Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2024 03:58

General

  • Target

    b6e771e0b103860181528efbb46687d5219b656e3a0013fcc9727c6d7f989a02.exe

  • Size

    208KB

  • MD5

    81d0a8f85716b8e55251693d3a56b81e

  • SHA1

    3a12c279037c5836e9fdd7d4029962647f16d850

  • SHA256

    b6e771e0b103860181528efbb46687d5219b656e3a0013fcc9727c6d7f989a02

  • SHA512

    f94e8d948151f54133eb6c65ab899b0fea1a0f72dd76c45a077d3c87180db98e5d28ae0ffa279eb9cddd0889b7390de05beecf5c1212f50308470123063b4192

  • SSDEEP

    6144:Ta1oB/yvpK0JCmRcRRR8N0e2kXfCqNidkfk:TbapK0JCmRcU9vVokf

Malware Config

Extracted

Family

simda

Attributes
  • dga

    gatyfus.com

    lyvyxor.com

    vojyqem.com

    qetyfuv.com

    puvyxil.com

    gahyqah.com

    lyryfyd.com

    vocyzit.com

    qegyqaq.com

    purydyv.com

    gacyzuz.com

    lygymoj.com

    vowydef.com

    qexylup.com

    pufymoq.com

    gaqydeb.com

    lyxylux.com

    vofymik.com

    qeqysag.com

    puzylyp.com

    gadyniw.com

    lymysan.com

    volykyc.com

    qedynul.com

    pumypog.com

    galykes.com

    lysynur.com

    vonypom.com

    qekykev.com

    pupybul.com

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6e771e0b103860181528efbb46687d5219b656e3a0013fcc9727c6d7f989a02.exe
    "C:\Users\Admin\AppData\Local\Temp\b6e771e0b103860181528efbb46687d5219b656e3a0013fcc9727c6d7f989a02.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2600

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\942D.tmp

    Filesize

    593B

    MD5

    926512864979bc27cf187f1de3f57aff

    SHA1

    acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

    SHA256

    b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

    SHA512

    f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Users\Admin\AppData\Local\Temp\A74C.tmp

    Filesize

    24KB

    MD5

    ccc8e9e9660f99b7fd74769a0495fc7e

    SHA1

    503f9a3f096c529d7c742adb553fa2f2a357237d

    SHA256

    a2806912de6941cf5d9195d8bb3675f806fbf0cb495caf071b9164407b85ede5

    SHA512

    e3cfcc00fe49d8862aa05bbe7e9b02f961903287bfdb280a98f2bd1dff0fa081e0aa36c79fe442a9d9911daf5ed0caf73d0a1a12f6d7cc4f3341bab73645eab9

  • C:\Users\Admin\AppData\Local\Temp\A7CD.tmp

    Filesize

    60KB

    MD5

    7b29dd4402ffc270873b532f1a3eb51d

    SHA1

    1abe3746c29d10b4bde2334df74b0fa70422ca18

    SHA256

    e3edeed0a09678cc754adc4feec2f888e38e321e0594e87a971fdb291333ca8c

    SHA512

    48566519a2e35adc631c114ca9b7555e8d0f16a0a2084378b7b1206a84f795802fc1df902498127eff41de252d9718635780a861c8dbaad8e613609e2ad247cb

  • C:\Users\Admin\AppData\Local\Temp\A84D.tmp

    Filesize

    481B

    MD5

    015b60fd953fa2e1a96b5e25d3a72c69

    SHA1

    024a8c473b71ae953d6a59d2d4293f91adb576db

    SHA256

    333c27720d5d30633b6b0248bcb148f28d45d15fd5c5df2e63a870a65617675e

    SHA512

    a4738f43d8ff9460f29467c5b3633b65414582a053503de57a752c14176d47079db2b8ae96f4b0363660dd65f4bff3a382f34da705ddb36c1d09e79c031966ad

  • C:\Windows\apppatch\svchost.exe

    Filesize

    208KB

    MD5

    f3baec42ab909c633db9d7ec3674bda4

    SHA1

    bb64c7cab04cd99f748c8014ee8fa3e559aa88fd

    SHA256

    9c7a4e2a83906e6692beac3439adc4d8b6cff4e87bff803574988818be13dddb

    SHA512

    b32df263fa03c21bb2a69d0e9ad751988cfdf9c2a6c981c31808cd9da0b771838ebebc322d8dd74d80dda87d1925ad13430014e2a9c3b54c4d0453c4498bd232

  • memory/2484-0-0x0000000000500000-0x0000000000503000-memory.dmp

    Filesize

    12KB

  • memory/2484-1-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2484-13-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2484-12-0x0000000000500000-0x0000000000503000-memory.dmp

    Filesize

    12KB

  • memory/2484-11-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2600-70-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-65-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-20-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-71-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-62-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-60-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-53-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-50-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-51-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-40-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-37-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-35-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-32-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-30-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-28-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-26-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-23-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-79-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-78-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-77-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-76-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-75-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-74-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-73-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-72-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-18-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-69-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-17-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2600-68-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-67-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-66-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-22-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-64-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-63-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-61-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-59-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-58-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-57-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-56-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-55-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-54-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-52-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-49-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-48-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-47-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-46-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-45-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-44-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-43-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-16-0x0000000002A00000-0x0000000002AA8000-memory.dmp

    Filesize

    672KB

  • memory/2600-42-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-41-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-39-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-38-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-36-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-34-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-33-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-31-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-29-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-27-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-25-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-24-0x0000000002BB0000-0x0000000002C66000-memory.dmp

    Filesize

    728KB

  • memory/2600-15-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2600-14-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB