socks5systemz | 9397e1a3bd7e94ae5213d8dc4edef5e73fe8c6f0306196a1ffae832a3976e9ac

General

Target

5f4371e9fcc21652c9fb3867f64d4941.exe
Size

4.5MB
MD5

5f4371e9fcc21652c9fb3867f64d4941
SHA1

a19d69302a3993f2aca91d73bdc128e47b6ce174
SHA256

9397e1a3bd7e94ae5213d8dc4edef5e73fe8c6f0306196a1ffae832a3976e9ac
SHA512

3c736528fd01383b6fb37a30b306ccd0cfa6b2129cea650263d0a5488e1052c6348acac115ad394c7c70b647d42dc55f4811bd2321b11c3c4c6a37f9c8d21536
SSDEEP

98304:QDC5jNxoKkMBuu/KJmiuK3gqLkWSTGHVs49M4dm8:YCj6KPBuh8XUgqLXHLM4dD

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4848-154-0x0000000000880000-0x0000000000922000-memory.dmp	family_socks5systemz
behavioral2/memory/4848-148-0x0000000000880000-0x0000000000922000-memory.dmp	family_socks5systemz
behavioral2/memory/4848-161-0x0000000000880000-0x0000000000922000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1928	5f4371e9fcc21652c9fb3867f64d4941.tmp
2672	dvdreportviewer.exe
4848	dvdreportviewer.exe

Loads dropped DLL 3 IoCs

pid	Process
1928	5f4371e9fcc21652c9fb3867f64d4941.tmp
1928	5f4371e9fcc21652c9fb3867f64d4941.tmp
1928	5f4371e9fcc21652c9fb3867f64d4941.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1928	5f4371e9fcc21652c9fb3867f64d4941.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 1928	4312	5f4371e9fcc21652c9fb3867f64d4941.exe	89
PID 4312 wrote to memory of 1928	4312	5f4371e9fcc21652c9fb3867f64d4941.exe	89
PID 4312 wrote to memory of 1928	4312	5f4371e9fcc21652c9fb3867f64d4941.exe	89
PID 1928 wrote to memory of 1704	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	94
PID 1928 wrote to memory of 1704	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	94
PID 1928 wrote to memory of 1704	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	94
PID 1928 wrote to memory of 2672	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	92
PID 1928 wrote to memory of 2672	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	92
PID 1928 wrote to memory of 2672	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	92
PID 1704 wrote to memory of 3536	1704	net.exe	91
PID 1704 wrote to memory of 3536	1704	net.exe	91
PID 1704 wrote to memory of 3536	1704	net.exe	91
PID 1928 wrote to memory of 4848	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	95
PID 1928 wrote to memory of 4848	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	95
PID 1928 wrote to memory of 4848	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	95

C:\Users\Admin\AppData\Local\Temp\5f4371e9fcc21652c9fb3867f64d4941.exe
"C:\Users\Admin\AppData\Local\Temp\5f4371e9fcc21652c9fb3867f64d4941.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\is-SSR65.tmp\5f4371e9fcc21652c9fb3867f64d4941.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SSR65.tmp\5f4371e9fcc21652c9fb3867f64d4941.tmp" /SL5="$8022C,4446766,54272,C:\Users\Admin\AppData\Local\Temp\5f4371e9fcc21652c9fb3867f64d4941.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe
    "C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 1103
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
- - C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe
    "C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1103
1⤵
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe

Filesize
1024KB

MD5
6dd32bf998ded90dbb75fd9adc21e861

SHA1
d9ee6ca1688fe0e563ddc6a945798d8a04c50f77

SHA256
bb95d78447bb10869a3cad272392b42ea83b7d78d903fe00d81c0ac9ae2e2fb6

SHA512
c12a76f26301111503e78ce2c9daf80d66cbf8e61905200bc0b0b29905028bfd6111e2c16c69fff3762096ba752a317ca30603eb05e2c0b3ebb10650de5c8951

Download Submit
C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe

Filesize
832KB

MD5
7b5c1a7d9fc6b0fef2be24cc0990f8b1

SHA1
45932467c4ec8617d41a86d76e5d7d931f96ccea

SHA256
059bd0590b1b6e0497d342c2f64a0f0348e492a5cf7e02190301ab0bbbe94cce

SHA512
38c6baf40629beb564943ce680dd5d2136d5352b3d65fd6aff823b235ca28cfc851ee092ea378cf019c631efc276f1feb4ae4278efc71d1392af79a6b7af26b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OLND5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OLND5.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SSR65.tmp\5f4371e9fcc21652c9fb3867f64d4941.tmp

Filesize
111KB

MD5
809465a767988f3342e7028154fb1589

SHA1
85abaa8c4e80931562dc9b93f2c63b05e9c76970

SHA256
3c57cdd6f778e883f220be4483a9971970c9e7a3519bb7fdad219d8669e4fc2b

SHA512
51cb9c7d83c9ea18a02da6178ca3fc3e738985289b700e5d3677d307c378bc7638ad5b87df382503fede706e892dfa3d70a62751003d082e1c278c6c5a5195d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SSR65.tmp\5f4371e9fcc21652c9fb3867f64d4941.tmp

Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
memory/1928-134-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1928-132-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1928-13-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2672-121-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2672-125-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2672-126-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2672-122-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4312-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4312-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4312-131-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4848-133-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-153-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-128-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-137-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-138-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-141-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-144-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-147-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-154-0x0000000000880000-0x0000000000922000-memory.dmp

Filesize
648KB

Download
memory/4848-130-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-148-0x0000000000880000-0x0000000000922000-memory.dmp

Filesize
648KB

Download
memory/4848-157-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-160-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-161-0x0000000000880000-0x0000000000922000-memory.dmp

Filesize
648KB

Download
memory/4848-164-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-167-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-170-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-173-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-177-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-180-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing