socks5systemz | 1fa544646d6c53b124a6c43bdb0479fcd254e74dafe992c537ad40d7b7d0a850

General

Target

ee662511c5f8dbf74f7b8b5151464bd1.exe
Size

4.6MB
MD5

ee662511c5f8dbf74f7b8b5151464bd1
SHA1

5423c7913005bc5f19ab13cef9c405f97b54614a
SHA256

1fa544646d6c53b124a6c43bdb0479fcd254e74dafe992c537ad40d7b7d0a850
SHA512

c64cca3d608ee3e3045dcddaa17ac4540e11593e5064b6e549610739059c4c0fc515f442cf0346a27618e197df0c9796e6d761c935185282f54fc563fb823341
SSDEEP

98304:ti/pvA3Q7k+4dniEoqAmVTNKjmijbsjwZjUNHlyBmvVPahUhlFNTndZ7kq:0/pv0ekNdhoSt4jpbsjwiNHam9PXFx7L

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/496-147-0x0000000000850000-0x00000000008F2000-memory.dmp	family_socks5systemz
behavioral2/memory/496-146-0x0000000000850000-0x00000000008F2000-memory.dmp	family_socks5systemz
behavioral2/memory/496-157-0x0000000000850000-0x00000000008F2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1944	is-F4VIN.tmp
1572	imaptestplugin.exe
496	imaptestplugin.exe

Loads dropped DLL 1 IoCs

pid	Process
1944	is-F4VIN.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1944	1444	ee662511c5f8dbf74f7b8b5151464bd1.exe	92
PID 1444 wrote to memory of 1944	1444	ee662511c5f8dbf74f7b8b5151464bd1.exe	92
PID 1444 wrote to memory of 1944	1444	ee662511c5f8dbf74f7b8b5151464bd1.exe	92
PID 1944 wrote to memory of 1572	1944	is-F4VIN.tmp	95
PID 1944 wrote to memory of 1572	1944	is-F4VIN.tmp	95
PID 1944 wrote to memory of 1572	1944	is-F4VIN.tmp	95
PID 1944 wrote to memory of 496	1944	is-F4VIN.tmp	96
PID 1944 wrote to memory of 496	1944	is-F4VIN.tmp	96
PID 1944 wrote to memory of 496	1944	is-F4VIN.tmp	96

C:\Users\Admin\AppData\Local\Temp\ee662511c5f8dbf74f7b8b5151464bd1.exe
"C:\Users\Admin\AppData\Local\Temp\ee662511c5f8dbf74f7b8b5151464bd1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\is-ARQPJ.tmp\is-F4VIN.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ARQPJ.tmp\is-F4VIN.tmp" /SL4 $70178 "C:\Users\Admin\AppData\Local\Temp\ee662511c5f8dbf74f7b8b5151464bd1.exe" 4637210 431616
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe
    "C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe
    "C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe" -s
    3⤵
    - Executes dropped EXE
    PID:496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe

Filesize
2.0MB

MD5
937a42cdb075d7016f8865bbc762c282

SHA1
d2cdf35033232bf9e299c8acda00db01b00c8dc0

SHA256
14100be4dd3d1a91a5de44e19b486467161cece7bcdeed58b8fbdc3ed1eb6605

SHA512
72aaa90900983bc2993cbcb062f265a3f80298f431755c5bf653fb685c369a4cffb523b17985b8dffaaa2ef68e0c6e62c85fbc76a97051fd7f4c3809be433a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ARQPJ.tmp\is-F4VIN.tmp

Filesize
642KB

MD5
856bce6609a05646759555e24a534467

SHA1
800c78d9d82bc1d0d631bdd11a9b766b6b964d2d

SHA256
2e7e5e01fa3d18a2a76e33dd139dbf251f1dd2ab77aba843b7ef09e51cd86c1a

SHA512
5bbfca64610ed8c148a8e182de5e5568af34465698bf6cdd3f5ccc6857bb4b3d90cfc9e6f0f780464a2fe5c776e6ee69291877bb14b5f64b4e9d8791807af47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UUDV3.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/496-146-0x0000000000850000-0x00000000008F2000-memory.dmp

Filesize
648KB

Download
memory/496-152-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-168-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-165-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-162-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-159-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-157-0x0000000000850000-0x00000000008F2000-memory.dmp

Filesize
648KB

Download
memory/496-155-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-125-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-147-0x0000000000850000-0x00000000008F2000-memory.dmp

Filesize
648KB

Download
memory/496-129-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-132-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-133-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-136-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-139-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-142-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/496-145-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1444-1-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1444-16-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1572-122-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1572-119-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1572-118-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1572-116-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1944-127-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1944-115-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1944-7-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing