Analysis Overview
SHA256
a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77
Threat Level: Known bad
The file a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N was found to be: Known bad.
Malicious Activity Summary
Simda family
Modifies WinLogon for persistence
simda
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 22:32
Signatures
Simda family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 22:32
Reported
2024-11-05 22:34
Platform
win7-20241023-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f42705ed = "v܉K÷3W+Y¿`²,\x13“gÚ÷¬W\x0f\"\u00ad8\x11k\"Å•.Ö“ˆÎ‹Ä|\x1be¨" | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f42705ed = "v܉K÷3W+Y¿`²,\x13“gÚ÷¬W\x0f\"\u00ad8\x11k\"Å•.Ö“ˆÎ‹Ä|\x1be¨" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1968 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | C:\Windows\apppatch\svchost.exe |
| PID 1968 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | C:\Windows\apppatch\svchost.exe |
| PID 1968 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | C:\Windows\apppatch\svchost.exe |
| PID 1968 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe
"C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 92.123.128.143:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 69.162.80.55:80 | lysyfyj.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.212.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | ww6.galyqaz.com | udp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 199.59.243.227:80 | ww6.galyqaz.com | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| US | 104.155.138.21:80 | lygynud.com | tcp |
| US | 104.21.26.151:80 | lysyvan.com | tcp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
Files
\Windows\AppPatch\svchost.exe
| MD5 | be28837b91b0a978da1c514d5a8bcdba |
| SHA1 | 0f0a1945080f6f8c4c67e44f997bea0040e102df |
| SHA256 | 01be7116db4d447ae2fd0c951e2a0eaf17b1be47e29d4c906e46a8fb2f621990 |
| SHA512 | 3d1db1d568b87fc4e1103e50901b5b84de3f67cb77a07a5df060a430fd198d2739f67e23b37a0ca67f2ddb6db57cf5644395ea766086e14e4a2bcf5169acf67f |
memory/1968-12-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2080-24-0x00000000021B0000-0x0000000002258000-memory.dmp
memory/2080-22-0x00000000021B0000-0x0000000002258000-memory.dmp
memory/2080-20-0x00000000021B0000-0x0000000002258000-memory.dmp
memory/2080-18-0x00000000021B0000-0x0000000002258000-memory.dmp
memory/2080-16-0x00000000021B0000-0x0000000002258000-memory.dmp
memory/2080-14-0x00000000021B0000-0x0000000002258000-memory.dmp
memory/2080-26-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-28-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-30-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-49-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-57-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-78-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-77-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-76-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-75-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-74-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-73-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-72-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-71-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-70-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-69-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-68-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-67-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-66-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-65-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-64-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-63-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-62-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-61-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-60-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-59-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-58-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-56-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-55-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-54-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-53-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-52-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-51-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-50-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-48-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-47-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-46-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-45-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-44-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-43-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-42-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-41-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-40-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-39-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-38-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-37-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-36-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-35-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-34-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-32-0x00000000023A0000-0x0000000002456000-memory.dmp
memory/2080-33-0x00000000023A0000-0x0000000002456000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9F56.tmp
| MD5 | 9fdcdb3907341c79a6418df710cbabe6 |
| SHA1 | 9f44538ccf74af30d44d673bf67517a7963cf815 |
| SHA256 | 8ee4d40598e455b7012ade473ebad7ed0b09c9e953b8b6c57294ccdf3cba4cad |
| SHA512 | afe1a216f3fb44c687dabf3fa51863971d5acf612aaac13fe6128403e3f2eb477df0a91c57a7122f6657c7dce0c05c57acde0b3fa9ce52e24a1d50ce322c7c0d |
C:\Users\Admin\AppData\Local\Temp\9EC3.tmp
| MD5 | 9641f0823a9076c0a33a5081e42f187c |
| SHA1 | f1f2634566b5a02ef8193f8544cc34ba6245c5a8 |
| SHA256 | 947b027246bacae99e7985f38e93f9d7bad342dd21c4527547bb7ddf0936444c |
| SHA512 | 7a7d05388056ca53c85907d0a5fcd4bc2f2badd37ea79cfe98d4bc2559b09a05671859447655495a5375ed85fe3638bd2cec9ed6f6663ac3cdc1581eb15a23b3 |
memory/2080-197-0x00000000023A0000-0x0000000002456000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 22:32
Reported
2024-11-05 22:34
Platform
win10v2004-20241007-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\dfd651cb = "\x1a<\v\x02ÄSí\x13»Ê*àV\x0eeMýå•É>«&ÔSÊ2HøÁPö=µnÌïE\x19×TÙ5t¬×¦\u008f¶¬F=ï%yܼ,eþ\fǦ\x1cÅ\u00ad•ÆÇ~\x17'Á-nå\u00ad´FôÝõ…ñžmEL,\u008d\aE´Å·¾É\f\u008dt\x1c~=1þí\x06M…\x1e¯¬f…Ž\\V%æ\x05Vå¿Ìtž.>¼í\x175}\\|NtÿUm´~9ôæ6é\rÁŒmDßô±DNMű6%uÕ\x01ù\x19\x1d\x01Õ}ž½‡Í„¦-_\x0fÔ~Õ„QYåÜ\a.\u008d-íßÞU\x1edŽÍ4\x1dÔa]Í„9=!=\u00adET&üGùüý®æü•\u008dw¤M?=]yÍæLåÔ)¦Õm\x14\\\x16]m\flΙM-^ütýE„Õå" | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\dfd651cb = "\x1a<\v\x02ÄSí\x13»Ê*àV\x0eeMýå•É>«&ÔSÊ2HøÁPö=µnÌïE\x19×TÙ5t¬×¦\u008f¶¬F=ï%yܼ,eþ\fǦ\x1cÅ\u00ad•ÆÇ~\x17'Á-nå\u00ad´FôÝõ…ñžmEL,\u008d\aE´Å·¾É\f\u008dt\x1c~=1þí\x06M…\x1e¯¬f…Ž\\V%æ\x05Vå¿Ìtž.>¼í\x175}\\|NtÿUm´~9ôæ6é\rÁŒmDßô±DNMű6%uÕ\x01ù\x19\x1d\x01Õ}ž½‡Í„¦-_\x0fÔ~Õ„QYåÜ\a.\u008d-íßÞU\x1edŽÍ4\x1dÔa]Í„9=!=\u00adET&üGùüý®æü•\u008dw¤M?=]yÍæLåÔ)¦Õm\x14\\\x16]m\flΙM-^ütýE„Õå" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2684 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2684 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2684 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe
"C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 92.123.128.190:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 75.2.71.199:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | 190.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 69.162.80.55:80 | lysyfyj.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 75.2.71.199:443 | puzylyp.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 199.71.2.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.30.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.119.255.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.80.162.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.240.195.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | 205.71.79.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| DE | 178.162.203.226:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 211.203.162.178.in-addr.arpa | udp |
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 2654e4070c8eb24da99fcca250b217fa |
| SHA1 | defeb127128af24d1e3691e51fd7e1f017756c34 |
| SHA256 | 8d159dc29e585669f6f24c835ec38df7df98044d761f84d6f8c40fb3558c3c14 |
| SHA512 | 8cd27c5ffa43e3b4d59ad0713c661314c44792ac2e8af99fbbd5446550315f738db015d8f5b158499352134baad368ec42bd337c1ac3ee5b061f29cb09439733 |
memory/2684-9-0x0000000000400000-0x000000000045F000-memory.dmp
memory/4248-10-0x0000000002720000-0x00000000027C8000-memory.dmp
memory/4248-11-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-15-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4248-183-0x0000000002B40000-0x0000000002BF6000-memory.dmp