Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2024 03:03

General

  • Target

    8fe8dfa61cad1d076e6013e07c3105bc65e92ea3e0387f003961779072cebc0cN.exe

  • Size

    212KB

  • MD5

    03a0924385387186617bd07c6ecda030

  • SHA1

    5eda62b6642fa0699c49dab9f5467fae0e305014

  • SHA256

    8fe8dfa61cad1d076e6013e07c3105bc65e92ea3e0387f003961779072cebc0c

  • SHA512

    f0bed6935cbb5d0014f7dfde2146ec2ec902aab7ea8c416348b9213cfab0476b727f0ccfc6146219ae51b8ac37373f1422e5fb834abab5cce2503266167fa7fc

  • SSDEEP

    3072:5GwPsm1VrwxOsf0juzv8j4P1Hr6krr4IEhx9QZe2gO9mG9UHA30Vt3E/vDjb:5G/iVkO20SFgBhxtW9mG9+Umt3Ezjb

Malware Config

Extracted

Family

simda

Attributes
  • dga

    gatyfus.com

    lyvyxor.com

    vojyqem.com

    qetyfuv.com

    puvyxil.com

    gahyqah.com

    lyryfyd.com

    vocyzit.com

    qegyqaq.com

    purydyv.com

    gacyzuz.com

    lygymoj.com

    vowydef.com

    qexylup.com

    pufymoq.com

    gaqydeb.com

    lyxylux.com

    vofymik.com

    qeqysag.com

    puzylyp.com

    gadyniw.com

    lymysan.com

    volykyc.com

    qedynul.com

    pumypog.com

    galykes.com

    lysynur.com

    vonypom.com

    qekykev.com

    pupybul.com
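The 30 domains above are the report's network IoCs. The script below is an added example for this page (it is not sandbox output or any Simda tooling) that hunts constructed DNS query logs for them. Exact matches against the extracted list are high-confidence; the `DGA_SHAPE` heuristic is an assumption derived only from the shape every listed domain shares (seven lowercase letters alternating consonant/vowel with `y` as a vowel, under `.com`), not the real Simda algorithm, and it also matches ordinary words, so shape-only hits are low-confidence pivots.

```python
"""Hunt DNS query logs for the Simda DGA domains the sandbox extracted.

Added example for this report, not sandbox output or Simda tooling. The
exact-match list is copied from the report. DGA_SHAPE is an assumption
derived only from those 30 domains; it is not the real Simda DGA and will
also match ordinary words (see bananas.com below).
"""
import re
from collections import Counter, defaultdict

# Extracted by the sandbox (copied from the report above).
SIMDA_DGA_DOMAINS = frozenset({
    "gatyfus.com", "lyvyxor.com", "vojyqem.com", "qetyfuv.com", "puvyxil.com",
    "gahyqah.com", "lyryfyd.com", "vocyzit.com", "qegyqaq.com", "purydyv.com",
    "gacyzuz.com", "lygymoj.com", "vowydef.com", "qexylup.com", "pufymoq.com",
    "gaqydeb.com", "lyxylux.com", "vofymik.com", "qeqysag.com", "puzylyp.com",
    "gadyniw.com", "lymysan.com", "volykyc.com", "qedynul.com", "pumypog.com",
    "galykes.com", "lysynur.com", "vonypom.com", "qekykev.com", "pupybul.com",
})

_VOWELS = "aeiouy"
_CONSONANTS = "bcdfghjklmnpqrstvwxz"
# Shape shared by every listed domain: C V C V C V C + ".com" (assumption).
DGA_SHAPE = re.compile(rf"^(?:[{_CONSONANTS}][{_VOWELS}]){{3}}[{_CONSONANTS}]\.com$")

# Constructed DNS log lines: "<timestamp> <client> <qname> <rcode>".
# 10.0.0.12 queries three listed domains plus one shape-only false positive;
# 10.0.0.25 is clean; 10.0.0.31 exercises case/trailing-dot normalisation.
SAMPLE_LOG = [
    "2024-11-23T03:03:41Z 10.0.0.12 gatyfus.com NXDOMAIN",
    "2024-11-23T03:03:41Z 10.0.0.12 lyvyxor.com NXDOMAIN",
    "2024-11-23T03:03:42Z 10.0.0.12 vojyqem.com NOERROR",
    "2024-11-23T03:03:42Z 10.0.0.12 bananas.com NOERROR",
    "2024-11-23T03:03:43Z 10.0.0.25 www.microsoft.com NOERROR",
    "2024-11-23T03:03:44Z 10.0.0.25 update.example.org NOERROR",
    "2024-11-23T03:03:45Z 10.0.0.31 GATYFUS.COM. NXDOMAIN",
]


def normalise(qname):
    """Lower-case and drop the trailing root dot so lookups are canonical."""
    return qname.rstrip(".").lower()


def classify(qname):
    """'exact' for a listed IoC, 'shape' for a heuristic match, else None."""
    name = normalise(qname)
    if name in SIMDA_DGA_DOMAINS:
        return "exact"
    if DGA_SHAPE.match(name):
        return "shape"
    return None


def hunt(lines):
    """Return (timestamp, client, qname, rcode, confidence) for each hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        ts, client, qname, rcode = fields[:4]
        confidence = classify(qname)
        if confidence:
            hits.append((ts, client, normalise(qname), rcode, confidence))
    return hits


def summarize(hits):
    """Per-client counts of exact and shape hits. Several exact hits from one
    client inside a short window is the DGA beaconing pattern to alert on."""
    per_client = defaultdict(Counter)
    for _ts, client, _qname, _rcode, confidence in hits:
        per_client[client][confidence] += 1
    return dict(per_client)


if __name__ == "__main__":
    for client, counts in sorted(summarize(hunt(SAMPLE_LOG)).items()):
        print(client, dict(counts))
```

Feed it real resolver or Windows DNS debug logs by adapting the field split; the exact list stays authoritative, and the shape heuristic is only there to surface further candidates from the same host for manual review.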

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Simda family
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fe8dfa61cad1d076e6013e07c3105bc65e92ea3e0387f003961779072cebc0cN.exe
    "C:\Users\Admin\AppData\Local\Temp\8fe8dfa61cad1d076e6013e07c3105bc65e92ea3e0387f003961779072cebc0cN.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2832
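The process tree shows the two host-side artefacts worth hunting for: a `svchost.exe` launched from `C:\Windows\apppatch` by a user-temp executable instead of from `System32` by `services.exe`, and a Winlogon key modification. The script below is an added example for this page, not sandbox output or Simda tooling. The process snapshot and `.reg` export it checks are constructed: PIDs 2888 and 2832 and the apppatch path come from the report; the `services.exe` and legitimate `svchost.exe` entries, the parent PID of 2888, and the `Userinit` modification are illustrative assumptions (the report says only that Winlogon was modified, not which value). On a live host the same inputs would come from `Get-CimInstance Win32_Process` and `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`.

```python
"""Host triage for the behaviours in the report's process tree: svchost.exe
outside System32 with a non-services.exe parent, and Winlogon Shell/Userinit
values that deviate from the Windows defaults (ATT&CK T1547.004).

Added example for this report, not sandbox output or Simda tooling. Inputs
below are constructed; see the comments for which parts come from the report.
"""
import re

LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed process snapshot: (pid, ppid, image path). 2888 and 2832 and
# their paths are from the report; 440/504/876/1604 are made-up legitimate
# processes (wininit, services, a real svchost, explorer).
SAMPLE_PROCESSES = [
    (504, 440, "C:\\Windows\\System32\\services.exe"),
    (876, 504, "C:\\Windows\\System32\\svchost.exe"),
    (2888, 1604, "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
                 "8fe8dfa61cad1d076e6013e07c3105bc65e92ea3e0387f003961779072cebc0cN.exe"),
    (2832, 2888, "C:\\Windows\\apppatch\\svchost.exe"),
]

# Constructed .reg export. The Userinit append is an assumption about how the
# sample persists; the report only states that Winlogon was modified.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
"AutoRestartShell"=dword:00000001
'''


def suspicious_svchost(processes):
    """Return (pid, reason) for every svchost.exe whose image path is outside
    System32/SysWOW64 or whose parent is not services.exe."""
    by_pid = {pid: (ppid, path) for pid, ppid, path in processes}
    findings = []
    for pid, ppid, path in processes:
        lower = path.lower()
        if not lower.endswith("\\svchost.exe"):
            continue
        if not lower.startswith(LEGIT_SVCHOST_DIRS):
            findings.append((pid, "unexpected_path"))
        parent_path = by_pid.get(ppid, (None, ""))[1].lower()
        if not parent_path.endswith("\\services.exe"):
            findings.append((pid, "unexpected_parent"))
    return findings


_REG_KEY = re.compile(r"^\[(.+)\]$")
_REG_SZ = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text, key_suffix="\\Winlogon"):
    """Return the REG_SZ values of the key ending in key_suffix from a .reg
    export, un-escaping the doubled backslashes. dword/hex values are ignored."""
    values, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        key = _REG_KEY.match(line)
        if key:
            in_key = key.group(1).lower().endswith(key_suffix.lower())
            continue
        sz = _REG_SZ.match(line)
        if in_key and sz:
            values[sz.group(1)] = re.sub(r"\\(.)", r"\1", sz.group(2))
    return values


def winlogon_anomalies(values):
    """Flag Shell != explorer.exe and any Userinit entry other than
    <system32>\\userinit.exe; these two values are the usual Winlogon
    persistence targets."""
    findings = []
    shell = values.get("Shell", "explorer.exe").strip().lower()
    if shell != "explorer.exe":
        findings.append(f"Shell is {values['Shell']!r}, expected 'explorer.exe'")
    for entry in values.get("Userinit", "").split(","):
        entry = entry.strip()
        if entry and not entry.lower().endswith("\\system32\\userinit.exe"):
            findings.append(f"Userinit has unexpected entry {entry!r}")
    return findings


if __name__ == "__main__":
    for pid, reason in suspicious_svchost(SAMPLE_PROCESSES):
        print(f"PID {pid}: {reason}")
    for finding in winlogon_anomalies(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

The parent check matters as much as the path check: an attacker can also drop into a directory that is allow-listed by name, but a `svchost.exe` whose parent is anything other than `services.exe` is anomalous on Windows 7 regardless of where it sits.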

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\2944.tmp

    Filesize

    1KB

    MD5

    99311a72db99cf4bd55f1b33113fad0b

    SHA1

    849186cba9435016ae6b1c2f271c6072e2da2cc9

    SHA256

    92582d267abfa47e71a2bf000d1cc2199ee5ed7fe9748ada08f281619f8d9690

    SHA512

    67486dc74fc96d3876289bb85e86f8b74ec13b422654e6340c0774d893a0c7a83e6207d593e3e594339d1841a9fd116f9de2823a2e504f56057fb919f7e9279c

  • C:\Users\Admin\AppData\Local\Temp\65C6.tmp

    Filesize

    24KB

    MD5

    e339ee452c7afce2a2c1d2dda7852449

    SHA1

    117de703a5ba78ac1171177d0e19ad98ec74d3d0

    SHA256

    2fd09910c19ae1648eedbe70b88a9728fa1e7850065e7c1abcb2b080f40aa1f2

    SHA512

    6b27dd7f8e5becbd594ae6edd87ba80f8d369516889eafa2fd39d20554da137fd011e6f4d3893a7d971941ce74a1bb208313af52ab53112a23f9022e2dd9a156

  • C:\Users\Admin\AppData\Local\Temp\6636.tmp

    Filesize

    1KB

    MD5

    3d440d4bc14f81271cfe492e8ead7525

    SHA1

    110e9f73234558829a05cd3a62d67d4a8ca17478

    SHA256

    841ccccda5fd0ce7c5f582ae9e8756d10860826af42534df89cd7053013f6d9a

    SHA512

    c4df6245378fdccb02546da8eea28d09af00a46ac9246a0c61beb1a55fd82250f0ae96b44679d2c275f26f3042a751a10b6508e91d096dcff95563a397a43be6

  • C:\Users\Admin\AppData\Local\Temp\8762.tmp

    Filesize

    593B

    MD5

    926512864979bc27cf187f1de3f57aff

    SHA1

    acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

    SHA256

    b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

    SHA512

    f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Users\Admin\AppData\Local\Temp\F288.tmp

    Filesize

    1KB

    MD5

    c82b388f670f4ce8735abe1af207002e

    SHA1

    302ca1e954514ec9e40907babf80abc691f2b38a

    SHA256

    c77142697f1259aab21276ed2efca22d3b07ba87a55b0e98774ca173d6a245a9

    SHA512

    cd2184edb69722e86603bc8240ab247b260c70dae489aa46815af929cfa49b48ca87cb344090359b3ae2d893052d0103be0732845865ded1309bfd787c5936ed

  • C:\Users\Admin\AppData\Local\Temp\F28D.tmp

    Filesize

    42KB

    MD5

    0851f92f6a1c83ea662994853e71b8a1

    SHA1

    89603671c74703921cb83d06098c8e70baf1e4cd

    SHA256

    72e0fc883f1a37e742fc427b9baf39d2cb6998ddb83f5d41107d9958e46d982c

    SHA512

    a16bb49025b321e072ce1136d84f33397b6551cb4e1443f465ff0cd13b580cf78b02fffc6df911be89e9c74aa5fc184c6b39cd36c2ddb07143b1efe2e5eaba92

  • \Windows\AppPatch\svchost.exe

    Filesize

    212KB

    MD5

    0e68dd3d304fed21e52212ad71086a38

    SHA1

    fc130576b377c269188071801d338bd059ca3ae1

    SHA256

    95b272902d4fb590b4a30037f5f4e8d469b02b946f85535be111c49bf1ab2df2

    SHA512

    fe92a3cb2fcfd8cb8227070f9f89abf465abf3ed3d37de7c55f04d7325dd4eea06085a9b6b332e181b3a00f03cf6c2823389921f5044a2adee77509487cb8107

  • memory/2832-66-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-38-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-21-0x0000000000400000-0x00000000005B8000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-22-0x0000000001F30000-0x0000000001FD8000-memory.dmp

    Filesize

    672KB

  • memory/2832-32-0x0000000001F30000-0x0000000001FD8000-memory.dmp

    Filesize

    672KB

  • memory/2832-30-0x0000000001F30000-0x0000000001FD8000-memory.dmp

    Filesize

    672KB

  • memory/2832-28-0x0000000001F30000-0x0000000001FD8000-memory.dmp

    Filesize

    672KB

  • memory/2832-24-0x0000000001F30000-0x0000000001FD8000-memory.dmp

    Filesize

    672KB

  • memory/2832-33-0x0000000000400000-0x00000000005B8000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-26-0x0000000001F30000-0x0000000001FD8000-memory.dmp

    Filesize

    672KB

  • memory/2832-57-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-36-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-34-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-48-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-83-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-82-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-80-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-79-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-78-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-76-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-75-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-74-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-72-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-71-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-69-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-68-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-61-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-17-0x0000000000400000-0x00000000005B8000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-64-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-62-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-58-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-20-0x0000000000400000-0x00000000005B8000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-40-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-55-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-53-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-52-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-50-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-49-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-47-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-46-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-84-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-81-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-77-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-45-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-73-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-44-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-70-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-67-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-65-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-43-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-63-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-60-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-59-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-42-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-56-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-54-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-51-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2832-41-0x0000000002100000-0x00000000021B6000-memory.dmp

    Filesize

    728KB

  • memory/2888-16-0x0000000000400000-0x00000000005B8000-memory.dmp

    Filesize

    1.7MB

  • memory/2888-19-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2888-18-0x0000000000270000-0x00000000002C1000-memory.dmp

    Filesize

    324KB

  • memory/2888-0-0x0000000000400000-0x00000000005B8000-memory.dmp

    Filesize

    1.7MB

  • memory/2888-2-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2888-1-0x0000000000270000-0x00000000002C1000-memory.dmp

    Filesize

    324KB