Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    20-11-2024 23:46

General

  • Target

    68e7675785b775a8353108be7d4e673b57c01946cb20bdd53990855632686146.exe

  • Size

    218KB

  • MD5

    f98d7f2dee538cd41a91c6f2909c1aa5

  • SHA1

    9962328339b1576de6b48e509d8280a6ad78856a

  • SHA256

    68e7675785b775a8353108be7d4e673b57c01946cb20bdd53990855632686146

  • SHA512

    930c252bad77920d55b75ad1cb0be44b108d543177fd2ca4f778c252c6e71718fa4eb2eeccb999d2dba141d7172cbc00698b9b3dbd92163b823bc6e2586111a4

  • SSDEEP

    3072:kvm4SZsQrNzPrl6rjGMjp39d4u8iqddCxMIJOb2o5DsBPjim6hwM2H6:y1SyAJp6rjn1gOObn4b6h9h

Malware Config

Extracted

Family

simda

Attributes
  • dga

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68e7675785b775a8353108be7d4e673b57c01946cb20bdd53990855632686146.exe
    "C:\Users\Admin\AppData\Local\Temp\68e7675785b775a8353108be7d4e673b57c01946cb20bdd53990855632686146.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:224

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H6N4U6J0\login[2].htm

    Filesize

    168B

    MD5

    d57e3a550060f85d44a175139ea23021

    SHA1

    2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

    SHA256

    43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

    SHA512

    0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

  • C:\Users\Admin\AppData\Local\Temp\2EBC.tmp

    Filesize

    593B

    MD5

    926512864979bc27cf187f1de3f57aff

    SHA1

    acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

    SHA256

    b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

    SHA512

    f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Users\Admin\AppData\Local\Temp\71F5.tmp

    Filesize

    24KB

    MD5

    ba7dd2201336f53a03644abb6fb8665d

    SHA1

    0477de6d6ebb37bd3fcca0b888216581682896df

    SHA256

    d8d2b7b845902c1145f17ec8b0440c637811ba11b356b100e265534884f4f535

    SHA512

    27573399b0ac207c77aec240e41ad4f040ceacdf2c321bbb9f362b17756d9e5f1079ff168000235a05d68fc3b0ab22d8b3d4b95834deab2e3f662da4c0ad8d14

  • C:\Users\Admin\AppData\Local\Temp\7207.tmp

    Filesize

    1KB

    MD5

    692084285e53020aeb77073b8a3d75fd

    SHA1

    a26d57ac126813f4584765c38345f71e99c64632

    SHA256

    3d409ebf9b12b928a9368abbd5909e721db8bfc3b8131c143e7420231706c1fa

    SHA512

    5803b8b33dcaaf6769d4040acfd8127a65e6c5d11da96c8b1e391d295fb92b233ce857566a14b2bb479baeec4052d98717e748909e2e5317f57472d9d2bd4dc3

  • C:\Users\Admin\AppData\Local\Temp\9040.tmp

    Filesize

    1KB

    MD5

    5b4292fccd2f5607cecba6d90671e0ca

    SHA1

    69f4828b7b27de9540099622028f117c0735aaa5

    SHA256

    301fcac7689cb99b1858fd3661edf86cfdaed04e33e57150a2e788097fa25473

    SHA512

    d319e03ef57f93f102e4a6ead239629219014b5f7fdc324e37e379ec1f7e087b05b13d824a3d4b7917b6811b40f4e2435ceb1a09c5551ca506548579c684864c

  • C:\Users\Admin\AppData\Local\Temp\9051.tmp

    Filesize

    61KB

    MD5

    a213d2953087e01cd1ce9b07bc836d21

    SHA1

    a257e91277894fc87a1e5d1cc5a1aac8df5e02a7

    SHA256

    429f683f510c95edad25203d585dbeede8c38c6cfa0b4add5050c42f365491bd

    SHA512

    5db6f0c9ec19af753770080da871ce4c80dfd0df744ab4eebe1533f08d3cf59b559e8b97bdd2bd0cbd6008afe78b57580b22c52d61e137bfabea2fa328bd43db

  • C:\Users\Admin\AppData\Local\Temp\90B3.tmp

    Filesize

    41KB

    MD5

    64a7ae7b529a920497a0e2be29cf44d0

    SHA1

    b9f5d054179d8454b81c44903a15d625f7fe8e2d

    SHA256

    4480fb75f42ad5fb30f61b0267939e1cb73d3ea88b8ce90154de9e85bb29fb33

    SHA512

    f051a7d0cabadbb707999049dbddbaf9388f2315bc14c3cefddc07bdba0ee949425c4e085129065cd335d40b2b8dff5bb37f9ce91b1b45a1a17359a1fe6bceac

  • C:\Windows\apppatch\svchost.exe

    Filesize

    218KB

    MD5

    02033b7b96064e2242bb09115bdaf058

    SHA1

    e7e47189d2ea4f5daa1340c7c207c909590e9315

    SHA256

    aba98ddb3bfda21f1b48de519c671dfd0c605eeb38f26aa3e059d461758772ad

    SHA512

    9e5b43b4ffea51ec9f68307d2ddb3376b6721fb42b5cdb3a7f44cfa7e9ccfd209414134a6328179aaf32802d1668f1c7ece24627abf867722a672c18a6130db3
