Analysis

max time kernel: 146s
max time network: 134s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 10-01-2024 03:10
Static task: static1

Behavioral task: behavioral1
  Sample: 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe
  Resource: win10v2004-20231215-en
General

Target: 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe
Size: 4.6MB
MD5: 89c4b89bfe3c467d402be1652d128fae
SHA1: 7563e12553a9baef657da94329f211883dad5dbf
SHA256: 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e
SHA512: 6c3827371fcf256bf9ee681fcfc9cd44896eae59e43a5f31b7c0580c034a5cd1ec09a31d17e9bb943bab8ae9d5c05be70cc2bae3e514deb29a49739df89dc08b
SSDEEP: 98304:jX2LPehZtMJlsykp+UMzCqwpnYKx3tTa5HVfWt0VW+iDmGaKi2u1i0I+pqIjYd49:b4PIF1nYKxQ51fY0I+JN2b0xIIj24dD
Malware Config

Signatures
Detect Socks5Systemz Payload 2 IoCs
resource | yara_rule
behavioral1/memory/1520-160-0x0000000002480000-0x0000000002522000-memory.dmp | family_socks5systemz
behavioral1/memory/1520-169-0x0000000002480000-0x0000000002522000-memory.dmp | family_socks5systemz
Socks5Systemz
Socks5Systemz is a botnet written in C++.
Executes dropped EXE 3 IoCs
pid | Process
1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp
588 | startenergyfreelibrary.exe
1520 | startenergyfreelibrary.exe
Loads dropped DLL 5 IoCs
pid | Process
2044 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe
1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp
1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp
1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp
1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Runs net.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp
Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 2044 wrote to memory of 1896 | 2044 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe | 28
PID 2044 wrote to memory of 1896 | 2044 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe | 28
PID 2044 wrote to memory of 1896 | 2044 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe | 28
PID 2044 wrote to memory of 1896 | 2044 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe | 28
PID 2044 wrote to memory of 1896 | 2044 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe | 28
PID 2044 wrote to memory of 1896 | 2044 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe | 28
PID 2044 wrote to memory of 1896 | 2044 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe | 28
PID 1896 wrote to memory of 1580 | 1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp | 29
PID 1896 wrote to memory of 1580 | 1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp | 29
PID 1896 wrote to memory of 1580 | 1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp | 29
PID 1896 wrote to memory of 1580 | 1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp | 29
PID 1896 wrote to memory of 588 | 1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp | 32
PID 1896 wrote to memory of 588 | 1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp | 32
PID 1896 wrote to memory of 588 | 1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp | 32
PID 1896 wrote to memory of 588 | 1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp | 32
PID 1580 wrote to memory of 1100 | 1580 | net.exe | 31
PID 1580 wrote to memory of 1100 | 1580 | net.exe | 31
PID 1580 wrote to memory of 1100 | 1580 | net.exe | 31
PID 1580 wrote to memory of 1100 | 1580 | net.exe | 31
PID 1896 wrote to memory of 1520 | 1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp | 35
PID 1896 wrote to memory of 1520 | 1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp | 35
PID 1896 wrote to memory of 1520 | 1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp | 35
PID 1896 wrote to memory of 1520 | 1896 | 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp | 35
Processes

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe"
  PID: 2044
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\is-OPL1S.tmp\3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-OPL1S.tmp\3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp" /SL5="$70120,4621585,423424,C:\Users\Admin\AppData\Local\Temp\3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe"
    PID: 1896
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    Process (depth 3): C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\system32\net.exe" helpmsg 183
      PID: 1580
      - Suspicious use of WriteProcessMemory

      Process (depth 4): C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 helpmsg 183
        PID: 1100

    Process (depth 3): C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe
      Command line: "C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe" -i
      PID: 588
      - Executes dropped EXE

    Process (depth 3): C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe
      Command line: "C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe" -s
      PID: 1520
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 124KB
MD5: 612ed5f4ac1b9a20b90f7f848cf3e589
SHA1: 07b5ccfc349af5be7199decf845c553d858c13fb
SHA256: f86e6d663e1249827d069edb214d5ba169e5fe4a14a10e1c8bde6c2892714856
SHA512: 83c02bfd4422cbc287e61d92ca0f74889b0e0eec89465bf1f5b4d635ecbe412909f9f254f15b09063dce5adbc37a9fc50b127d715e5a31f32dac40f7f5d22025

Filesize: 648KB
MD5: 47ab8f0e9c2d42cc1bd59391c7400e66
SHA1: 0f6c5efdbd2c5d17063a63e8a5e2d7954ad599b8
SHA256: cfd25718e5d2d7564b67ba592e13bf5299429fb69f7f938c9cc5d986dc8bce49
SHA512: 264f8214aea6972768177df8276de391bb3869fe928b030bdb90e3f5f2db753cc57820b3d61276f00d6b3fa3d9cf745ab0b4dbe0ee7fd4a8b5a2c42ee9ff8e14

Filesize: 1.8MB
MD5: 9038475b574b38f03ff0393931abda4a
SHA1: a701ae2c012f7e435ff3411fbceb8f47630b94ec
SHA256: 640ae1d599f1f568b6ca2b7bf4440b998976b263b40f874150a4ed5ed87097bd
SHA512: 54f22137ff819135108c30a70e434c0732dcd3be024d37e4316a935cc2bd4c951f3fa299ae64d254b80dd00cb41d6f36d48d7d834cd14515358a19e98270b330

Filesize: 1.3MB
MD5: 415281afddaba5c97cc9758057b191fb
SHA1: 223689a7b86b20016fa8eba2db274b213648ba51
SHA256: 844cfdf70d93ba47ccb09518147c458cf614971a6ab1d72dd877b3901ad2f768
SHA512: 9504c9b47af3cbcf69c80857c9f59f9d4eacc7a1d7d38783aea37baa643d129854445581deead5376ccee3b1078e22b2a34b5445af5c465edf31a12adb244f70

Filesize: 2KB
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-OPL1S.tmp\3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp
Filesize: 688KB
MD5: a7662827ecaeb4fc68334f6b8791b917
SHA1: f93151dd228d680aa2910280e51f0a84d0cad105
SHA256: 05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d
SHA512: e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a