socks5systemz | 6269c0afcf708d6b8bb3d7fa200009f6a177d60b6c5f9b174278dab56f716af1

General

Target

1decbe120e5beaff817bc6dd186e2013.exe
Size

4.6MB
MD5

1decbe120e5beaff817bc6dd186e2013
SHA1

4cbcb2ad2f50862b0910a036dd2fd12aa4a23f50
SHA256

6269c0afcf708d6b8bb3d7fa200009f6a177d60b6c5f9b174278dab56f716af1
SHA512

53f3ed6987f25a7e3aab470adb10df0a9408a4e5541c53a979761414a3fc2ec35cd3432927d30b60b9616c5e0472a5078222a163a96b5a620d247f4a8f5a830f
SSDEEP

98304:Ni/pvA3Q7kcOH1+TnUcumzJip7MDUzVm+3VvNppfc0ufQF3EMUc3Qq518SKH68S8:U/pv0ek5+7UVHoDUN3V5fc0wm0ZcgqwH

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4144-151-0x00000000008D0000-0x0000000000972000-memory.dmp	family_socks5systemz
behavioral2/memory/4144-152-0x00000000008D0000-0x0000000000972000-memory.dmp	family_socks5systemz
behavioral2/memory/4144-161-0x00000000008D0000-0x0000000000972000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2156	is-QBRP1.tmp
4184	imaptestplugin.exe
4144	imaptestplugin.exe

Loads dropped DLL 1 IoCs

pid	Process
2156	is-QBRP1.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 2156	4984	1decbe120e5beaff817bc6dd186e2013.exe	92
PID 4984 wrote to memory of 2156	4984	1decbe120e5beaff817bc6dd186e2013.exe	92
PID 4984 wrote to memory of 2156	4984	1decbe120e5beaff817bc6dd186e2013.exe	92
PID 2156 wrote to memory of 456	2156	is-QBRP1.tmp	94
PID 2156 wrote to memory of 456	2156	is-QBRP1.tmp	94
PID 2156 wrote to memory of 456	2156	is-QBRP1.tmp	94
PID 2156 wrote to memory of 4184	2156	is-QBRP1.tmp	96
PID 2156 wrote to memory of 4184	2156	is-QBRP1.tmp	96
PID 2156 wrote to memory of 4184	2156	is-QBRP1.tmp	96
PID 456 wrote to memory of 4372	456	net.exe	97
PID 456 wrote to memory of 4372	456	net.exe	97
PID 456 wrote to memory of 4372	456	net.exe	97
PID 2156 wrote to memory of 4144	2156	is-QBRP1.tmp	98
PID 2156 wrote to memory of 4144	2156	is-QBRP1.tmp	98
PID 2156 wrote to memory of 4144	2156	is-QBRP1.tmp	98

C:\Users\Admin\AppData\Local\Temp\1decbe120e5beaff817bc6dd186e2013.exe
"C:\Users\Admin\AppData\Local\Temp\1decbe120e5beaff817bc6dd186e2013.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\is-NHF4S.tmp\is-QBRP1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NHF4S.tmp\is-QBRP1.tmp" /SL4 $601FA "C:\Users\Admin\AppData\Local\Temp\1decbe120e5beaff817bc6dd186e2013.exe" 4639228 431616
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 1111
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 1111
      4⤵
      PID:4372
- - C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe
    "C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4184
- - C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe
    "C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IMAP test plugin\imaptestplugin.exe

Filesize
2.0MB

MD5
4e7770ab4d7d3d54e561c2a858d8e143

SHA1
934b42fcd49c3941b343b40684de6e2e472465ce

SHA256
d0b40fa656228e88dfc924f2e285629770676a51b908c1011811a302fd18e2c0

SHA512
39add98c0bc46632a2fb625583b2a5d931b80b14b8b244f085c3b9f2a1729b3f1eb6de9963462fa7405609de5f0999be6f62b55eb9bfdb0c7575cc72d1e01870

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHF4S.tmp\is-QBRP1.tmp

Filesize
642KB

MD5
856bce6609a05646759555e24a534467

SHA1
800c78d9d82bc1d0d631bdd11a9b766b6b964d2d

SHA256
2e7e5e01fa3d18a2a76e33dd139dbf251f1dd2ab77aba843b7ef09e51cd86c1a

SHA512
5bbfca64610ed8c148a8e182de5e5568af34465698bf6cdd3f5ccc6857bb4b3d90cfc9e6f0f780464a2fe5c776e6ee69291877bb14b5f64b4e9d8791807af47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OBBDG.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2156-127-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2156-18-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2156-8-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2156-128-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4144-146-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-133-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-168-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-166-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-162-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-161-0x00000000008D0000-0x0000000000972000-memory.dmp

Filesize
648KB

Download
memory/4144-125-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-158-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-155-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-130-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-132-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-152-0x00000000008D0000-0x0000000000972000-memory.dmp

Filesize
648KB

Download
memory/4144-136-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-139-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-142-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4144-151-0x00000000008D0000-0x0000000000972000-memory.dmp

Filesize
648KB

Download
memory/4184-122-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4184-119-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4184-118-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4184-117-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4984-4-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4984-2-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4984-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4984-0-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing