Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    19/09/2024, 20:00

General

  • Target

    760e5c8f836e2a0054c4270fffdc54aee104b4ad109ee7edff4d82e50a57b7ceN.exe

  • Size

    1.3MB

  • MD5

    0acffb0cb5b3a1ad763e251e93f3a350

  • SHA1

    6297bd956e04c2f7cf5ccb8189a72f603412ddbe

  • SHA256

    760e5c8f836e2a0054c4270fffdc54aee104b4ad109ee7edff4d82e50a57b7ce

  • SHA512

    c31714756a46336c71c03216634766ee67970d5e0514a8f07188cfaecbd8b885ce8d0dace123816a083584b9275627f73b083b353c86e66792ce98d281c9decf

  • SSDEEP

    24576:ImUNJyJqb1FcMap2ATT5rmUNJyJqymUNJyJqb1FcMap2ATT5rmUNJyJqymUNJyJZ:ImV2AprmV1mV2AprmV1mV2AprmVQ

Malware Config

Extracted

Family

simda

Attributes
  • dga


Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\760e5c8f836e2a0054c4270fffdc54aee104b4ad109ee7edff4d82e50a57b7ceN.exe
    "C:\Users\Admin\AppData\Local\Temp\760e5c8f836e2a0054c4270fffdc54aee104b4ad109ee7edff4d82e50a57b7ceN.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2796

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\F90F.tmp

          Filesize

          42KB

          MD5

          a5ce06c48358b237b1499f6d3426371e

          SHA1

          609bfdb84bc786023f8752cfe7dd0133b4bbe11c

          SHA256

          0be06d2f6f102e5f19b87fd92ff0dff8bbbf15131f2c249259b32892d7552b3c

          SHA512

          4132f2d5707c2bb81f249e71b087fec2ad0d3be0c3e952eaf8b5997c905a20b79d3b8da1cd5dc7e1ca18109a22f6d36323e6bc7f009c8a91ec4566f6bcaa3640

        • \Windows\AppPatch\svchost.exe

          Filesize

          1.3MB

          MD5

          6df60f760d87e4750651bfbc72ff63c8

          SHA1

          d43a248ced77cb93d72bf05d0ec622607c698431

          SHA256

          6e022f40bf5b446a5db89b7722ee873c1c9520c5f03c9a08bc70c40320c50f65

          SHA512

          11cfdc36604cdd372ed7e3448ea0d0ddbad256ba80e6100b6983f5db4014300402f1c7c06b38b9a9f278bc984b7d7e102347750a172e69069c1e26837066fd01

        • memory/2132-12-0x0000000000400000-0x000000000045F000-memory.dmp

          Filesize

          380KB

        • memory/2796-14-0x0000000002130000-0x00000000021D8000-memory.dmp

          Filesize

          672KB

        • memory/2796-16-0x0000000002130000-0x00000000021D8000-memory.dmp

          Filesize

          672KB

        • memory/2796-20-0x0000000002130000-0x00000000021D8000-memory.dmp

          Filesize

          672KB

        • memory/2796-24-0x0000000002130000-0x00000000021D8000-memory.dmp

          Filesize

          672KB

        • memory/2796-22-0x0000000002130000-0x00000000021D8000-memory.dmp

          Filesize

          672KB

        • memory/2796-18-0x0000000002130000-0x00000000021D8000-memory.dmp

          Filesize

          672KB

        • memory/2796-29-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-27-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-25-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-40-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-39-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-44-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-77-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-75-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-74-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-73-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-71-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-70-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-68-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-67-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-65-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-64-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-62-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-61-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-60-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-58-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-57-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-56-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-54-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-52-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-51-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-49-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-48-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-46-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-76-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-72-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-69-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-66-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-63-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-42-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-59-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-55-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-53-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-37-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-34-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-50-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-47-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-45-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-43-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-38-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-41-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-36-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-35-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-33-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-32-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-31-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB

        • memory/2796-197-0x0000000002320000-0x00000000023D6000-memory.dmp

          Filesize

          728KB