Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2024 09:56

General

  • Target

    f769fcf3131c1cd9bbe155c827371eca3a9b07f446729dcc939d27a5703609abN.exe

  • Size

    230KB

  • MD5

    94a9a3777e967eae3dd89b5ce5642c90

  • SHA1

    827ef7d402f9cad442d96bb2cdf192ea298e5e3d

  • SHA256

    f769fcf3131c1cd9bbe155c827371eca3a9b07f446729dcc939d27a5703609ab

  • SHA512

    a3eac6e9c366947061046225369274bcebc4b2c0bd7def8a8a59b1134faaa93c8a48cd52158423085bf7c226ac1ef5ea22c3f7cc9cc1564f915a698ef202f7d8

  • SSDEEP

    3072:uIMa5VPdnLAWeBIg5Si2mVvu3TRENKWH3xPALAiyEv7p5qyt/s7niwK/f+JuKtkk:zDAWw5NV4EBXWAIT/nw08xTm3E

Malware Config

Extracted

Family

simda

Attributes
  • dga

    gatyfus.com

    lyvyxor.com

    vojyqem.com

    qetyfuv.com

    puvyxil.com

    gahyqah.com

    lyryfyd.com

    vocyzit.com

    qegyqaq.com

    purydyv.com

    gacyzuz.com

    lygymoj.com

    vowydef.com

    qexylup.com

    pufymoq.com

    gaqydeb.com

    lyxylux.com

    vofymik.com

    qeqysag.com

    puzylyp.com

    gadyniw.com

    lymysan.com

    volykyc.com

    qedynul.com

    pumypog.com

    galykes.com

    lysynur.com

    vonypom.com

    qekykev.com

    pupybul.com
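
The DGA list above is the most immediately actionable part of the extracted config. As an added example (not code from the sandbox or from the report), here is a small Python matcher that checks DNS query logs against those 30 domains. The log layout (`timestamp client qname qtype`) and the log lines themselves are constructed for the example; the only real data is the domain list from the config above. It matches the domains themselves and any subdomain of them, but not look-alike names that merely end in the same string.

```python
"""Match DNS query logs against the DGA domains from this sample's Simda config.

Added example; the log format and sample lines are constructed, the domain
list is the one extracted from the sample above.
"""
import re
from typing import Iterable, List, Optional, Tuple

# The 30 DGA domains from the extracted config.
SIMDA_DGA_DOMAINS = {
    "gatyfus.com", "lyvyxor.com", "vojyqem.com", "qetyfuv.com", "puvyxil.com",
    "gahyqah.com", "lyryfyd.com", "vocyzit.com", "qegyqaq.com", "purydyv.com",
    "gacyzuz.com", "lygymoj.com", "vowydef.com", "qexylup.com", "pufymoq.com",
    "gaqydeb.com", "lyxylux.com", "vofymik.com", "qeqysag.com", "puzylyp.com",
    "gadyniw.com", "lymysan.com", "volykyc.com", "qedynul.com", "pumypog.com",
    "galykes.com", "lysynur.com", "vonypom.com", "qekykev.com", "pupybul.com",
}

# Constructed sample log in a "timestamp client qname qtype" layout (not real telemetry).
# Includes a trailing-dot/upper-case query, a subdomain, and a look-alike that must NOT match.
SAMPLE_DNS_LOG = """\
2024-10-30T09:57:01Z 10.0.0.15 www.microsoft.com A
2024-10-30T09:57:04Z 10.0.0.15 gatyfus.com A
2024-10-30T09:57:05Z 10.0.0.15 LYVYXOR.COM. A
2024-10-30T09:57:06Z 10.0.0.15 cdn.vojyqem.com A
2024-10-30T09:57:07Z 10.0.0.22 notgatyfus.com A
2024-10-30T09:57:08Z 10.0.0.15 example.org AAAA
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so FQDN spellings compare equal."""
    return qname.rstrip(".").lower()


def match_dga(qname: str, dga=SIMDA_DGA_DOMAINS) -> Optional[str]:
    """Return the DGA domain that qname is, or is a subdomain of; else None.

    Walks the label suffixes from the full name down to the two-label
    registrable name, so "cdn.vojyqem.com" matches "vojyqem.com" while the
    look-alike "notgatyfus.com" does not match "gatyfus.com".
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in dga:
            return candidate
    return None


def find_dga_hits(lines: Iterable[str], dga=SIMDA_DGA_DOMAINS) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, queried_name, matched_dga_domain) for each hit."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # skip blank or malformed lines rather than failing the whole run
            continue
        matched = match_dga(m["qname"], dga)
        if matched:
            hits.append((m["ts"], m["client"], normalize(m["qname"]), matched))
    return hits


def clients_by_hit_count(hits) -> dict:
    """Aggregate hits per client so the noisiest host surfaces first."""
    counts: dict = {}
    for _ts, client, _qname, _dom in hits:
        counts[client] = counts.get(client, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    found = find_dga_hits(SAMPLE_DNS_LOG.splitlines())
    for hit in found:
        print(hit)
    print(clients_by_hit_count(found))
```

Treat the list as a snapshot rather than a complete blocklist: the config contains the domains the sample generated for the period in which it was run, and a DGA produces different names over time, so the matcher is a starting point for hunting, not proof of absence when it returns nothing.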

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f769fcf3131c1cd9bbe155c827371eca3a9b07f446729dcc939d27a5703609abN.exe
    "C:\Users\Admin\AppData\Local\Temp\f769fcf3131c1cd9bbe155c827371eca3a9b07f446729dcc939d27a5703609abN.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3488
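
The process tree above gives a compact behavioural chain: an executable in the user's Temp directory writes a copy of itself to C:\Windows\apppatch\svchost.exe, launches it, and the child modifies Winlogon for persistence. As an added example (not the sandbox's or the report's own code), the Python below encodes those observations as detection rules and runs them over constructed Sysmon-style events (process create, file create, registry value set). The paths, PIDs and the dropped-file SHA256 come from the report; the event layout, the benign events, and the exact Winlogon value and data are assumptions, since the report says only that Winlogon was modified, not which value or with what content.

```python
"""Detection rules for the behaviour in the process tree above, run over
constructed Sysmon-style events. Added example; paths, PIDs and the dropped
file hash are from the report, everything else is constructed.
"""
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Indicators taken from the report.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\f769fcf3131c1cd9bbe155c827371eca3a9b07f446729dcc939d27a5703609abN.exe")
DROPPED_PATH = r"C:\Windows\apppatch\svchost.exe"
DROPPED_SHA256 = "46d0a649b80d0370d4fc1144f2f64a642bc8ad9fb0866234d9b7cc3aa1540c6e"

# A genuine svchost.exe lives only in these directories; any other location is masquerading.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Winlogon values commonly abused for persistence and their stock data.
# ASSUMPTION: the report does not say which Winlogon value this sample changed.
WINLOGON_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}

# Constructed events modelled loosely on Sysmon IDs 1 (process create),
# 11 (file create) and 13 (registry value set). Not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "pid": 1936, "image": DROPPER, "ppid": 4012, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 1936, "target": DROPPED_PATH, "sha256": DROPPED_SHA256},
    {"id": 1, "pid": 3488, "image": DROPPED_PATH, "ppid": 1936, "parent_image": DROPPER},
    {"id": 13, "pid": 3488,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "data": r"explorer.exe, C:\Windows\apppatch\svchost.exe"},   # constructed persistence value
    # Benign control events: the real svchost.exe started by services.exe, and a Shell
    # value written with its default data.
    {"id": 1, "pid": 4100, "image": r"C:\Windows\System32\svchost.exe", "ppid": 700,
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 13, "pid": 4100,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "data": "explorer.exe"},
]


def is_masquerading_svchost(image: str) -> bool:
    """svchost.exe by name but not in System32/SysWOW64."""
    p = PureWindowsPath(image)
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in LEGIT_SVCHOST_DIRS


def is_user_temp_path(image: str) -> bool:
    return "\\appdata\\local\\temp\\" in image.lower()


def is_under_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def is_winlogon_tamper(key: str, data: str) -> bool:
    """A write to Winlogon\\Shell or \\Userinit whose data is not the stock value."""
    parent, _, value = key.lower().rpartition("\\")
    if parent != WINLOGON_KEY or value not in WINLOGON_DEFAULTS:
        return False
    return data.strip().lower() != WINLOGON_DEFAULTS[value]


def analyse(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule_name, pid, detail) for every rule that fires."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        if e["id"] == 1:
            if is_masquerading_svchost(e["image"]):
                alerts.append(("svchost_outside_system32", e["pid"], e["image"]))
            if is_user_temp_path(e.get("parent_image", "")) and is_under_windows_dir(e["image"]):
                alerts.append(("windows_binary_spawned_by_user_temp", e["pid"], e["image"]))
        elif e["id"] == 11:
            writer = image_by_pid.get(e["pid"], "")
            if is_user_temp_path(writer) and is_under_windows_dir(e["target"]):
                alerts.append(("drop_into_windows_dir", e["pid"], e["target"]))
            if e.get("sha256", "").lower() == DROPPED_SHA256:
                alerts.append(("known_simda_dropped_file", e["pid"], e["target"]))
        elif e["id"] == 13 and is_winlogon_tamper(e["key"], e["data"]):
            alerts.append(("winlogon_persistence", e["pid"], e["data"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

The path-based rules are the durable ones: the dropped file's hash will change with every repack, but a file named svchost.exe outside System32/SysWOW64, a C:\Windows binary whose parent runs from a user's Temp directory, and a non-default Winlogon Shell or Userinit value are worth alerting on regardless of family. On a host where writes to C:\Windows\apppatch succeed, also check that the dropper was running with enough privilege to do so; that directory is not normally writable by a standard user.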

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\login[2].htm

    Filesize

    168B

    MD5

    d57e3a550060f85d44a175139ea23021

    SHA1

    2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

    SHA256

    43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

    SHA512

    0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\login[5].htm

    Filesize

    593B

    MD5

    3b03d93d3487806337b5c6443ce7a62d

    SHA1

    93a7a790bb6348606cbdaf5daeaaf4ea8cf731d0

    SHA256

    7392749832c70fcfc2d440d7afc2f880000dd564930d95d634eb1199fa15de30

    SHA512

    770977beaeedafc5c98d0c32edc8c6c850f05e9f363bc9997fa73991646b02e5d40ceed0017b06caeab0db86423844bc4b0a9f0df2d8239230e423a7bfbd4a88

  • C:\Users\Admin\AppData\Local\Temp\CEFC.tmp

    Filesize

    593B

    MD5

    926512864979bc27cf187f1de3f57aff

    SHA1

    acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

    SHA256

    b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

    SHA512

    f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Users\Admin\AppData\Local\Temp\DFEB.tmp

    Filesize

    60KB

    MD5

    3e2b538c5b3738e21a45ba11a31bdea5

    SHA1

    5d3658a6de18178cfe216d76f236f14cfcf909b7

    SHA256

    c877bdb35d8f8f877ccc36c014e93b0de1937a4e57e84f29a34bebe1f5849441

    SHA512

    254f7152d4a678ff1d14bddc56692557f7b9da2ee221a7278015a2a2e2179c8a7f61176f3024d138b87be0d53fb1998b6e99b83ec67dd09657a6f07287606d79

  • C:\Users\Admin\AppData\Local\Temp\E00C.tmp

    Filesize

    98KB

    MD5

    ae6e0e218eaff6ec773ca1629f43699d

    SHA1

    eeb14583e413a206e34e2f647ec651ae6d7bb813

    SHA256

    54a775e23d850ad832a4f51465af8a12774018d72c646d8fa1dae612330f0391

    SHA512

    4a9ba23c18c3a84ebad0903a1f9d9f86847eda524942d25fb463986fc7825dc0ae5c8596ae13749204357211a912bcf05e4f1eb112630815aa6847321d4b6db7

  • C:\Users\Admin\AppData\Local\Temp\E00C.tmp

    Filesize

    98KB

    MD5

    62cc928ba8ee76d56b6059de3182a88d

    SHA1

    242480b1240b26def97294f94b776ba01b396a67

    SHA256

    aa4df607806143af119650958ef0a300b057ca70141eff4799dd076f53043f4c

    SHA512

    490d1f5b1820ce555d83cdf1fd35d5817118332c292f83e346192ce109fde9a707a52135707764abb051e4962d7d2d3969ffd64149c93337d58e58d5fd3bb3fa

  • C:\Windows\apppatch\svchost.exe

    Filesize

    230KB

    MD5

    841de23106bebdf29677a44de1106f9d

    SHA1

    777250804de3b26c1c644def4d4154498fc637ac

    SHA256

    46d0a649b80d0370d4fc1144f2f64a642bc8ad9fb0866234d9b7cc3aa1540c6e

    SHA512

    8b0c5101f7b58a32c395aca7d1de0e92e6518b90c2d2c65201682b201316f55bc5d23095270762258163afc12d23a045262862757d157a55fc5fd0e7f8b0ee0c

  • memory/1936-0-0x0000000000400000-0x00000000004FD000-memory.dmp

    Filesize

    1012KB

  • memory/1936-13-0x0000000000400000-0x00000000004FD000-memory.dmp

    Filesize

    1012KB

  • memory/1936-15-0x0000000002290000-0x00000000022E1000-memory.dmp

    Filesize

    324KB

  • memory/1936-16-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/1936-2-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/1936-1-0x0000000002290000-0x00000000022E1000-memory.dmp

    Filesize

    324KB

  • memory/3488-62-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-53-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-22-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-24-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-30-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-28-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-37-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-74-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-79-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-78-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-77-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-76-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-75-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-73-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-72-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-71-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-70-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-68-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-67-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-66-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-65-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-64-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-63-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-19-0x0000000000400000-0x00000000004FD000-memory.dmp

    Filesize

    1012KB

  • memory/3488-61-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-69-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-58-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-57-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-56-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-55-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-54-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-20-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-52-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-51-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-50-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-49-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-48-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-46-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-44-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-43-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-42-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-41-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-40-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-39-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-36-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-35-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-34-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-60-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-33-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-32-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-31-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-29-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-26-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-27-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-25-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-47-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-18-0x0000000002E00000-0x0000000002EA8000-memory.dmp

    Filesize

    672KB

  • memory/3488-17-0x0000000000400000-0x00000000004FD000-memory.dmp

    Filesize

    1012KB

  • memory/3488-14-0x0000000000400000-0x00000000004FD000-memory.dmp

    Filesize

    1012KB

  • memory/3488-12-0x0000000000400000-0x00000000004FD000-memory.dmp

    Filesize

    1012KB

  • memory/3488-45-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB

  • memory/3488-38-0x0000000002FF0000-0x00000000030A6000-memory.dmp

    Filesize

    728KB