socks5systemz | 08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d

General

Target

08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe
Size

4.5MB
MD5

fd82388cccd686f54503bc41929b39b8
SHA1

24fd01b0318aaf739b204a456e5f64a19c271e6d
SHA256

08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d
SHA512

ca5924175338b1741ff79135dbab883403ffd03012cd7914ac173f778159e99c11c115cdad3b085aa67eb9b9136ff9c76cd5a8775f9abc3c35524468a2242c59
SSDEEP

98304:QHfMnRjsJoLAX5/0LUlwSL/9gv+7AaIk4dm8:ts6MX5fwSSN24dD

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1596-158-0x00000000024B0000-0x0000000002552000-memory.dmp	family_socks5systemz
behavioral1/memory/1596-156-0x00000000024B0000-0x0000000002552000-memory.dmp	family_socks5systemz
behavioral1/memory/1596-167-0x00000000024B0000-0x0000000002552000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp
844	pip-master-std-lib.exe
1596	pip-master-std-lib.exe

Loads dropped DLL 6 IoCs

pid	Process
2076	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe
1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp
1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp
1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp
1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp
1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	81.31.197.38

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1832	2076	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe	20
PID 2076 wrote to memory of 1832	2076	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe	20
PID 2076 wrote to memory of 1832	2076	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe	20
PID 2076 wrote to memory of 1832	2076	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe	20
PID 2076 wrote to memory of 1832	2076	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe	20
PID 2076 wrote to memory of 1832	2076	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe	20
PID 2076 wrote to memory of 1832	2076	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe	20
PID 1832 wrote to memory of 840	1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	19
PID 1832 wrote to memory of 840	1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	19
PID 1832 wrote to memory of 840	1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	19
PID 1832 wrote to memory of 840	1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	19
PID 1832 wrote to memory of 844	1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	17
PID 1832 wrote to memory of 844	1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	17
PID 1832 wrote to memory of 844	1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	17
PID 1832 wrote to memory of 844	1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	17
PID 840 wrote to memory of 2456	840	net.exe	16
PID 840 wrote to memory of 2456	840	net.exe	16
PID 840 wrote to memory of 2456	840	net.exe	16
PID 840 wrote to memory of 2456	840	net.exe	16
PID 1832 wrote to memory of 1596	1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	33
PID 1832 wrote to memory of 1596	1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	33
PID 1832 wrote to memory of 1596	1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	33
PID 1832 wrote to memory of 1596	1832	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	33

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 153
1⤵
PID:2456

C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe
"C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe" -i
1⤵
- Executes dropped EXE
PID:844

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 153
1⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\is-7JB0H.tmp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7JB0H.tmp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp" /SL5="$400F4,4463661,54272,C:\Users\Admin\AppData\Local\Temp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe
  "C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe" -s
  2⤵
  - Executes dropped EXE
  PID:1596

C:\Users\Admin\AppData\Local\Temp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe
"C:\Users\Admin\AppData\Local\Temp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe

Filesize
93KB

MD5
81931cd6ff3ea2eda31eb8e4cbb0adde

SHA1
3071c77bd6d21e386f16a93a6c49569c9dd094d8

SHA256
d640dfb58af3aca776f408f548c54144de7734439bf574654fbca47821653044

SHA512
ef729aff5f2c2b8396c2047445e6d02114150d25ab53fc5a11efb35c0989843d46f39dd3cd95e8ca42a58177c2bcafb6860b9ef8680dea26f2fcb7b2387e24de

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7JB0H.tmp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp

Filesize
382KB

MD5
6e4278aef0f6eb0a54563b193f54e071

SHA1
8c15d3869f6852fef0afcac57a5253a1ef7d395b

SHA256
5f6582d7b9930a57a2e932ed8757a6249f9cd92005a36e6db97d0d883a29f207

SHA512
ed1df98d61ca583c535e54b994d1b33d14ec56c59f7a24128c11d6de63840e04c92d6a00e391f60021243fdf17cc6cc2f26ff36ca058c4bf303b7c5a4484b2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7JB0H.tmp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp

Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe

Filesize
384KB

MD5
8ccf6226c3787c083022a5b5b2943b9c

SHA1
735b3bd442b1e402e0441516f8d60d280eea2512

SHA256
bc0633301946559bcfb38733992be62ac9fb2fdd29fdcb271294690581672cc1

SHA512
1202fc78cfa6d57a708f64a9687ee017a877a289a0c4ea4429c3319af441694fad0b9842660757db0f73b7ddbd4b8e2b4a3a670d4b7df1ad69909f80b87a86da

Download Submit
\Users\Admin\AppData\Local\Temp\is-KPAJR.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-KPAJR.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-KPAJR.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/844-131-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/844-127-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/844-130-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/844-126-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-157-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-163-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-185-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-182-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-179-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-135-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-138-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-176-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-173-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-170-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-167-0x00000000024B0000-0x0000000002552000-memory.dmp

Filesize
648KB

Download
memory/1596-143-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-144-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-147-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-150-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-153-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-166-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1596-158-0x00000000024B0000-0x0000000002552000-memory.dmp

Filesize
648KB

Download
memory/1596-156-0x00000000024B0000-0x0000000002552000-memory.dmp

Filesize
648KB

Download
memory/1596-133-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1832-140-0x0000000003230000-0x0000000003368000-memory.dmp

Filesize
1.2MB

Download
memory/1832-139-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1832-137-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1832-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1832-125-0x0000000003230000-0x0000000003368000-memory.dmp

Filesize
1.2MB

Download
memory/2076-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2076-136-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2076-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing