Analysis

  • max time kernel
    112s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2024 20:04

General

  • Target
    82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe
  • Size
    355KB
  • MD5
    6837a64724aa786027231b4177ce9cc0
  • SHA1
    09e20caf534983f6ee8f59f432561f6a4c075d63
  • SHA256
    82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7
  • SHA512
    7097662678890f619c24287c752370221dd2329074020c4b76e9a3c2b44aefed99c2f57e9f12e15f12c85926a8ac91820c0d17dde76fc04dd928fa2fc98b3355
  • SSDEEP
    6144:N3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9EiS:imWhND9yJz+b1FcMLmp2ATTSsdS

Malware Config

Extracted

Family

simda

Attributes
  • dga

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe
    "C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:740

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7244.tmp
    Filesize
    24KB
    MD5
    fb2540ed67331de7a2f36b85b4ecfccc
    SHA1
    9c38224415758a01833a967764d5ed7e3d159c30
    SHA256
    9804fc0f51c2f0235b92aa65ad2c7c3adcd442d390284a6254ca81c6e5a84861
    SHA512
    63d602be64ccfd9d329d96175ff19668c2f4d0eca4769bcb040178d2fa067eff9076463e6e7091b7f975a53a8191896656c079aa1d2bf0f87dec9667617973d3

  • C:\Users\Admin\AppData\Local\Temp\7390.tmp
    Filesize
    60KB
    MD5
    34291ae450c67112732e6f7cd82a9465
    SHA1
    ba7e50685dfb5e73c0d4d5ec076a9a4454ddf52b
    SHA256
    dca6e572a28fcf10f45fdc747a70e7dd7fb238fbfc8ef6f0a925b30b1cbbfc42
    SHA512
    3f6acee36fe24089439a211aafaf96a84b7e394bc508cbda72d576ada20d4a4968edb5c2914fb92499b2f80c6a9dc4f20101460808fdf5066db41701d083df29

  • C:\Users\Admin\AppData\Local\Temp\748E.tmp
    Filesize
    2KB
    MD5
    3abbcc4a381002de3f5237989cc2994b
    SHA1
    04848ee9b26116c308b63333fafca8c2bb4635c4
    SHA256
    ffd92dc37c64bbac288c25e33b6f7475d09a491752a589b39a9de29725d8ef5c
    SHA512
    45c1c5639cbf41d70ef40ec7d930063041bd181cf2e7a28e162daf2520319c0afcacfb4c2861af6c4f985476ccf03926cc47aa15b94a47732b7e5da0548ec87c

  • C:\Windows\apppatch\svchost.exe
    Filesize
    355KB
    MD5
    71eaaf16441f0da728fd8e880f74f6ea
    SHA1
    aa914a1d6e1c030bab030406eba74ca8f8936b1d
    SHA256
    f1aeff89ae77e1c5fa79566a9fe4bb1dc656a98845145ca928738a826c18c11e
    SHA512
    3a826cc54cfc0e587fee036c276cbfbdb51b5afa92fc0dda7e4e5b9f2b52aa1787529cdba4151baf8e904f5b022a38dfec87da535106f619543a9472b66f4d76

  • memory/740-10-0x0000000002940000-0x00000000029E8000-memory.dmp
    Filesize
    672KB
  • memory/740-15-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-13-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-11-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-17-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-21-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-70-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-72-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-71-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-69-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-67-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-66-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-65-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-64-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-63-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-61-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-60-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-59-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-58-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-57-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-56-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-55-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-68-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-62-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-54-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-53-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-52-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-50-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-49-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-48-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-47-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-45-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-41-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-38-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-39-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-37-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-36-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-35-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-34-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-32-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-29-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-28-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-26-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-25-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-23-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-22-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-20-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-19-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-18-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-51-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-46-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-44-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-42-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-43-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-40-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-33-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-31-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-30-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-27-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-24-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-16-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/740-176-0x0000000002B30000-0x0000000002BE6000-memory.dmp
    Filesize
    728KB
  • memory/5036-8-0x0000000000400000-0x000000000045F000-memory.dmp
    Filesize
    380KB