socks5systemz | 3c21c1067f2f7fd008b20dda0422e4b50f679aadf5e91817889f58d759282f1d

General

Target

tuc5.exe
Size

4.6MB
MD5

bbd6c397ebe993fcc61895265adae480
SHA1

b087e55a6d6a15e4fbd09d4641e389c80e3be62f
SHA256

3c21c1067f2f7fd008b20dda0422e4b50f679aadf5e91817889f58d759282f1d
SHA512

637ab0dd6966a132163a96ed5189703f450f73cc14758d31143bce765d7d95c3809f66d5c27fede311417914a8b7ff4df63fd7a947dfd97e3eca2e10720ebf2e
SSDEEP

98304:joMwMk2nFZC/PkQ/dq5FrCGhhya/eAasl3WqfVkrqoBHQnYZS/4dm8:6t2FZLQ/iVoAH3zkmoCMC4dD

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3880-144-0x00000000006D0000-0x0000000000772000-memory.dmp	family_socks5systemz
behavioral2/memory/3880-155-0x00000000006D0000-0x0000000000772000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
3976	tuc5.tmp
3604	startenergyfreelibrary.exe
3880	startenergyfreelibrary.exe

Loads dropped DLL 1 IoCs

pid	Process
3976	tuc5.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3976	tuc5.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 3976	1120	tuc5.exe	26
PID 1120 wrote to memory of 3976	1120	tuc5.exe	26
PID 1120 wrote to memory of 3976	1120	tuc5.exe	26
PID 3976 wrote to memory of 3620	3976	tuc5.tmp	92
PID 3976 wrote to memory of 3620	3976	tuc5.tmp	92
PID 3976 wrote to memory of 3620	3976	tuc5.tmp	92
PID 3976 wrote to memory of 3604	3976	tuc5.tmp	88
PID 3976 wrote to memory of 3604	3976	tuc5.tmp	88
PID 3976 wrote to memory of 3604	3976	tuc5.tmp	88
PID 3620 wrote to memory of 4760	3620	net.exe	89
PID 3620 wrote to memory of 4760	3620	net.exe	89
PID 3620 wrote to memory of 4760	3620	net.exe	89
PID 3976 wrote to memory of 3880	3976	tuc5.tmp	90
PID 3976 wrote to memory of 3880	3976	tuc5.tmp	90
PID 3976 wrote to memory of 3880	3976	tuc5.tmp	90

C:\Users\Admin\AppData\Local\Temp\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\is-FNVGJ.tmp\tuc5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FNVGJ.tmp\tuc5.tmp" /SL5="$B022E,4620919,423424,C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe
    "C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3604
- - C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe
    "C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3880
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 183
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 183
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe

Filesize
1.6MB

MD5
49d5f11c8252200e427bdbb3a2fc9a5d

SHA1
3681ca2aefd412fd59acdd7e37b7b5658d7d037a

SHA256
2fbb56193560aaa9ebce021b5ba6bbf33f08f6c0256f60f07361deefb4ad2fde

SHA512
0098c369ba4b26e2800cc109fa8ee5aa8efc93006c20a1442725e6e56a779e9f10c99b5f5e28ba7c81029df1c924b6802271b414b6abd96fb7ac71e9200ab855

Download Submit
C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe

Filesize
1.4MB

MD5
6ef2b91cc031311cc071dca05b08985d

SHA1
38e7613b038974edec241371f9b3134bc604ab2f

SHA256
09e3609be355289583b14211b04f76c72bd0efc7e6139f27e2d4236429a1504b

SHA512
128226fd71b854027c5f264386287a83388f18c94478fa0ef16811e8f542f3284f6b943a4acc2442cf72066c16558610bca9936baa3e2c3de187adaa7785f731

Download Submit
C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe

Filesize
156KB

MD5
fc1328f73cb3d709344baad13085e65b

SHA1
c6eee7e0b3e6d2926e9756a548aadf5980fe8483

SHA256
e1fa17ae9f1f6eae648a2d4709159c476c135168c5795f96eff4d9f259a4909b

SHA512
45717e883230e012a14e6913cd54e11923b6400652e7ca4841ee7cb3144c5ede6f960df92dc3a3177a719233dc0049e65747d6200bc4bc8b366f467f18e70bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FNVGJ.tmp\tuc5.tmp

Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FTOOP.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1120-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1120-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1120-125-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3604-115-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3604-116-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3604-120-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-145-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-144-0x00000000006D0000-0x0000000000772000-memory.dmp

Filesize
648KB

Download
memory/3880-122-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-174-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-127-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-171-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-132-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-131-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-135-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-138-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-141-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-124-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-148-0x00000000006D0000-0x0000000000772000-memory.dmp

Filesize
648KB

Download
memory/3880-168-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-151-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-154-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-155-0x00000000006D0000-0x0000000000772000-memory.dmp

Filesize
648KB

Download
memory/3880-158-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-161-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3880-164-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3976-10-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3976-128-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3976-126-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing