socks5systemz | b12aff75a9a173c15b91ad9b89718f7e73dcd72d97a623d732c4b24f52872b65

General

Target

tuc2.exe
Size

4.5MB
MD5

33d656492325072faf15c45a164487c6
SHA1

ac01c9853d8acba4025369e2aee2487a2f31a232
SHA256

b12aff75a9a173c15b91ad9b89718f7e73dcd72d97a623d732c4b24f52872b65
SHA512

2344f6290a3adf46182abb2587f5b2ca335a59902f96da3c0296497d83444f9047781e3ea9deff3c9c7aa00aa85205e68eb291d0fb9d5450232635942936f705
SSDEEP

98304:QSV6RmOv3vsD3ieHPRuLiWnx2XtEwJdVTio0O4dm8:Cmg3vc3iEPRuZitEm0O4dD

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/768-150-0x0000000000810000-0x00000000008B2000-memory.dmp	family_socks5systemz
behavioral2/memory/768-156-0x0000000000810000-0x00000000008B2000-memory.dmp	family_socks5systemz
behavioral2/memory/768-163-0x0000000000810000-0x00000000008B2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
3624	tuc2.tmp
4120	smartimagestorage.exe
768	smartimagestorage.exe

Loads dropped DLL 3 IoCs

pid	Process
3624	tuc2.tmp
3624	tuc2.tmp
3624	tuc2.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	81.31.197.38

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3624	tuc2.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3624	3076	tuc2.exe	87
PID 3076 wrote to memory of 3624	3076	tuc2.exe	87
PID 3076 wrote to memory of 3624	3076	tuc2.exe	87
PID 3624 wrote to memory of 936	3624	tuc2.tmp	95
PID 3624 wrote to memory of 936	3624	tuc2.tmp	95
PID 3624 wrote to memory of 936	3624	tuc2.tmp	95
PID 3624 wrote to memory of 4120	3624	tuc2.tmp	94
PID 3624 wrote to memory of 4120	3624	tuc2.tmp	94
PID 3624 wrote to memory of 4120	3624	tuc2.tmp	94
PID 936 wrote to memory of 1960	936	net.exe	92
PID 936 wrote to memory of 1960	936	net.exe	92
PID 936 wrote to memory of 1960	936	net.exe	92
PID 3624 wrote to memory of 768	3624	tuc2.tmp	93
PID 3624 wrote to memory of 768	3624	tuc2.tmp	93
PID 3624 wrote to memory of 768	3624	tuc2.tmp	93

C:\Users\Admin\AppData\Local\Temp\tuc2.exe
"C:\Users\Admin\AppData\Local\Temp\tuc2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\is-OLMFT.tmp\tuc2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OLMFT.tmp\tuc2.tmp" /SL5="$800A2,4453908,54272,C:\Users\Admin\AppData\Local\Temp\tuc2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Users\Admin\AppData\Local\Smart Image Storage\smartimagestorage.exe
    "C:\Users\Admin\AppData\Local\Smart Image Storage\smartimagestorage.exe" -s
    3⤵
    - Executes dropped EXE
    PID:768
- - C:\Users\Admin\AppData\Local\Smart Image Storage\smartimagestorage.exe
    "C:\Users\Admin\AppData\Local\Smart Image Storage\smartimagestorage.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4120
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 163
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 163
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Smart Image Storage\smartimagestorage.exe

Filesize
893KB

MD5
ad242898ee9a6b5fd657aea7e585f944

SHA1
0f2aa2e11d33ea2ad7918ae4cb64d7a2303da3b1

SHA256
e65c7d76ac08ff30250f737585702aa90f3d3667e7dada35d2c3de2f60cd1692

SHA512
cc37521a6c3d79be20a36561b3961e13f2da1779c4126ae54c3411a2592e790582f6316b8a4d2f2825bc786a95d6ec01deb2603009995639bc34dc2de6f60b57

Download Submit
C:\Users\Admin\AppData\Local\Smart Image Storage\smartimagestorage.exe

Filesize
92KB

MD5
c42cc7d44d09523719648d6f749b4d29

SHA1
53285513bfd29b56c3448873493d5f825d2729a9

SHA256
f8800c4e144acfc3f2c8a552592ee28ce52eac391b84d908b606d99aeeeb75ab

SHA512
a3111a140906d9282cc0515e152368d140188cccb6c0e7b242470c374cf991d34e5bcefb26b13115b15403ca502011416ad184fa5bb9a2b603d5eb93d48c6d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LAEN3.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LAEN3.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OLMFT.tmp\tuc2.tmp

Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
memory/768-135-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-162-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-130-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-132-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-181-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-178-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-175-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-172-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-169-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-166-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-163-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/768-159-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-156-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/768-139-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-140-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-143-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-146-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-149-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/768-150-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/768-155-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3076-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3076-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3076-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3624-136-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3624-134-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3624-10-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4120-123-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4120-124-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4120-127-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4120-128-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing