Analysis

  • max time kernel: 146s
  • max time network: 134s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 10-01-2024 03:10

General

  • Target: 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe
  • Size: 4.6MB
  • MD5: 89c4b89bfe3c467d402be1652d128fae
  • SHA1: 7563e12553a9baef657da94329f211883dad5dbf
  • SHA256: 3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e
  • SHA512: 6c3827371fcf256bf9ee681fcfc9cd44896eae59e43a5f31b7c0580c034a5cd1ec09a31d17e9bb943bab8ae9d5c05be70cc2bae3e514deb29a49739df89dc08b
  • SSDEEP: 98304:jX2LPehZtMJlsykp+UMzCqwpnYKx3tTa5HVfWt0VW+iDmGaKi2u1i0I+pqIjYd49:b4PIF1nYKxQ51fY0I+JN2b0xIIj24dD

Malware Config

Signatures

  • Detect Socks5Systemz Payload 2 IoCs
  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe
    "C:\Users\Admin\AppData\Local\Temp\3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\AppData\Local\Temp\is-OPL1S.tmp\3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OPL1S.tmp\3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp" /SL5="$70120,4621585,423424,C:\Users\Admin\AppData\Local\Temp\3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\system32\net.exe" helpmsg 183
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1580
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 helpmsg 183
          4⤵
          PID:1100
        • C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe
          "C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe" -i
          3⤵
          • Executes dropped EXE
          PID:588
        • C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe
          "C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe" -s
          3⤵
          • Executes dropped EXE
          PID:1520

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe
    Filesize: 124KB
    MD5: 612ed5f4ac1b9a20b90f7f848cf3e589
    SHA1: 07b5ccfc349af5be7199decf845c553d858c13fb
    SHA256: f86e6d663e1249827d069edb214d5ba169e5fe4a14a10e1c8bde6c2892714856
    SHA512: 83c02bfd4422cbc287e61d92ca0f74889b0e0eec89465bf1f5b4d635ecbe412909f9f254f15b09063dce5adbc37a9fc50b127d715e5a31f32dac40f7f5d22025

  • C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe
    Filesize: 648KB
    MD5: 47ab8f0e9c2d42cc1bd59391c7400e66
    SHA1: 0f6c5efdbd2c5d17063a63e8a5e2d7954ad599b8
    SHA256: cfd25718e5d2d7564b67ba592e13bf5299429fb69f7f938c9cc5d986dc8bce49
    SHA512: 264f8214aea6972768177df8276de391bb3869fe928b030bdb90e3f5f2db753cc57820b3d61276f00d6b3fa3d9cf745ab0b4dbe0ee7fd4a8b5a2c42ee9ff8e14

  • C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe
    Filesize: 1.8MB
    MD5: 9038475b574b38f03ff0393931abda4a
    SHA1: a701ae2c012f7e435ff3411fbceb8f47630b94ec
    SHA256: 640ae1d599f1f568b6ca2b7bf4440b998976b263b40f874150a4ed5ed87097bd
    SHA512: 54f22137ff819135108c30a70e434c0732dcd3be024d37e4316a935cc2bd4c951f3fa299ae64d254b80dd00cb41d6f36d48d7d834cd14515358a19e98270b330

  • \Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe
    Filesize: 1.3MB
    MD5: 415281afddaba5c97cc9758057b191fb
    SHA1: 223689a7b86b20016fa8eba2db274b213648ba51
    SHA256: 844cfdf70d93ba47ccb09518147c458cf614971a6ab1d72dd877b3901ad2f768
    SHA512: 9504c9b47af3cbcf69c80857c9f59f9d4eacc7a1d7d38783aea37baa643d129854445581deead5376ccee3b1078e22b2a34b5445af5c465edf31a12adb244f70

  • \Users\Admin\AppData\Local\Temp\is-099BQ.tmp\_isetup\_iscrypt.dll
    Filesize: 2KB
    MD5: a69559718ab506675e907fe49deb71e9
    SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
    SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
    SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

  • \Users\Admin\AppData\Local\Temp\is-099BQ.tmp\_isetup\_shfoldr.dll
    Filesize: 22KB
    MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
    SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
    SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
    SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-OPL1S.tmp\3b20d2b68fa07bffa05fb0c61332ef5dbdd5aae247471d7c9a98e753b4a00a8e.tmp
    Filesize: 688KB
    MD5: a7662827ecaeb4fc68334f6b8791b917
    SHA1: f93151dd228d680aa2910280e51f0a84d0cad105
    SHA256: 05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d
    SHA512: e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

  • memory/588-132-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/588-135-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/588-121-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/588-123-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/588-120-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-155-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-160-0x0000000002480000-0x0000000002522000-memory.dmp (Filesize: 648KB)
  • memory/1520-178-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-175-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-172-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-169-0x0000000002480000-0x0000000002522000-memory.dmp (Filesize: 648KB)
  • memory/1520-168-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-137-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-139-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-142-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-145-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-146-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-149-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-152-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-165-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1520-158-0x0000000000400000-0x00000000005C5000-memory.dmp (Filesize: 1.8MB)
  • memory/1896-118-0x0000000002ED0000-0x0000000003095000-memory.dmp (Filesize: 1.8MB)
  • memory/1896-14-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
  • memory/1896-124-0x0000000000400000-0x00000000004BC000-memory.dmp (Filesize: 752KB)
  • memory/1896-129-0x0000000002ED0000-0x0000000003095000-memory.dmp (Filesize: 1.8MB)
  • memory/1896-127-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
  • memory/2044-122-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
  • memory/2044-0-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)