Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 22:16

General

  • Target

    4235e7a97cd29f0d7787a2fdc1b5cd0d1194afcd9fd7dacfcf4a2ab1b3322194.exe

  • Size

    355KB

  • MD5

    f828dab602b9fbd149aee57b50254837

  • SHA1

    ab2de1732e4e08844b49f6c93ba792a2521b2b3e

  • SHA256

    4235e7a97cd29f0d7787a2fdc1b5cd0d1194afcd9fd7dacfcf4a2ab1b3322194

  • SHA512

    e6f29e5bdcf3046d97f6d36289574f04b676abfc8db99d1196556eeae7d72c6ce8ef0b2570687def0b95f06ffb1ec84f9b17d20f11e23c1040b327b3ca7441eb

  • SSDEEP

    6144:p3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9EiS:+mWhND9yJz+b1FcMLmp2ATTSsdS

Malware Config

Extracted

Family

simda

Attributes
  • dga

    gatyfus.com

    lyvyxor.com

    vojyqem.com

    qetyfuv.com

    puvyxil.com

    gahyqah.com

    lyryfyd.com

    vocyzit.com

    qegyqaq.com

    purydyv.com

    gacyzuz.com

    lygymoj.com

    vowydef.com

    qexylup.com

    pufymoq.com

    gaqydeb.com

    lyxylux.com

    vofymik.com

    qeqysag.com

    puzylyp.com

    gadyniw.com

    lymysan.com

    volykyc.com

    qedynul.com

    pumypog.com

    galykes.com

    lysynur.com

    vonypom.com

    qekykev.com

    pupybul.com

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4235e7a97cd29f0d7787a2fdc1b5cd0d1194afcd9fd7dacfcf4a2ab1b3322194.exe
    "C:\Users\Admin\AppData\Local\Temp\4235e7a97cd29f0d7787a2fdc1b5cd0d1194afcd9fd7dacfcf4a2ab1b3322194.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BB68.tmp

    Filesize

    42KB

    MD5

    bef77b8f584051895bfe35cd2cf1b069

    SHA1

    11ee649ead77b97ad1f753ccc9073ad1aa5029a4

    SHA256

    f6a3aa85b0dae8a9744b318988ce796f78bad24dba758e9310788e625ea361d4

    SHA512

    29903c4d4959270f859f1a496e9564704711d4f7ba8f526a53cff1b6695a9638593f30ae2137c2f7858213243aa42d7fe569ddf5374b66b362c9a1e00cfeb4d9

  • C:\Users\Admin\AppData\Local\Temp\BC08.tmp

    Filesize

    62KB

    MD5

    8c28cc87223c1c9b6c2eeb461bb56d1e

    SHA1

    367faf0eb3a817f6659047dfa6884ab9ed5d1fe8

    SHA256

    fc5775884f8e176b440f4ceb0c20c1814e8b8375d0fd283d2e00326f2755c3d2

    SHA512

    5d39aad0fbd5b3529e77b915fd76063b7bedfea5467a5c333eed67cf902a31a060b33ea74db77310c74dc94dc47fc38d97db728437570ca0a3d006c879735757

  • C:\Users\Admin\AppData\Local\Temp\BC18.tmp

    Filesize

    481B

    MD5

    1eeb1772ad386ca011bf7f98ab0b4095

    SHA1

    3e11831c0fa8d72d296bcf7c3be76cf2b290bd7e

    SHA256

    27afcb1302157c82be3b82ef51bc654d0e95db8303df9928efe7ce1699228177

    SHA512

    9f7c6472fde471ac79c86f8dc04b3fc97d6a9f71f4a786b802b4c0a24ff0a12be5fa9d070a39aaaa88aed4403ce8cad89e4716e6c3948472d7ba7b973ecf6bc8

  • C:\Users\Admin\AppData\Local\Temp\FBF3.tmp

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\FBF3.tmp

    Filesize

    593B

    MD5

    926512864979bc27cf187f1de3f57aff

    SHA1

    acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

    SHA256

    b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

    SHA512

    f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Windows\apppatch\svchost.exe

    Filesize

    355KB

    MD5

    5b40e92def84c6663ac8542de9e29959

    SHA1

    d9cef1a968fd15e5e07672b91314b516412aeeed

    SHA256

    9d882f6c4f5f1ce7e45c3605064d487a6dfa5bd19d8148be625aca49c3edbb4d

    SHA512

    b631deb6804d06d3ce882cc94cc49f3406e1d98c690d55b3352f8bbbece6966cfbd5e9e15cd1db6a222cf6736f07aba5e084c55d5ca33728113ed74573157293

  • memory/408-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-10-0x0000000002720000-0x00000000027C8000-memory.dmp

    Filesize

    672KB

  • memory/408-15-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-11-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/408-177-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/4656-9-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB