Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 23:57

General

  • Target

    68e7675785b775a8353108be7d4e673b57c01946cb20bdd53990855632686146.exe

  • Size

    218KB

  • MD5

    f98d7f2dee538cd41a91c6f2909c1aa5

  • SHA1

    9962328339b1576de6b48e509d8280a6ad78856a

  • SHA256

    68e7675785b775a8353108be7d4e673b57c01946cb20bdd53990855632686146

  • SHA512

    930c252bad77920d55b75ad1cb0be44b108d543177fd2ca4f778c252c6e71718fa4eb2eeccb999d2dba141d7172cbc00698b9b3dbd92163b823bc6e2586111a4

  • SSDEEP

    3072:kvm4SZsQrNzPrl6rjGMjp39d4u8iqddCxMIJOb2o5DsBPjim6hwM2H6:y1SyAJp6rjn1gOObn4b6h9h

Malware Config

Extracted

Family

simda

Attributes
  • dga

    gatyfus.com

    lyvyxor.com

    vojyqem.com

    qetyfuv.com

    puvyxil.com

    gahyqah.com

    lyryfyd.com

    vocyzit.com

    qegyqaq.com

    purydyv.com

    gacyzuz.com

    lygymoj.com

    vowydef.com

    qexylup.com

    pufymoq.com

    gaqydeb.com

    lyxylux.com

    vofymik.com

    qeqysag.com

    puzylyp.com

    gadyniw.com

    lymysan.com

    volykyc.com

    qedynul.com

    pumypog.com

    galykes.com

    lysynur.com

    vonypom.com

    qekykev.com

    pupybul.com

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68e7675785b775a8353108be7d4e673b57c01946cb20bdd53990855632686146.exe
    "C:\Users\Admin\AppData\Local\Temp\68e7675785b775a8353108be7d4e673b57c01946cb20bdd53990855632686146.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HA5FC889\login[1].htm

    Filesize

    168B

    MD5

    d57e3a550060f85d44a175139ea23021

    SHA1

    2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

    SHA256

    43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

    SHA512

    0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

  • C:\Users\Admin\AppData\Local\Temp\486.tmp

    Filesize

    24KB

    MD5

    ac3eea8020d54fbeb91af736aafed61d

    SHA1

    a88b2295b9529697073bd356a7c8cd79fdab758c

    SHA256

    7352b14db1536e3ae15ac7ae082b0ba5865a9fce05b9fca100290b27626e4dd2

    SHA512

    606330997c1a3eccf397160cbd77d24781ef78490def91ac9837ff0eff01fafdc1029d41830eed9eed91c01bf1365acde08af4f6e949631f758fdef053a8e7cf

  • C:\Users\Admin\AppData\Local\Temp\488.tmp

    Filesize

    61KB

    MD5

    20075caa7461526e022da5b0e84780be

    SHA1

    8570bfa38bc5565282fcd2e4b88353516a6efdaa

    SHA256

    1129b532f4fb222929721cc222681a1b1dc2d4dba49c923fac1bcd2618e19a90

    SHA512

    1a22fea1eac123f790e7c737073fba937ebd1110227f8e0af3c2adfecedc9101e59f949cacad2e68413d75706b46083d3e496f0df82ba2d69afa3eefe827a168

  • C:\Users\Admin\AppData\Local\Temp\50C.tmp

    Filesize

    42KB

    MD5

    27fba15ae2e0e5ca1381f0041f83f33f

    SHA1

    37e8089807ff4c6e15583382e674b29d2df4cc87

    SHA256

    1b08e80f829e3a44150506f6b42cf87487bafbd8c89f332ed25a05557cdd44ae

    SHA512

    effa90ad0c6dc84989564561c56f60c450b726a9a31c1701f535addcf999ea6ceff1899822300678e7e46c74bb5a27e8b82ddc286cbfd65fb5ac651982ee2a54

  • C:\Users\Admin\AppData\Local\Temp\50C.tmp

    Filesize

    42KB

    MD5

    02daaf640713b82b21c564401e5465e6

    SHA1

    ce4cc46ae6e06a4810773ddb066e7ca5c0c55c44

    SHA256

    6c1ed163614a06cdab80e2ba6402d39643a327824e62b265ed2f4991ecd65fc1

    SHA512

    f49f9b14928524ee66c21e59564dab5ec5059220b0fa4da2b9cd325af71374d59206834f68fe1d6f225ed94c478db73c87880e910b149f4ac95244a5e3ac4ae7

  • C:\Users\Admin\AppData\Local\Temp\F196.tmp

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\F196.tmp

    Filesize

    593B

    MD5

    926512864979bc27cf187f1de3f57aff

    SHA1

    acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

    SHA256

    b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

    SHA512

    f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Windows\apppatch\svchost.exe

    Filesize

    218KB

    MD5

    bafc694e7e585d4a455d2ebaa3dc0e35

    SHA1

    dca4b63ba4c5714493016785c49f65070e47fce2

    SHA256

    0c2e89dab2b1ddfbb74e9017a69e6d0db345cd9aab82ec5cc6e3a62486c5b143

    SHA512

    18a9882cc81a8bba58939f825d59e1ccca1857c23a25f00570c0ee967d3bc6342edc88a82eb9834ff3212d619ebdb5092ec18e36ba58987e9929f0619c03532a

  • memory/2540-51-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-73-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-44-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-79-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-78-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-46-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-76-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-75-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-74-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-45-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-72-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-71-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-70-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-69-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-68-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-67-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-66-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-65-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-64-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-63-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-62-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-61-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-60-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-59-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-58-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-57-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-56-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-55-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-53-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-52-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-22-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-50-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-49-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-48-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-47-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-77-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-28-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-43-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-42-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-41-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-40-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-39-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-38-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-37-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-36-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-35-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-34-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-33-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-32-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-31-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-30-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-29-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-27-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-26-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-25-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-24-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-23-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-54-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-20-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-18-0x0000000002D00000-0x0000000002DB6000-memory.dmp

    Filesize

    728KB

  • memory/2540-14-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/2540-17-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/2540-16-0x00000000028D0000-0x0000000002978000-memory.dmp

    Filesize

    672KB

  • memory/2540-15-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/3152-0-0x0000000000760000-0x00000000007B1000-memory.dmp

    Filesize

    324KB

  • memory/3152-1-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/3152-11-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/3152-13-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/3152-12-0x0000000000760000-0x00000000007B1000-memory.dmp

    Filesize

    324KB