Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2024 01:49

General

  • Target

    a01d2dc5c6b9102ebd980dfa098ee3570deb263c0b9de8ee286352f21f058692.exe

  • Size

    355KB

  • MD5

    7c23aa408c7f3d69d4e2cd9cb761c391

  • SHA1

    f388c851f53c44756fab44dfeb714f04bbc9648e

  • SHA256

    a01d2dc5c6b9102ebd980dfa098ee3570deb263c0b9de8ee286352f21f058692

  • SHA512

    4d6cf62aafc615ea78027ac7dc5e3def3392d0bab4f0997c8ea5416730e34b546abcc1b6e161d4b11b704aabbe0e89af9b85bea5a102be8992e42dfcd661a961

  • SSDEEP

    6144:KgEmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9Ei:MmWhND9yJz+b1FcMLmp2ATTSsd

Malware Config

Extracted

Family

simda

Attributes
  • dga

    gatyfus.com

    lyvyxor.com

    vojyqem.com

    qetyfuv.com

    puvyxil.com

    gahyqah.com

    lyryfyd.com

    vocyzit.com

    qegyqaq.com

    purydyv.com

    gacyzuz.com

    lygymoj.com

    vowydef.com

    qexylup.com

    pufymoq.com

    gaqydeb.com

    lyxylux.com

    vofymik.com

    qeqysag.com

    puzylyp.com

    gadyniw.com

    lymysan.com

    volykyc.com

    qedynul.com

    pumypog.com

    galykes.com

    lysynur.com

    vonypom.com

    qekykev.com

    pupybul.com

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a01d2dc5c6b9102ebd980dfa098ee3570deb263c0b9de8ee286352f21f058692.exe
    "C:\Users\Admin\AppData\Local\Temp\a01d2dc5c6b9102ebd980dfa098ee3570deb263c0b9de8ee286352f21f058692.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPUS7TYC\login[1].htm

    Filesize

    162B

    MD5

    4f8e702cc244ec5d4de32740c0ecbd97

    SHA1

    3adb1f02d5b6054de0046e367c1d687b6cdf7aff

    SHA256

    9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

    SHA512

    21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HOI3BGS3\login[2].htm

    Filesize

    593B

    MD5

    3b03d93d3487806337b5c6443ce7a62d

    SHA1

    93a7a790bb6348606cbdaf5daeaaf4ea8cf731d0

    SHA256

    7392749832c70fcfc2d440d7afc2f880000dd564930d95d634eb1199fa15de30

    SHA512

    770977beaeedafc5c98d0c32edc8c6c850f05e9f363bc9997fa73991646b02e5d40ceed0017b06caeab0db86423844bc4b0a9f0df2d8239230e423a7bfbd4a88

  • C:\Users\Admin\AppData\Local\Temp\E468.tmp

    Filesize

    593B

    MD5

    926512864979bc27cf187f1de3f57aff

    SHA1

    acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

    SHA256

    b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

    SHA512

    f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Users\Admin\AppData\Local\Temp\F44B.tmp

    Filesize

    61KB

    MD5

    505934e4794554d70c85ebe72380ca61

    SHA1

    7ba49cf0730112f950fa755a5d0da5c8329ce31b

    SHA256

    39286c560bb6b2b1dd28298529352b1965c6808e619b8c6b1b3ddd4ea41d91b4

    SHA512

    a5d41fdd2393d2a352f4958c6c21dd40c5d5d4b9dd562ed60a26083a4cabd6e65ab906b20abff12fc473588a437245ec0370e2ba827a7d4af8dad9d443747416

  • C:\Users\Admin\AppData\Local\Temp\F45C.tmp

    Filesize

    24KB

    MD5

    7b560628cc95015a7ee5cc4a07cf825b

    SHA1

    3f76ff8edb20926c35c9a02997bf3509bd71879b

    SHA256

    f671a92c70c883d811965cbdc160b5ea93054309529ec287b9babddbd8cea480

    SHA512

    b7cb79c91c67d6bd2e34009f37a9f1befd2cdd2485a0e08575bd290847028c29b01c18ddce04cbf21dca724a870c338258eaec4867a3f5e8827a5ebebfdee486

  • C:\Users\Admin\AppData\Local\Temp\F47F.tmp

    Filesize

    1KB

    MD5

    99ec9c84656a80191f74d9aab2239113

    SHA1

    7dec19192719beb15fdc9ea710eececa7cf4e9fe

    SHA256

    09a8c3d39571c48d7e662d87c8fe205ce24c55c1b7a7d2d28a3fb5469746f1fc

    SHA512

    c476c73a8a0788661d57e939ecb9846af2bf1192dc005abafb16c594e18d7e3bb682316ddffe7d6c139c6ba6cd9212bd27b2bf8535d1575bd0a2160cd368a0e9

  • C:\Users\Admin\AppData\Local\Temp\F51D.tmp

    Filesize

    42KB

    MD5

    5b349494dc689fc073086c817cbd24e8

    SHA1

    966573d8be9e40053c4ac883aa910ffb2e41b516

    SHA256

    e2d7f6b5de1d3568a62fb74ad8c7ee73789155b7850456e15b084da26fb3ed9e

    SHA512

    3e43c83efdee02024f853a769c77380735973b5ae3c3b2cd43f022186d6e98fa07f689d7080eaa6d7717fbc62a93913e7fa66f2dca9031b7d34dbb4f54d9f248

  • C:\Users\Admin\AppData\Local\Temp\F51D.tmp

    Filesize

    42KB

    MD5

    fdb04be3542f1f8ae4209cfa9860f48b

    SHA1

    e2df2ca07e33b9d7e936db64adcb1a35304f82bb

    SHA256

    dfee0b042ee77ee0e6bd7b2adaaff48220d0299f6f9a8c5e63e70ae8cbd704b9

    SHA512

    2c9aa73cc52cdaf70dbe5e1fab14fc090db0913eb3fe1bb60e7afe557373267cb3a42bc7cd98ce2ccb3b15ab7de53b4ad506e81d8f0cd26f7a8ef6e0994e69dc

  • C:\Windows\apppatch\svchost.exe

    Filesize

    355KB

    MD5

    de5ae1814471c5342b6c89ac0e3b32c5

    SHA1

    5aa9ca4e5502def01bb8e6b6a0ddb23b599c38c5

    SHA256

    989911314bed16dda2f54596e14ad0def7bef272231f1d9c20f21f9bc2afe037

    SHA512

    13887501eb320d175501684c16885017a99118cad1d3e0fda75ee670fc59ee2b1c32558be2a646d911385f0b4ddd267618bd191836f2765b37e0edbc2749fa19

  • memory/1724-9-0x0000000000490000-0x00000000004EF000-memory.dmp

    Filesize

    380KB

  • memory/2300-43-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-35-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-36-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-41-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-42-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-71-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-70-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-67-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-65-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-61-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-52-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-50-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-49-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-48-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-47-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-46-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-45-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-44-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-13-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-39-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-40-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-38-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-37-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-17-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-33-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-31-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-30-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-27-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-28-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-26-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-25-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-22-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-23-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-21-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-20-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-19-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-18-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-34-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-15-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-11-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-10-0x0000000002E40000-0x0000000002EE8000-memory.dmp

    Filesize

    672KB

  • memory/2300-32-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-29-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-24-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-16-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB

  • memory/2300-310-0x0000000002F30000-0x0000000002FE6000-memory.dmp

    Filesize

    728KB