Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-10-2024 00:35

General

  • Target

    f0edecfd0cbd376841a3d0088f628ddf86c1bb08d765a106622ed2dbc4610b66N.exe

  • Size

    208KB

  • MD5

    1f1ec6f233c4dd5599493ff71dd88e10

  • SHA1

    99f06f5db53046f5157c2913e404c1819f4ecf06

  • SHA256

    f0edecfd0cbd376841a3d0088f628ddf86c1bb08d765a106622ed2dbc4610b66

  • SHA512

    f8bb7312c698116e10e541bdac5a7154ef0dc137ea8b5bc42cf8610d98402f72d7805d4620d64632cf4be861c78cfe8ee37a4b2b0d3842469b389fee19c061b7

  • SSDEEP

    6144:aOYX27lPBA3YDMw4lj6idlMlwl7/79C87:awBAy0rlMI5

Malware Config

Extracted

Family

simda

Attributes
  • dga

    gatyfus.com

    lyvyxor.com

    vojyqem.com

    qetyfuv.com

    puvyxil.com

    gahyqah.com

    lyryfyd.com

    vocyzit.com

    qegyqaq.com

    purydyv.com

    gacyzuz.com

    lygymoj.com

    vowydef.com

    qexylup.com

    pufymoq.com

    gaqydeb.com

    lyxylux.com

    vofymik.com

    qeqysag.com

    puzylyp.com

    gadyniw.com

    lymysan.com

    volykyc.com

    qedynul.com

    pumypog.com

    galykes.com

    lysynur.com

    vonypom.com

    qekykev.com

    pupybul.com
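The thirty domains above are the sandbox's extracted DGA output, and they share a fixed shape: seven lowercase letters alternating consonant and vowel, a `y` in the fourth position, and a `.com` suffix (the two-letter prefixes also cycle ga, ly, vo, qe, pu). The following Python is an added example, not part of the report: it matches DNS queries exactly against the extracted list and, as a heuristic inferred only from these thirty names and not Simda's actual DGA algorithm, flags other queries with the same shape as leads to verify. The log format and the log lines are constructed for the example.

```python
"""Flag DNS lookups for the Simda DGA domains extracted in the report above.

Added example, not part of the sandbox report. The exact-match list is the 30
domains the sandbox extracted; the regular expression is a heuristic inferred
from those 30 names and is NOT Simda's DGA algorithm, so treat "pattern" hits
as leads to verify rather than confirmed infections.
"""
import re
from collections import Counter, namedtuple

# Domains as listed in the report's "Malware Config" section.
SIMDA_DGA_DOMAINS = frozenset("""
gatyfus.com lyvyxor.com vojyqem.com qetyfuv.com puvyxil.com gahyqah.com
lyryfyd.com vocyzit.com qegyqaq.com purydyv.com gacyzuz.com lygymoj.com
vowydef.com qexylup.com pufymoq.com gaqydeb.com lyxylux.com vofymik.com
qeqysag.com puzylyp.com gadyniw.com lymysan.com volykyc.com qedynul.com
pumypog.com galykes.com lysynur.com vonypom.com qekykev.com pupybul.com
""".split())

CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiouy"
# Shape shared by every listed domain: C V C y C V C + ".com". Assumption: this
# generalises to other Simda DGA output; it can also match rare benign names.
SIMDA_LIKE = re.compile(
    rf"^[{CONSONANTS}][{VOWELS}][{CONSONANTS}]y[{CONSONANTS}][{VOWELS}][{CONSONANTS}]\.com$"
)


def classify_domain(qname):
    """Return 'known' (in the extracted list), 'pattern' (same shape, unlisted) or None."""
    name = qname.strip().rstrip(".").lower()   # tolerate a trailing root dot
    if name in SIMDA_DGA_DOMAINS:
        return "known"
    if SIMDA_LIKE.match(name):
        return "pattern"
    return None


DnsHit = namedtuple("DnsHit", "timestamp client qname verdict")


def scan_dns_log(text):
    """Parse '<timestamp> <client-ip> <qtype> <qname>' lines (a constructed
    format for this example) and return the queries worth looking at."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # blank or malformed line
        timestamp, client, _qtype, qname = parts
        verdict = classify_domain(qname)
        if verdict:
            hits.append(DnsHit(timestamp, client, qname.rstrip(".").lower(), verdict))
    return hits


def clients_by_hits(hits):
    """Count flagged queries per client so the noisiest host surfaces first."""
    return Counter(h.client for h in hits)


# Constructed sample log (not real traffic): exercises both verdicts and a
# malformed line.
SAMPLE_DNS_LOG = """\
2024-10-31T00:36:01Z 10.0.0.12 A gatyfus.com
2024-10-31T00:36:01Z 10.0.0.12 A lyvyxor.com.
2024-10-31T00:36:02Z 10.0.0.12 A www.microsoft.com
2024-10-31T00:36:05Z 10.0.0.12 A gatyfuz.com
2024-10-31T00:36:07Z 10.0.0.20 A github.com
malformed line
"""

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for hit in found:
        print(f"{hit.timestamp} {hit.client} {hit.qname} -> {hit.verdict}")
    print(clients_by_hits(found))
```

A "known" hit on a production resolver is a strong indicator; a "pattern" hit only says the name has the same shape, so pivot on the client and the surrounding queries before acting on it.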

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0edecfd0cbd376841a3d0088f628ddf86c1bb08d765a106622ed2dbc4610b66N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0edecfd0cbd376841a3d0088f628ddf86c1bb08d765a106622ed2dbc4610b66N.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2644
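The process tree shows the sample dropping a 208 KB copy of itself as C:\Windows\apppatch\svchost.exe (SHA256 in the Downloads section below) and modifying Winlogon for persistence. The Python below is an added host-triage example, not from the report or any vendor tool: it takes a file inventory and Winlogon values you have already collected as plain data (so it runs offline and does not touch a live registry), flags the dropped binary by hash, flags any svchost.exe outside System32/SysWOW64, and compares the Winlogon Shell and Userinit values with their documented Windows defaults. The report does not say which Winlogon value Simda rewrites, so the modified Userinit value in the sample data is a constructed illustration, not the sample's actual change.

```python
"""Host triage for the persistence behaviour shown in the process tree above.

Added example, not part of the report. Inputs are plain Python data collected
elsewhere (a forensic image, a remote collector), so the script runs anywhere.
"""
import ntpath

# Dropped file from the report's Downloads section.
DROPPED_SVCHOST_PATH = r"C:\Windows\apppatch\svchost.exe"
DROPPED_SVCHOST_SHA256 = "96c548ecdecb8587dfc6e75791256183bdba436dac4660d7f62b7f31e30d832c"

# The only directories where svchost.exe legitimately lives on Windows.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Default data of the Winlogon values most often abused for persistence
# (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon).
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}


def svchost_out_of_place(path):
    """True when a file named svchost.exe sits outside System32/SysWOW64."""
    if ntpath.basename(path).lower() != "svchost.exe":
        return False
    return ntpath.dirname(path).lower().rstrip("\\") not in LEGIT_SVCHOST_DIRS


def winlogon_findings(values):
    """Compare collected Winlogon values with the defaults.

    values maps value name -> data. Returns [(name, data)] for every value
    present that differs from its default; absent values are not reported.
    """
    findings = []
    for name, default in WINLOGON_DEFAULTS.items():
        data = values.get(name)
        if data is not None and data.strip().lower() != default.lower():
            findings.append((name, data))
    return findings


def triage(file_inventory, winlogon_values):
    """file_inventory: iterable of (path, sha256 hex). Returns a findings dict."""
    hash_matches = [p for p, h in file_inventory if h.lower() == DROPPED_SVCHOST_SHA256]
    misplaced = [p for p, _ in file_inventory if svchost_out_of_place(p)]
    winlogon = winlogon_findings(winlogon_values)
    return {
        "known_dropped_svchost": hash_matches,
        "misplaced_svchost": misplaced,
        "winlogon_modified": winlogon,
        "verdict": "suspicious" if (hash_matches or misplaced or winlogon) else "clean",
    }


# Constructed sample data (not from the report). The Userinit value is extended
# to launch the dropped file; the report does not state that Simda does this,
# it is simply one way a Winlogon modification would look.
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\svchost.exe", "0" * 64),   # placeholder hash, constructed
    (DROPPED_SVCHOST_PATH, DROPPED_SVCHOST_SHA256),
]
SAMPLE_WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\apppatch\svchost.exe,",
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_INVENTORY, SAMPLE_WINLOGON).items():
        print(f"{key}: {value}")
```

The hash check only catches this exact dropped copy; the path check and the Winlogon comparison are what carry over to other samples, and any svchost.exe under C:\Windows\AppPatch deserves a look regardless of hash.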

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\64DB.tmp

    Filesize

    24KB

    MD5

    a5ab94cdb277c74f07275ecaccb09c6d

    SHA1

    7e1b6fcf89c223333a675b67ec139ee5b18b06b7

    SHA256

    82f388f94b52fb0d414e0cd26dfa3654a85083add2b0fc8f3474c35bc541a154

    SHA512

    39376baa9102386d9032072183120857c662d2cd8b4f0938c44b82c08c3f4720aee872c652572c924bb62e44d467c79c5e4e64e011c823621b7b98b740d3c3ac

  • C:\Users\Admin\AppData\Local\Temp\64DC.tmp

    Filesize

    42KB

    MD5

    2bc229362cd6a355b7921b5265c13caa

    SHA1

    9efdbc9eae8e27eefad6100b4c519ab5ab3b64bc

    SHA256

    84ca5eb83e7c1aa7737c6d0a2d2d047e43e8eaa8642a8c9f7994a9dcce1fe87c

    SHA512

    aa7e13c3cf5122fe3fb1ecc17826cb069f9222f252d6c99a8274a1fa9fe37355b2237d33540feb0ce53c54781eaa489ca4854c91fd0231014aefa2bff8ecc3ea

  • C:\Users\Admin\AppData\Local\Temp\69D7.tmp

    Filesize

    481B

    MD5

    1312a7bc3049958c8a2580a2c495ce93

    SHA1

    192d2dadab518547cffe692ef3a26e82412980c8

    SHA256

    7ee882c6dfef7d815e6dcb0cb0a08aaaa28dcf0f73296f218eb066e840fe7ca5

    SHA512

    16e2908a3d45d7515f0d2f22dcea463cb7fecb90c76d22d33b82841f468e4a72f1d1588d373c82f32a0e4dac42e709dbff507c03244d695207a2076926b2327d

  • \Windows\AppPatch\svchost.exe

    Filesize

    208KB

    MD5

    240025d4b8117dcecb027285c7f8b632

    SHA1

    02f172e45332f801bd87808fbe8149c2ceb35f71

    SHA256

    96c548ecdecb8587dfc6e75791256183bdba436dac4660d7f62b7f31e30d832c

    SHA512

    7e3a9911c6cd10b63254019c63ddbdc5ffa4c011f2af8832b87d7e497bcb9fa92e7acbb8b9a4d4f92795c4a35f915c2a401d0eaf09f3e0950b5d3393e81d13a8

  • memory/2644-69-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-34-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-24-0x00000000024A0000-0x0000000002548000-memory.dmp

    Filesize

    672KB

  • memory/2644-19-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

  • memory/2644-30-0x00000000024A0000-0x0000000002548000-memory.dmp

    Filesize

    672KB

  • memory/2644-32-0x00000000024A0000-0x0000000002548000-memory.dmp

    Filesize

    672KB

  • memory/2644-28-0x00000000024A0000-0x0000000002548000-memory.dmp

    Filesize

    672KB

  • memory/2644-33-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

  • memory/2644-26-0x00000000024A0000-0x0000000002548000-memory.dmp

    Filesize

    672KB

  • memory/2644-22-0x00000000024A0000-0x0000000002548000-memory.dmp

    Filesize

    672KB

  • memory/2644-67-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-38-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-36-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-45-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-46-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-72-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-84-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-83-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-82-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-81-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-80-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-79-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-78-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-77-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-76-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-75-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-74-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-73-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-71-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-70-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-68-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-20-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

  • memory/2644-21-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

  • memory/2644-66-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-65-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-64-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-63-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-62-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-61-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-60-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-58-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-57-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-56-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-55-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-54-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-53-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-52-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-51-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-50-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-49-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-48-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-47-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-44-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-43-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-59-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-42-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-41-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2644-40-0x0000000002830000-0x00000000028E6000-memory.dmp

    Filesize

    728KB

  • memory/2824-1-0x0000000000280000-0x00000000002D1000-memory.dmp

    Filesize

    324KB

  • memory/2824-18-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2824-2-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2824-0-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

  • memory/2824-17-0x0000000000280000-0x00000000002D1000-memory.dmp

    Filesize

    324KB

  • memory/2824-16-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB