socks5systemz | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba

General

Target

7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe
Size

4.6MB
MD5

93c9a67a0f183f4f1d9e3fdc7e8f8e69
SHA1

dacbe33276dc970cc778a4f62407ddb1ae65f64e
SHA256

7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba
SHA512

ec623ef15667f28d4e55da66f9846050da1bd78f0664f4d621090962ddd47855a4b4401bfa55253b687b441b0da59aa5c8ad3d50f1676264fb76c0cae54df77e
SSDEEP

98304:Qr/6Qib7v2y401+uJM5Opa5iSYasIHvvaNjTfcrXKNWf/8ITZJJ1yK9/4dm8:Y6Qizj+OmOpa5iPnIHa+20dTZL9/4dD

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/2680-154-0x0000000000730000-0x00000000007D2000-memory.dmp	family_socks5systemz
behavioral2/memory/2680-148-0x0000000000730000-0x00000000007D2000-memory.dmp	family_socks5systemz
behavioral2/memory/2680-161-0x0000000000730000-0x00000000007D2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp
220	printqueuemessaging.exe
2680	printqueuemessaging.exe

Loads dropped DLL 3 IoCs

pid	Process
3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp
3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp
3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 3824	5080	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe	90
PID 5080 wrote to memory of 3824	5080	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe	90
PID 5080 wrote to memory of 3824	5080	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe	90
PID 3824 wrote to memory of 4576	3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp	93
PID 3824 wrote to memory of 4576	3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp	93
PID 3824 wrote to memory of 4576	3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp	93
PID 3824 wrote to memory of 220	3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp	97
PID 3824 wrote to memory of 220	3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp	97
PID 3824 wrote to memory of 220	3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp	97
PID 4576 wrote to memory of 2892	4576	net.exe	95
PID 4576 wrote to memory of 2892	4576	net.exe	95
PID 4576 wrote to memory of 2892	4576	net.exe	95
PID 3824 wrote to memory of 2680	3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp	94
PID 3824 wrote to memory of 2680	3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp	94
PID 3824 wrote to memory of 2680	3824	7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp	94

C:\Users\Admin\AppData\Local\Temp\7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe
"C:\Users\Admin\AppData\Local\Temp\7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\is-HGE8I.tmp\7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HGE8I.tmp\7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp" /SL5="$C002E,4573314,54272,C:\Users\Admin\AppData\Local\Temp\7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 192
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 192
      4⤵
      PID:2892
- - C:\Users\Admin\AppData\Local\Print Queue Messaging\printqueuemessaging.exe
    "C:\Users\Admin\AppData\Local\Print Queue Messaging\printqueuemessaging.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2680
- - C:\Users\Admin\AppData\Local\Print Queue Messaging\printqueuemessaging.exe
    "C:\Users\Admin\AppData\Local\Print Queue Messaging\printqueuemessaging.exe" -i
    3⤵
    - Executes dropped EXE
    PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Print Queue Messaging\printqueuemessaging.exe

Filesize
893KB

MD5
9213e27616582dee1ad4f5cec73ee881

SHA1
cccc0cca7b390fd19c2bcc212ea7ca689dd52187

SHA256
c99750048ff5e576535ccf1c5aae655e85248edc7dde00f46b7a669ad48f49c2

SHA512
3b30ed9c7bfaa9f2a634e82055ac110eb6f143f341ae0e90203bd1e7d2f4c5f81e49d2607b3d97762a4751e61bf436dfece1f264a02caabf1762b6894a0f71f6

Download Submit
C:\Users\Admin\AppData\Local\Print Queue Messaging\printqueuemessaging.exe

Filesize
832KB

MD5
f7e050aaa97267ee9601de833eafaf18

SHA1
54ceadb4e33607bdf80ceac0130341ee31a8ca33

SHA256
d97ab730a769ba4538f819f0ef8bbf57b39bd4b1a29522a7645e8ede0608898a

SHA512
b8a046c1a94f24d90151ca5d0ebe0dc2b2be8f7c374d1b1c640cf88147dd895c15a059e1c24294bae14bd280c7bb58e7709738235151aefbdc77d0e861af9238

Download Submit
C:\Users\Admin\AppData\Local\Print Queue Messaging\printqueuemessaging.exe

Filesize
92KB

MD5
b79b1ac4f708fe159f96adcebad15928

SHA1
61c5c99c6d488e993b0ce87847b422e99797d3b4

SHA256
d9655cb2cb8f132f46155844e4539202479a0b1ef64505695e528465e5e06799

SHA512
4a25e4f6dcb4b2147dafdd3491f8ef2b5127f61c8ff313865ac05c54053816ffd6e2e8db1eb41e21626cd45da00b520678377b8b9a0e8241618256e0fcf5b41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HGE8I.tmp\7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp

Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HGE8I.tmp\7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp

Filesize
129KB

MD5
c8472a0ff7e934184a260d079b3c9427

SHA1
01e790b2cacd0f691cd30fa1f40e7a91e623ecba

SHA256
c47b003d9de62a24d131ffcccb93b106a16f5087058ddb22b06f77025e41208a

SHA512
801ae09d9dff931e5f3d494d3348ebabd5844e66690e280e698b3d26358ba1bba5399501f756a81cdecd101a6ea7f9770ed48099982f6791dbcabac8be45d3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U7AJP.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U7AJP.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
memory/220-125-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/220-122-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/220-121-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/220-126-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-157-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-164-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-130-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-180-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-177-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-133-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-173-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-170-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-138-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-137-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-141-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-144-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-147-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-153-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-154-0x0000000000730000-0x00000000007D2000-memory.dmp

Filesize
648KB

Download
memory/2680-148-0x0000000000730000-0x00000000007D2000-memory.dmp

Filesize
648KB

Download
memory/2680-167-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-160-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2680-161-0x0000000000730000-0x00000000007D2000-memory.dmp

Filesize
648KB

Download
memory/2680-129-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/3824-134-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3824-132-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3824-10-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/5080-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5080-131-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing