Analysis

  • max time kernel
    112s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2024 17:47

General

  • Target

    dcd09b58f4dea75ad8070d05ed245cbf620008e270e1539e4591188f490a3a8fN.exe

  • Size

    218KB

  • MD5

    e94152886e58a68be25d530c1af93ff0

  • SHA1

    75ff304c859e0a74c0daccb377a84677256cf010

  • SHA256

    dcd09b58f4dea75ad8070d05ed245cbf620008e270e1539e4591188f490a3a8f

  • SHA512

    8877079e6caee41bd1ad93750cf0f18afc1e856292595c423b2979967751823e817d431137838e23ab9341ce93fb53dd1beb6a9a938b5b57a2eaca207959140e

  • SSDEEP

    3072:9vm4SZsQrNzPrl6rjGMjp39d4u8iqddCxMIJOb2o5DsBPjim6hwM2H6:x1SyAJp6rjn1gOObn4b6h9h

Malware Config

Extracted

Family

simda

Attributes
  • dga

    gatyfus.com

    lyvyxor.com

    vojyqem.com

    qetyfuv.com

    puvyxil.com

    gahyqah.com

    lyryfyd.com

    vocyzit.com

    qegyqaq.com

    purydyv.com

    gacyzuz.com

    lygymoj.com

    vowydef.com

    qexylup.com

    pufymoq.com

    gaqydeb.com

    lyxylux.com

    vofymik.com

    qeqysag.com

    puzylyp.com

    gadyniw.com

    lymysan.com

    volykyc.com

    qedynul.com

    pumypog.com

    galykes.com

    lysynur.com

    vonypom.com

    qekykev.com

    pupybul.com

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dcd09b58f4dea75ad8070d05ed245cbf620008e270e1539e4591188f490a3a8fN.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd09b58f4dea75ad8070d05ed245cbf620008e270e1539e4591188f490a3a8fN.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2YUS9Q6F\login[2].htm

    Filesize

    168B

    MD5

    d57e3a550060f85d44a175139ea23021

    SHA1

    2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

    SHA256

    43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

    SHA512

    0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

  • C:\Users\Admin\AppData\Local\Temp\7667.tmp

    Filesize

    24KB

    MD5

    995b16a228254fd825bc9e116a3497d6

    SHA1

    8a914847b9c82caf58f78092b1ef332e66f515f2

    SHA256

    4ac454759ec69b0bdaf95679de4741ab23f36e87cf7baceb594d318e7585f6d5

    SHA512

    51612c593ffbf5c7cb8a070c9fb0a08f0b8dfdf85a792310d93e4d64b0cbb5508199fd277a3e0fd7d40bbb0c0ed5ae192b01519b7c9eff2a145708b4b82a03e3

  • C:\Users\Admin\AppData\Local\Temp\7679.tmp

    Filesize

    1KB

    MD5

    94577e3e9007195104bfc660afbea227

    SHA1

    70a4d6f341620161ee6ab4062ae46d3ee61bb830

    SHA256

    89a712f50395a6b81be2970d22fce2b4f52c32af30127445d4833f126025c35b

    SHA512

    55599401d53ab20e38894000cea2066648d4bfa1aaccd230c694c4186affef6eeb304a63100d19654c70bfd2d69069ca2ea4ec2cddc2967496aee822d45ad186

  • C:\Users\Admin\AppData\Local\Temp\CA0B.tmp

    Filesize

    593B

    MD5

    926512864979bc27cf187f1de3f57aff

    SHA1

    acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

    SHA256

    b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

    SHA512

    f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Users\Admin\AppData\Local\Temp\DE82.tmp

    Filesize

    60KB

    MD5

    714225b73762df90e7e7318f092ada1d

    SHA1

    bea17d67445eb7e2f002588015871606330b9c6f

    SHA256

    b8ceeb1247e4db5ff82b73a2f9206535644f43cf46b85fd8421e83ae9112a38e

    SHA512

    9dd1d59ed05d242922081138813a39e0d844c3d1f63691ee55957a48982132a7905336abf0bfa986c5395bf0db95d5df8ec0b8a9e50a216fd59b01c792ab1443

  • C:\Users\Admin\AppData\Local\Temp\DF37.tmp

    Filesize

    481B

    MD5

    3d107c718fefc9abe5a58fc42b30795a

    SHA1

    7aa6226066590662e3001b731c7773b42d03e749

    SHA256

    b4b696dec8a9dd8cbdde1e7003203dc5581b4cbf527d67cd9b12edf33810d58d

    SHA512

    6fed1ed0f3cb29abdadcbb272f1e8df7d28b8a185e2571176a7da523ea6ab95732aeae4c4a63f7e2a2fc537e41cbf7c0eaf0c6cd1e9ad41222f5a3652f651dd5

  • C:\Windows\apppatch\svchost.exe

    Filesize

    218KB

    MD5

    f9fa9a1395c3a87397d15aed69f9aea7

    SHA1

    3fccadb7ba548240b5ed7545a8544d6b458e4883

    SHA256

    0aa6ed1785a5a5bea628a06e4bbb28bc47c7074802bda321e17a3f17a9c24b49

    SHA512

    8fbd0aad3e5942ba1e9474f26b56809dd56ab018719ff2946c55028ae3678e2c727b5c95acc5e418576142ba06c98a2ea51e6317ca5011495a262f5a447e3739

  • memory/3596-0-0x0000000002320000-0x0000000002371000-memory.dmp

    Filesize

    324KB

  • memory/3596-1-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/3596-10-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/3596-13-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/3596-12-0x0000000002320000-0x0000000002371000-memory.dmp

    Filesize

    324KB

  • memory/4868-58-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-53-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-18-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-22-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-20-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-49-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-68-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-79-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-78-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-77-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-76-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-75-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-74-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-73-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-72-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-71-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-69-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-67-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-66-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-65-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-64-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-63-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-62-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-61-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-60-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-59-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-16-0x00000000028D0000-0x0000000002978000-memory.dmp

    Filesize

    672KB

  • memory/4868-57-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-56-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-55-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-54-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-17-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/4868-52-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-51-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-50-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-48-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-47-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-46-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-45-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-44-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-43-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-42-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-41-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-40-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-39-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-38-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-37-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-35-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-34-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-33-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-32-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-30-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-29-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-27-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-25-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-24-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-70-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-36-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-15-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/4868-14-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/4868-31-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-28-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-26-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/4868-23-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB