
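The following decoder is an added example written for this report; it is not the sandbox's tooling or the malware's code. It takes the registry key name and the Blob hex exactly as recorded in the table above, walks the serialized property list (each entry is a little-endian property ID, an encoding DWORD, a length, then the data, with the DER certificate stored as property ID 32), recomputes the SHA-1 thumbprint of the embedded certificate to confirm it matches both the key name and the stored SHA-1 property, and pulls the CNs and the basicConstraints CA flag with a deliberately minimal OID scan rather than a full X.509 parser. That scan and the property-name table are assumptions made for illustration; the Blob bytes are the page's own data.

```python
import hashlib
import struct

# Certificate-context property IDs (wincrypt.h CERT_*_PROP_ID) seen in this Blob.
PROP_NAMES = {3: "SHA1_HASH", 4: "MD5_HASH", 15: "SIGNATURE_HASH",
              20: "KEY_IDENTIFIER", 32: "CERT"}
OID_COMMON_NAME = bytes.fromhex("0603550403")        # id-at-commonName 2.5.4.3
OID_BASIC_CONSTRAINTS = bytes.fromhex("0603551d13")  # id-ce-basicConstraints 2.5.29.19

def parse_cert_blob(blob: bytes) -> dict:
    """Walk the Blob: repeated <prop_id u32 LE><encoding u32 LE><len u32 LE><data>."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, _encoding, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} runs past end of Blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props

def common_names(der: bytes) -> list:
    """CNs in order of appearance (issuer, then subject). Heuristic OID scan, not a full parser."""
    names, i = [], 0
    while (i := der.find(OID_COMMON_NAME, i)) >= 0:
        i += len(OID_COMMON_NAME)
        tag, length = der[i], der[i + 1]
        if tag in (0x13, 0x0C) and length < 0x80:  # PrintableString / UTF8String
            names.append(der[i + 2:i + 2 + length].decode("utf-8", "replace"))
    return names

def is_ca(der: bytes) -> bool:
    """basicConstraints: OID [critical BOOLEAN] OCTET STRING { SEQUENCE { BOOLEAN cA ... } }."""
    i = der.find(OID_BASIC_CONSTRAINTS)
    if i < 0:
        return False
    i += len(OID_BASIC_CONSTRAINTS)
    if der[i] == 0x01:  # critical flag encoded as 01 01 xx, skip it
        i += 3
    if der[i] != 0x04:
        return False
    value = der[i + 2:i + 2 + der[i + 1]]
    return value[:1] == b"\x30" and value[2:5] == b"\x01\x01\xff"  # cA TRUE (absent = FALSE)

def check_store_entry(key_thumbprint: str, blob: bytes) -> dict:
    """Decode the Blob and cross-check it against the registry key it was written under."""
    props = parse_cert_blob(blob)
    der = props[32]
    sha1 = hashlib.sha1(der).hexdigest()
    cns = common_names(der)
    return {"props": [PROP_NAMES.get(p, str(p)) for p in props],
            "cert_len": len(der),
            "sha1": sha1,
            "sha1_matches_key": sha1 == key_thumbprint.lower(),
            "sha1_matches_prop": sha1 == props[3].hex(),
            "key_id": props[20].hex(),
            "issuer_cn": cns[0] if cns else None,
            "subject_cn": cns[-1] if cns else None,
            "ca": is_ca(der)}

# Key name and Blob copied from the sandbox table above (hex split for readability).
KEY_THUMBPRINT = "E6E05058C1510337F1C0D7000939C976E01E7070"
BLOB_HEX = (
    "040000000100000010000000ff85d9ab4cd724af6f3d7d3fc2ef9b3b"          # MD5 hash (4)
    "0f0000000100000020000000"                                            # signature hash (15)
    "d730cb7433f966be0da3d990d5fada4f62bb7e629a574c25ec8f60d773cccba9"
    "030000000100000014000000e6e05058c1510337f1c0d7000939c976e01e7070"  # SHA1 hash (3)
    "14000000010000001400000013e24100807a4c63e6ee6a2f4715c5e1fe0e4f14"  # key identifier (20)
    "2000000001000000f9020000"                                            # certificate (32), 761 bytes
    "308202f5308201dda0030201020210279870039d9b9bc93f65112ef53448e9"
    "300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574"
    "301e170d3234303331393137303030305a170d3239303331383137303030305a"
    "30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d0101010500"
    "0382010f003082010a0282010100"
    "c661803f980f1490d14d5642db965502ee5bdc842e90c508ac6860d95bf23be7"
    "40112624afc13e2d734d76fdc760cf57cf5b4f755da33b61dee9ce755e75400a"
    "63ab0e34df71050365a4e7a3f3fdc06528cc8d285658436da25190310bc288ca"
    "db49d536292016e628a33ff110fcead04ed9c8cc1db780fc88a0ed044c1f51fa"
    "24cf2b92ba486682b9f40abe75f2c96a0e44cb321dd5c89afc63453d7ce9f6b8"
    "56748d1455f65cf4a3fa37980f9b54208e87cd5e30f3ee8685cb3b15b65c492b"
    "32b80c44d04e1668aa7a7e27c513d8182f10e768a9ed3810fce50ec8dfc37407"
    "512a3a61d1f637db304c1ad3a1fecc6751c0a74d0107d92b9bdb2180753e08f9"
    "0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff0408"
    "30060101ff020101301d0603551d0e0416041413e24100807a4c63e6ee6a2f4715c5e1fe0e4f14"
    "300d06092a864886f70d01010b05000382010100"
    "938fc4ca824c7894982848f91d8ae5e6b572397f8f48de443c130629162a18d4"
    "2c68f899ab77ac6107a7eb1a4c05bddb063a3171a5f9f033746e65d6bc871a4f"
    "43c968e1cd59361ee4cdd58bfd79480007f7d8800d2fcf54f6b4935cdcbff8dc"
    "9855b376ce57827e94c8fd2fc42cd7a759af9c8436f5fd5506d2e4a0c64cf720"
    "d8b5292ed4e9791dfa81f7a478c822417d0626719b9b9ca8626a92c93df56638"
    "a4de6dc4ab347b26786ad7f3bf16e9fb8d285dbc20cbf32a7f8fdc3070a197d4"
    "cd98521f7f49863ce2405099b1a28c1548f339bf8b9501b87646008e131e4008"
    "18daccad01c912213a60f551decf8ae553996fba160755332c1f16dbe6750f96"
)
BLOB = bytes.fromhex(BLOB_HEX)

if __name__ == "__main__":
    for field, value in check_store_entry(KEY_THUMBPRINT, BLOB).items():
        print(f"{field}: {value}")
```

The same function works on a Blob exported from a live host's HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint> key, which is the quickest way to confirm during incident response that the entry present on a machine is byte-for-byte the one this sample plants rather than a legitimately installed root.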

Processes

C:\Users\Admin\AppData\Local\Temp\5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f.exe

"C:\Users\Admin\AppData\Local\Temp\5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 awe232-service-app.com udp
N/A 100.114.106.116:443 awe232-service-app.com tcp
N/A 100.114.106.116:443 awe232-service-app.com tcp
N/A 100.114.106.116:443 awe232-service-app.com tcp
N/A 100.114.106.116:443 awe232-service-app.com tcp
N/A 100.114.106.116:443 awe232-service-app.com tcp
N/A 100.114.106.116:443 awe232-service-app.com tcp
N/A 100.114.106.116:443 awe232-service-app.com tcp

Note: the addresses awe232-service-app.com resolved to in both detonations (100.114.106.116 here, 100.74.119.0 in behavioral2) fall inside 100.64.0.0/10, the RFC 6598 shared address space, which is not publicly routable. Treat the domain as the network indicator and do not block or pivot on these IPs as if they were the C2 host.

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-01 08:46

Reported

2024-04-01 08:49

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f.exe

"C:\Users\Admin\AppData\Local\Temp\5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.49.113.100.in-addr.arpa udp
US 8.8.8.8:53 69.69.116.100.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 208.116.117.100.in-addr.arpa udp
US 8.8.8.8:53 awe232-service-app.com udp
N/A 100.74.119.0:443 awe232-service-app.com tcp
US 8.8.8.8:53 0.119.74.100.in-addr.arpa udp
US 8.8.8.8:53 165.139.112.100.in-addr.arpa udp
US 8.8.8.8:53 100.76.86.100.in-addr.arpa udp
N/A 100.74.119.0:443 awe232-service-app.com tcp
N/A 100.74.119.0:443 awe232-service-app.com tcp
N/A 100.74.119.0:443 awe232-service-app.com tcp
US 8.8.8.8:53 247.53.71.100.in-addr.arpa udp
N/A 100.74.119.0:443 awe232-service-app.com tcp
US 8.8.8.8:53 udp

Files

N/A