Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 21:51

General

  • Target

    386fe3604a7fff1cea0e5c096eaac74b412e0a8124c2fe2e046c7bb563ac7747.exe

  • Size

    202KB

  • MD5

    51850514535840a08177c8c8ed984ea2

  • SHA1

    cf9857b90d83fdc53db79296a3d89988eec65da6

  • SHA256

    386fe3604a7fff1cea0e5c096eaac74b412e0a8124c2fe2e046c7bb563ac7747

  • SHA512

    a0d09fbd04eea4b66930bb6308ab43dd88136b98b5de6daa014d300d601342be9eaac351590653f41360ae24c0fee3c545bff0796a1cc3d37f8cf771f06425a7

  • SSDEEP

    3072:a8nh2Hrp3Tlp+soN3BY2ZBHetwcyf1w5DYRZPQaQrhu8ihDNugrBVgc8gbmT2PcF:7nw9lEs3hhyaubQTkhbrBVL8gbmT2Pc

Malware Config

Extracted

Family

simda

Attributes
  • dga

    gatyfus.com

    lyvyxor.com

    vojyqem.com

    qetyfuv.com

    puvyxil.com

    gahyqah.com

    lyryfyd.com

    vocyzit.com

    qegyqaq.com

    purydyv.com

    gacyzuz.com

    lygymoj.com

    vowydef.com

    qexylup.com

    pufymoq.com

    gaqydeb.com

    lyxylux.com

    vofymik.com

    qeqysag.com

    puzylyp.com

    gadyniw.com

    lymysan.com

    volykyc.com

    qedynul.com

    pumypog.com

    galykes.com

    lysynur.com

    vonypom.com

    qekykev.com

    pupybul.com

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\386fe3604a7fff1cea0e5c096eaac74b412e0a8124c2fe2e046c7bb563ac7747.exe
    "C:\Users\Admin\AppData\Local\Temp\386fe3604a7fff1cea0e5c096eaac74b412e0a8124c2fe2e046c7bb563ac7747.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:180

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\login[3].htm

    Filesize

    168B

    MD5

    d57e3a550060f85d44a175139ea23021

    SHA1

    2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

    SHA256

    43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

    SHA512

    0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

  • C:\Users\Admin\AppData\Local\Temp\2CFC.tmp

    Filesize

    24KB

    MD5

    e152562692b501ab6ca9ec9842cb30dd

    SHA1

    36066e566ce5fd3a22b8bbba69137cbe209a6c88

    SHA256

    255782e2df9ac109f11664d14446c58b45533e2de657aa49b325ca4a99cb1805

    SHA512

    21a1b80b760735f4f4f842e3b2ce2dc53f8419c35046069e1e69a59598b3f5da12865a839d2f88fe143b7b932dbfae23257050eb36076e37060924a74149667a

  • C:\Users\Admin\AppData\Local\Temp\30BC.tmp

    Filesize

    1KB

    MD5

    d530c0092dfa31f5ecb0d1857b8beccd

    SHA1

    439d2cccc83b9c98f66aaae97a98609f6759f2a1

    SHA256

    1c5e72298110d54c2d0dba131fbb7406a969805771f4097cc749dddc2b50e416

    SHA512

    e0112a3810bec2f761a57982be01c7b2aed53b3b910f9c3c978ac85d687175487e0fcb72e7bf83d063d390238e934ae6328ea419c18f32865bf264ba735d8796

  • C:\Users\Admin\AppData\Local\Temp\57D4.tmp

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\57D4.tmp

    Filesize

    593B

    MD5

    926512864979bc27cf187f1de3f57aff

    SHA1

    acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

    SHA256

    b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

    SHA512

    f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Users\Admin\AppData\Local\Temp\9510.tmp

    Filesize

    61KB

    MD5

    c63617ef784a4c2b909a2b2f58a3f5dc

    SHA1

    a40b6a0a5279beaef07b48a3371731d33bc4219e

    SHA256

    0230da925f87a5eb2a77ec9b6bc6c3fc9f67f91ab33ecf241d837172139e9387

    SHA512

    9ede6614ef52de1dd7d4d779a2b811268bea0b39e018bfd431ead372187c1c6b2b0777d8cf857fd0fcabf940752b48d901895c3ca538449b16746de322698d69

  • C:\Users\Admin\AppData\Local\Temp\9582.tmp

    Filesize

    42KB

    MD5

    da93d285cfd5d10f7615fda03af86606

    SHA1

    f16a365000714fae021ff00ee4390c3716bb375c

    SHA256

    9aaede650d09cfdfcc6242e631a0e3160b2e5a5318a2eb2610bd10cee4592ef7

    SHA512

    098af59160372472c74228f76be0e31ce1937ddcc3913587046af6e1f9490eca7620811f09d2fb9a3d61fed75c8669aa804c39fb85b1bb04c10da966ef56d14a

  • C:\Windows\apppatch\svchost.exe

    Filesize

    202KB

    MD5

    a4a070bb3b24d91705613bc8709550e2

    SHA1

    49d430bb53319677d765e390215dc132cb192a66

    SHA256

    81583a278c35c7c225caf51b8bf4137f17d245052beb9fd491d335e356646ff4

    SHA512

    2eab5eb6586e544f98ae2d8a33f66867d0ddf783a68e3de0e684a453068f54b8b0593785fbd037b714ed2517897174ee48f8c16a8e14a383d20cc72ddf6e2f0e

  • memory/180-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-78-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-77-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-76-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-75-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-74-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-73-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-11-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/180-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp

    Filesize

    728KB

  • memory/180-16-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/180-15-0x0000000002740000-0x00000000027E8000-memory.dmp

    Filesize

    672KB

  • memory/2124-0-0x00000000021B0000-0x00000000021B3000-memory.dmp

    Filesize

    12KB

  • memory/2124-1-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2124-14-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2124-13-0x00000000021B0000-0x00000000021B3000-memory.dmp

    Filesize

    12KB