Malware Analysis Report

2024-12-07 14:29

Sample ID 241116-qn18xsxekl
Target cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8
SHA256 cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8
Tags
simda discovery persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8

Threat Level: Known bad

The file cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8 was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

simda

Simda family

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-16 13:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-16 13:25

Reported

2024-11-16 13:27

Platform

win7-20241023-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe"

Signatures

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f6410e20 = "C:\\Windows\\apppatch\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Defender\galynuh.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\qexyhuv.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\lygynud.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\vofycot.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\lymyxid.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\pupydeq.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\pupycag.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\galyqaz.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\qetyfuv.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\vonypom.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\vocyzit.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\gadyciz.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\lyxynyx.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\vojyqem.com | C:\Windows\apppatch\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A
File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\MuiCache | C:\Windows\apppatch\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe

"C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network


Files

\Windows\AppPatch\svchost.exe

MD5 4094a4173b26494b80d131d6ddf6c5dd
SHA1 df6567e72306912dd70388a7009b0fe600870794
SHA256 ff4c71b7c22a1ac962b0c94b1d5fe75867c1f09e7e45120fa15a987b8bcb4967
SHA512 1caa1f31cd41e6fe25a0f4f443325c4fb38f75ac8b54d5a8563c6c0009292532228d3ee188a37e05a1e9c5e54c42a02666a8dec1787b11812b3b560987c47ccd


C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MZ8G9S2N\login[1].htm

MD5 d57e3a550060f85d44a175139ea23021
SHA1 2c5cb3428a322c9709a34d04dd86fe7628f8f0a6
SHA256 43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c
SHA512 0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-16 13:25

Reported

2024-11-16 13:27

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe"

Signatures

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5669d350 = "C:\\Windows\\apppatch\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Defender\galyqaz.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\vonypom.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\lymyxid.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\vojyqem.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\qetyfuv.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\vocyzit.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\gahyqah.com | C:\Windows\apppatch\svchost.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\puzylyp.com | C:\Windows\apppatch\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A
File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\MuiCache | C:\Windows\apppatch\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe

"C:\Users\Admin\AppData\Local\Temp\cf07426b0204507c217498d2094013ae997a03beebfed43ef9d535d55f050aa8.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network


Files

C:\Windows\apppatch\svchost.exe

MD5 b24e8b25ca9471956ff2eb5c10dbcf42
SHA1 353a375f5fd16b1446f3ad79cd55d640310ea5d9
SHA256 6b4b72a31619219b8a42db330e5666755f23a8718835366b5ad61207ac0c7796
SHA512 26a823afdfd41ac76f027f6e3ad3519973adc92b0f72c675b85657bb83d9d49b068375341217338b3434ddb9ecbed747f8ca20c840a03487d230e308cedb9c38
