Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 23:46

General

  • Target

    68e7675785b775a8353108be7d4e673b57c01946cb20bdd53990855632686146.exe

  • Size

    218KB

  • MD5

    f98d7f2dee538cd41a91c6f2909c1aa5

  • SHA1

    9962328339b1576de6b48e509d8280a6ad78856a

  • SHA256

    68e7675785b775a8353108be7d4e673b57c01946cb20bdd53990855632686146

  • SHA512

    930c252bad77920d55b75ad1cb0be44b108d543177fd2ca4f778c252c6e71718fa4eb2eeccb999d2dba141d7172cbc00698b9b3dbd92163b823bc6e2586111a4

  • SSDEEP

    3072:kvm4SZsQrNzPrl6rjGMjp39d4u8iqddCxMIJOb2o5DsBPjim6hwM2H6:y1SyAJp6rjn1gOObn4b6h9h

Malware Config

Extracted

Family

simda

Attributes
  • dga

    gatyfus.com

    lyvyxor.com

    vojyqem.com

    qetyfuv.com

    puvyxil.com

    gahyqah.com

    lyryfyd.com

    vocyzit.com

    qegyqaq.com

    purydyv.com

    gacyzuz.com

    lygymoj.com

    vowydef.com

    qexylup.com

    pufymoq.com

    gaqydeb.com

    lyxylux.com

    vofymik.com

    qeqysag.com

    puzylyp.com

    gadyniw.com

    lymysan.com

    volykyc.com

    qedynul.com

    pumypog.com

    galykes.com

    lysynur.com

    vonypom.com

    qekykev.com

    pupybul.com

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68e7675785b775a8353108be7d4e673b57c01946cb20bdd53990855632686146.exe
    "C:\Users\Admin\AppData\Local\Temp\68e7675785b775a8353108be7d4e673b57c01946cb20bdd53990855632686146.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\124C.tmp

    Filesize

    593B

    MD5

    926512864979bc27cf187f1de3f57aff

    SHA1

    acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

    SHA256

    b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

    SHA512

    f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Users\Admin\AppData\Local\Temp\DDA0.tmp

    Filesize

    1KB

    MD5

    c78f7811f8c726c0eab5c405b58e3f16

    SHA1

    731bb9db6d3ac8383071ae5c11403ee72329e357

    SHA256

    4f6280b64891d83127c5820d2c8b0f3d4307e32b5f93070fe3f0f43e751fb7c2

    SHA512

    f1e36bd7664b11ba09d9c511bd58c3d503b31a11c56e6c1f28710ce3fc30992e9198077ef252ec909db957d2650e9b04a673bfa9514fd71c015c78d0d361107e

  • C:\Users\Admin\AppData\Local\Temp\F7C8.tmp

    Filesize

    24KB

    MD5

    e9f28d77a9a9a01a3ed0c43b272be43c

    SHA1

    9382da7ca6b8df49e9b831b5ef39d050176276bc

    SHA256

    b206a5bad604679ef51fee8bc235a5744c85fca27187f8e4051bbaa8177218f6

    SHA512

    56af3686dbc3ae5c90a54677df141eab57908fd096f7a39563f1c9ee2a0ca9578266c7cbaa30b702ac27c0649c77ca27a9865af7f783cf5d127dab46a576bccf

  • C:\Users\Admin\AppData\Local\Temp\F80A.tmp

    Filesize

    1KB

    MD5

    da07c50efd72c5f22861c8b1a171b20a

    SHA1

    db44d805ccf28f556219a8c6a2d735178f354e02

    SHA256

    d13d8b66c44ecf73a18eec1531f7cc33f8b3183b2f39e2f6f416c0bcae157478

    SHA512

    bac68f3a3b22d324bedb8fe207e4df7ffafbdc4855613db3e18606c7f30b0cdb273c349fd8872e5c1966ef20871170025ed17d043513fe8c98e1f339a384d36c

  • C:\Users\Admin\AppData\Local\Temp\F82C.tmp

    Filesize

    42KB

    MD5

    6100fe1c10680428347fd3076074ca5b

    SHA1

    0ce265775ad36078624792a37334a32a308c266e

    SHA256

    62e022ef07b13a34c5133f088b4f38f5adbbbb90407c966508a75d395bb29a3c

    SHA512

    2982ba1a9a16184849f0befc9f3c9d9a03e65c06eddb23eb9bb366659618b1b53a47cbd70617b6fc0961d84ccc66f365df52247cba6a91056695e3b955220ef5

  • C:\Windows\AppPatch\svchost.exe

    Filesize

    218KB

    MD5

    f0515f89e8f65c1dfc67a60818721a8b

    SHA1

    114f18eb134b8853622e07455b4071006244e199

    SHA256

    e8ac61ce39be12c3d2632ede05d5b1ed6c60357432aec1e8472ef80e88822ca1

    SHA512

    ae00dcfb62d9b2383f4e43b26ed0d0395107b650c31598dddc619fe93604bd25ca8294951762a0a1d63f0b25826b9ba2bbf9c8b872f6eb1d01eb95cf5e288fea

  • memory/2200-0-0x0000000000220000-0x0000000000271000-memory.dmp

    Filesize

    324KB

  • memory/2200-1-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2200-17-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2200-16-0x0000000000220000-0x0000000000271000-memory.dmp

    Filesize

    324KB

  • memory/2200-15-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/2828-72-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-66-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-28-0x0000000002400000-0x00000000024A8000-memory.dmp

    Filesize

    672KB

  • memory/2828-31-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/2828-26-0x0000000002400000-0x00000000024A8000-memory.dmp

    Filesize

    672KB

  • memory/2828-24-0x0000000002400000-0x00000000024A8000-memory.dmp

    Filesize

    672KB

  • memory/2828-22-0x0000000002400000-0x00000000024A8000-memory.dmp

    Filesize

    672KB

  • memory/2828-32-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-34-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-36-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-52-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-54-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-84-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-83-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-82-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-81-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-80-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-79-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-78-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-76-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-75-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-74-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-73-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-20-0x0000000002400000-0x00000000024A8000-memory.dmp

    Filesize

    672KB

  • memory/2828-71-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-70-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-69-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-68-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-67-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-30-0x0000000002400000-0x00000000024A8000-memory.dmp

    Filesize

    672KB

  • memory/2828-65-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-63-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-62-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-61-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-60-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-59-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-58-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-57-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-56-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-55-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-53-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-51-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-50-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-49-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-47-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-45-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-44-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-43-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-77-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-42-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-41-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-40-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-64-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-39-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-48-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-46-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB

  • memory/2828-19-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/2828-18-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/2828-38-0x00000000025B0000-0x0000000002666000-memory.dmp

    Filesize

    728KB