Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-10-2024 03:58

General

  • Target
    b6e771e0b103860181528efbb46687d5219b656e3a0013fcc9727c6d7f989a02.exe
  • Size
    208KB
  • MD5
    81d0a8f85716b8e55251693d3a56b81e
  • SHA1
    3a12c279037c5836e9fdd7d4029962647f16d850
  • SHA256
    b6e771e0b103860181528efbb46687d5219b656e3a0013fcc9727c6d7f989a02
  • SHA512
    f94e8d948151f54133eb6c65ab899b0fea1a0f72dd76c45a077d3c87180db98e5d28ae0ffa279eb9cddd0889b7390de05beecf5c1212f50308470123063b4192
  • SSDEEP
    6144:Ta1oB/yvpK0JCmRcRRR8N0e2kXfCqNidkfk:TbapK0JCmRcU9vVokf

Malware Config

Extracted

Family

simda

Attributes
  • dga

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6e771e0b103860181528efbb46687d5219b656e3a0013fcc9727c6d7f989a02.exe
    "C:\Users\Admin\AppData\Local\Temp\b6e771e0b103860181528efbb46687d5219b656e3a0013fcc9727c6d7f989a02.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\login[4].htm
    Filesize 162B
    MD5 4f8e702cc244ec5d4de32740c0ecbd97
    SHA1 3adb1f02d5b6054de0046e367c1d687b6cdf7aff
    SHA256 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
    SHA512 21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

  • C:\Users\Admin\AppData\Local\Temp\421.tmp
    Filesize 593B
    MD5 926512864979bc27cf187f1de3f57aff
    SHA1 acdeb9d6187932613c7fa08eaf28f0cd8116f4b5
    SHA256 b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f
    SHA512 f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Users\Admin\AppData\Local\Temp\F763.tmp
    Filesize 481B
    MD5 2e5a07d0432af364e5398e2ea5563168
    SHA1 5f85fceda597ab465053a392fad37609088cd166
    SHA256 a9a998cb0f6714a8521a84c5b2222e4dabdc2707668bcec7a91d38e20e005ae1
    SHA512 63b3d78c866cd7a18d321a65ff56bba86f4d8ece2a2eb149170f592184646a82261074ee53ce8d83543f830e5c967d121718552ebc9448ae96c8c2f24b37c450

  • \Windows\AppPatch\svchost.exe
    Filesize 208KB
    MD5 efa9e0a27d0752322e5dbbc6b455f722
    SHA1 b5a7c62952b73138320a80987cabf47bdc64284c
    SHA256 125928dfa8823151f19b72cac234cff37f19e4bfd10ffd9e4211fa8505266a1e
    SHA512 1dddd6ead7a4e5e8e4a590aefda45a4d1e9a6645d415c0380331ee0ef6e627422eb0a5a3892563a7a632cb7bebf11148e250661580121710dbe2f81302647295

  • Memory dumps for PID 2376 (b6e771e0b103860181528efbb46687d5219b656e3a0013fcc9727c6d7f989a02.exe), by region
    0x0000000000240000-0x0000000000243000, 12KB (dumps 0, 13)
    0x0000000000400000-0x000000000045F000, 380KB (dumps 1, 14)
    0x0000000000400000-0x0000000000467000, 412KB (dump 12)

  • Memory dumps for PID 2744 (C:\Windows\apppatch\svchost.exe), by region
    0x0000000000400000-0x0000000000467000, 412KB (dumps 15, 16, 28)
    0x0000000000470000-0x0000000000518000, 672KB (dumps 17, 19, 21, 23, 25, 27)
    0x00000000023F0000-0x00000000024A6000, 728KB (dumps 29, 31, 33, 35 through 81)