socks5systemz | 1fa544646d6c53b124a6c43bdb0479fcd254e74dafe992c537ad40d7b7d0a850

Analysis

max time kernel
146s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee662511c5f8dbf74f7b8b5151464bd1.exe
Size

4.6MB
MD5

ee662511c5f8dbf74f7b8b5151464bd1
SHA1

5423c7913005bc5f19ab13cef9c405f97b54614a
SHA256

1fa544646d6c53b124a6c43bdb0479fcd254e74dafe992c537ad40d7b7d0a850
SHA512

c64cca3d608ee3e3045dcddaa17ac4540e11593e5064b6e549610739059c4c0fc515f442cf0346a27618e197df0c9796e6d761c935185282f54fc563fb823341
SSDEEP

98304:ti/pvA3Q7k+4dniEoqAmVTNKjmijbsjwZjUNHlyBmvVPahUhlFNTndZ7kq:0/pv0ekNdhoSt4jpbsjwiNHam9PXFx7L

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1316-156-0x00000000026E0000-0x0000000002782000-memory.dmp	family_socks5systemz
behavioral1/memory/1316-167-0x00000000026E0000-0x0000000002782000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2112	is-S0VPK.tmp
2792	imaptestplugin.exe
1316	imaptestplugin.exe

Loads dropped DLL 10 IoCs

pid	Process
1140	ee662511c5f8dbf74f7b8b5151464bd1.exe
2112	is-S0VPK.tmp
2112	is-S0VPK.tmp
2112	is-S0VPK.tmp
2112	is-S0VPK.tmp
2792	imaptestplugin.exe
2792	imaptestplugin.exe
2112	is-S0VPK.tmp
1316	imaptestplugin.exe
1316	imaptestplugin.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2112	1140	ee662511c5f8dbf74f7b8b5151464bd1.exe	28
PID 1140 wrote to memory of 2112	1140	ee662511c5f8dbf74f7b8b5151464bd1.exe	28
PID 1140 wrote to memory of 2112	1140	ee662511c5f8dbf74f7b8b5151464bd1.exe	28
PID 1140 wrote to memory of 2112	1140	ee662511c5f8dbf74f7b8b5151464bd1.exe	28
PID 1140 wrote to memory of 2112	1140	ee662511c5f8dbf74f7b8b5151464bd1.exe	28
PID 1140 wrote to memory of 2112	1140	ee662511c5f8dbf74f7b8b5151464bd1.exe	28
PID 1140 wrote to memory of 2112	1140	ee662511c5f8dbf74f7b8b5151464bd1.exe	28
PID 2112 wrote to memory of 2792	2112	is-S0VPK.tmp	29
PID 2112 wrote to memory of 2792	2112	is-S0VPK.tmp	29
PID 2112 wrote to memory of 2792	2112	is-S0VPK.tmp	29
PID 2112 wrote to memory of 2792	2112	is-S0VPK.tmp	29
PID 2112 wrote to memory of 2792	2112	is-S0VPK.tmp	29
PID 2112 wrote to memory of 2792	2112	is-S0VPK.tmp	29
PID 2112 wrote to memory of 2792	2112	is-S0VPK.tmp	29
PID 2112 wrote to memory of 1316	2112	is-S0VPK.tmp	30
PID 2112 wrote to memory of 1316	2112	is-S0VPK.tmp	30
PID 2112 wrote to memory of 1316	2112	is-S0VPK.tmp	30
PID 2112 wrote to memory of 1316	2112	is-S0VPK.tmp	30
PID 2112 wrote to memory of 1316	2112	is-S0VPK.tmp	30
PID 2112 wrote to memory of 1316	2112	is-S0VPK.tmp	30
PID 2112 wrote to memory of 1316	2112	is-S0VPK.tmp	30

C:\Users\Admin\AppData\Local\Temp\ee662511c5f8dbf74f7b8b5151464bd1.exe
"C:\Users\Admin\AppData\Local\Temp\ee662511c5f8dbf74f7b8b5151464bd1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\is-FU913.tmp\is-S0VPK.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FU913.tmp\is-S0VPK.tmp" /SL4 $5014E "C:\Users\Admin\AppData\Local\Temp\ee662511c5f8dbf74f7b8b5151464bd1.exe" 4637210 431616
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe
    "C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe" -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2792
- - C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe
    "C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe" -s
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe

Filesize
388KB

MD5
4c218d514e1bed87c43669ab8c319329

SHA1
060fdfa4a7b00d628b79f8bcf6431d0c9e8f8262

SHA256
edce3bbbe83262e85f422a76ac52227e3c6a6d10b90e6ec0e75195e8e151f9d0

SHA512
af19275b0b0cbfd14598e82541f392c6eb0b98db56c5ab2854a1042cc60fd790f25a61acf64140037c5b650a6337124f46c92a6d05432a49f680350106554dba

Download Submit
C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe

Filesize
50KB

MD5
cde50589dab596ec51edffa863579a8c

SHA1
676b6a1f16ea920bcc069eb23af11b9f9bb9e092

SHA256
5a86f407fc5e22c0902e782fc97a1dd6121b60aa1c3bd42e94853a5e7bc657d0

SHA512
cba13a200dc8e09b735302f46ab66bcd12033add347035ed46bab7d4035da5405eb2ec6b3417f4035a34761c639f5b344d79ce47dbe659d03fc77f9186852699

Download Submit
C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe

Filesize
16KB

MD5
b0da9ad2e195a5d6a5860402c7b02dd7

SHA1
a4a133c616f7bab27aef181ff5e24890d0208c7c

SHA256
7c0e8553f6e2bb07aee0f5ade59e3b4294c416b2465c2c9d1fb262459b5e3a5c

SHA512
1fb0825a4414e63d64d53d995a5fecc8e3118a6dd337651b710636414027d4bd2e7038ae302097e2592cc3f314f59a28b9bb0559f68cd5cb25c0cafb62fc29ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FU913.tmp\is-S0VPK.tmp

Filesize
212KB

MD5
8e4b24fe84fe0901bbde7ad17ba09898

SHA1
34088023683e36e3bb336ec5fcc1e3d7eacb343e

SHA256
09dae890f1fdc78e0a6e55cb3a0dba9f309198952609345a6727bca42cce1e01

SHA512
c1ed43d913344e55acd0ed20d9741525466f17ea017f407e2a0b89c5018b850dc10c6a4a9cde0bc1e40d0cb0d3c1f2d4858e739fba9b3f37c24bcb2c6d0b119f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FU913.tmp\is-S0VPK.tmp

Filesize
29KB

MD5
502040d47be09186be5dde4be59003fd

SHA1
52bb4db604bed61fea7b5b160a405d590f6558ca

SHA256
953c5e4a4c40e576887dfc6bb63e353a921f2fb6bc1eac821ea1abca01085f40

SHA512
66de2e82312d46c886a048fe7cbef4e45480fef27fa5a0ccaf0b9492cc14cbad5fe92cf2da925de6adea6b55b15241766bdf2d193f80f0d1352f8d6e9346dc97

Download Submit
\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe

Filesize
704KB

MD5
cdf552f894d7846c31e225fb5e0fdaab

SHA1
a86818e97736735daad86b29201017849a19dcf7

SHA256
43c29f7df3635cd6b087128205c34109febf3b0464863b5d606da4ba3ee99c98

SHA512
3d600541cd40f2457fcb347a51693717588ac79c8be4aa598974ba25b20a9d998840bf8a282d037c65fe3336dab6a8b68b089e4d8ffe197929ec0069c4347748

Download Submit
\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe

Filesize
45KB

MD5
517af39f175f0e269ce5aed442081ca4

SHA1
6b130cfaf74224ff0ddab9fdc55362a9aded2ec2

SHA256
4cde2166901b9587facd3315ca9ae5bdee64501ef9346803fcdc6f2a32d8a799

SHA512
66bb146d8281d789fbff778844ddced0325b41dbad82758ec8f6e892039d92e8c1f1f89f34951b5bf288168bfe15f2589ae099f256305d48a38ddf42cd0f22c2

Download Submit
\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe

Filesize
114KB

MD5
1f766ee344dfcc8b46e79e145f51d948

SHA1
339ec4cc51321acf18ae8dc4c70e38033adeb74a

SHA256
4e66702565483c1356b5b47b4605abc066b45b5bb217eddf7607fe4f3240dc9f

SHA512
95cd0ee535db6e5bf53aa0b51b1bdf922c2d3915fabed76b749892f0366694cc2fa4a7166f36475dd2fa1f9480560744f370aaab18e7c4ca75277bd0b1b79b76

Download Submit
\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe

Filesize
108KB

MD5
9961934a63746ac8f0753c84a9b40e31

SHA1
e6ab972ba2737b1fab31bda29da4d0d6e5f99c82

SHA256
22edd7c0bfc664b66bd78eed26dbff4aa4c1196ec3463ed1db0068dc2fcfcf7e

SHA512
f6a71eeaf57a51535c7f1257b344ce4dadd7e79bd4b9e769553129bd9b0b6608906d40d0f411dcb0867f2ca434038005288a766ca6989a53d2fa5f66fcdb8a9e

Download Submit
\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe

Filesize
61KB

MD5
a92f985b31f28d25c5a489a806a27010

SHA1
74f7b32a2762faf8f55cc2716a3641de82b76d51

SHA256
eb82c3c8586f97e917666d6cc11f7932c182a87f9e484154f17452a5b75b30d2

SHA512
6d53d59884ae04f6b16da43b776263d2c218131e153f4052d8c9cdb8d717a2a1ba26d2297698ef88346180cf884d89e4b30865a15b42728259e17bd98052ff66

Download Submit
\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe

Filesize
168KB

MD5
db0010a762b6a0dd449d4b844fc5e896

SHA1
4ad4974fb44fea92cf2de4ba10eb1373079ae587

SHA256
648c826a96c0c4eb967e20b24ca53d511591d2153fe9e03c3ec78f119435b142

SHA512
5ad7de71c3b505e01d8fda95e75cdab183cf1bc87c1a8138c38ae54964b738e7bbfa29408bc4c94e860b5f185dadbbc3819feb7a715d7e28703c0ffaed93345f

Download Submit
\Users\Admin\AppData\Local\Temp\is-FU913.tmp\is-S0VPK.tmp

Filesize
425KB

MD5
46fceaf6948b8fa8a8966df1947bf804

SHA1
b6fac7bf64e43c63d16a254f8713aef5c94e08bd

SHA256
9b89026202a71ef1f38c4681342660fc65886af8d548f395e663a20b00809839

SHA512
1b6c91ae59087cc266b73b430689a839c3cae69b9b7732c91af40f5f299de3ef5a548a96cc3a01cb2e40347fe5bda08fb7cf86b3a15fc53a21c9152f6289bfd8

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q5PJM.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q5PJM.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1140-135-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1140-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1140-0-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1316-142-0x0000000000DA0000-0x0000000000FA8000-memory.dmp

Filesize
2.0MB

Download
memory/1316-161-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-131-0x0000000000DA0000-0x0000000000FA8000-memory.dmp

Filesize
2.0MB

Download
memory/1316-132-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-146-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-184-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-134-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-181-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-177-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-174-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-138-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-141-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-145-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-171-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-168-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-149-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-152-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-155-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1316-156-0x00000000026E0000-0x0000000002782000-memory.dmp

Filesize
648KB

Download
memory/1316-167-0x00000000026E0000-0x0000000002782000-memory.dmp

Filesize
648KB

Download
memory/1316-164-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2112-117-0x0000000003260000-0x0000000003468000-memory.dmp

Filesize
2.0MB

Download
memory/2112-137-0x0000000003260000-0x0000000003468000-memory.dmp

Filesize
2.0MB

Download
memory/2112-136-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2792-125-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2792-122-0x0000000000BF0000-0x0000000000DF8000-memory.dmp

Filesize
2.0MB

Download
memory/2792-123-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2792-126-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download