socks5systemz | 08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d

General

Target

08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe
Size

4.5MB
MD5

fd82388cccd686f54503bc41929b39b8
SHA1

24fd01b0318aaf739b204a456e5f64a19c271e6d
SHA256

08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d
SHA512

ca5924175338b1741ff79135dbab883403ffd03012cd7914ac173f778159e99c11c115cdad3b085aa67eb9b9136ff9c76cd5a8775f9abc3c35524468a2242c59
SSDEEP

98304:QHfMnRjsJoLAX5/0LUlwSL/9gv+7AaIk4dm8:ts6MX5fwSSN24dD

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 5 IoCs

resource	yara_rule
behavioral2/memory/2624-148-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz
behavioral2/memory/2624-154-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz
behavioral2/memory/2624-161-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz
behavioral2/memory/2624-175-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz
behavioral2/memory/2624-174-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp
5008	pip-master-std-lib.exe
2624	pip-master-std-lib.exe

Loads dropped DLL 3 IoCs

pid	Process
1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp
1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp
1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 1196	464	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe	89
PID 464 wrote to memory of 1196	464	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe	89
PID 464 wrote to memory of 1196	464	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe	89
PID 1196 wrote to memory of 3980	1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	97
PID 1196 wrote to memory of 3980	1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	97
PID 1196 wrote to memory of 3980	1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	97
PID 1196 wrote to memory of 5008	1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	96
PID 1196 wrote to memory of 5008	1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	96
PID 1196 wrote to memory of 5008	1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	96
PID 3980 wrote to memory of 1364	3980	net.exe	93
PID 3980 wrote to memory of 1364	3980	net.exe	93
PID 3980 wrote to memory of 1364	3980	net.exe	93
PID 1196 wrote to memory of 2624	1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	94
PID 1196 wrote to memory of 2624	1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	94
PID 1196 wrote to memory of 2624	1196	08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp	94

C:\Users\Admin\AppData\Local\Temp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe
"C:\Users\Admin\AppData\Local\Temp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:464
- C:\Users\Admin\AppData\Local\Temp\is-N9QKM.tmp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-N9QKM.tmp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp" /SL5="$A0044,4463661,54272,C:\Users\Admin\AppData\Local\Temp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe
    "C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2624
- - C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe
    "C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe" -i
    3⤵
    - Executes dropped EXE
    PID:5008
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 153
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 153
1⤵
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe

Filesize
108KB

MD5
bca28f58d8ab921bb166f59f95aa76c6

SHA1
599151f5e3d3371c45e1f6ccf898cedd4f2ec4ab

SHA256
6fbb9a03b37e3e767a9a017a5cc4fd8c051b5ab6b9e1019a40a8a9b5bcc1e5ed

SHA512
47fe4b8beeb8d09f89096f13078ef5ea1fc8583e0c9cd3c1689d180d868e554c7cda1948c1c4b93afef59274979f5a50017d2ce25297b1757a9f1714543c2994

Download Submit
C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe

Filesize
124KB

MD5
7cbff9a89d3f614dfa1b4a3155a0c51d

SHA1
9735cfad3cc9bf9d6e1994b7e6de1fd0b5a9597f

SHA256
0a4a2d4bdd304507dc51e1cb9acedb73f6b2ca891892e48cac3620801e71bde5

SHA512
3cbdce7890733cce72b9a0d244e8da4cceb23c1626f472814bd1146714b85bac37d653daa1323fcfbf2499a8ea9ce1d8f844e2753dfd0834e062fefd80a054d1

Download Submit
C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe

Filesize
57KB

MD5
9386d1c6a3b5e26a1bfb3b077fdac0c8

SHA1
9d3f6dc57e450f2f059f7c28938266a398b607eb

SHA256
d753a0457d15dc536ff864df83886972e0071c40388df6b095fcd6af21c4cb61

SHA512
4505a9845d23b6a43007abd4fcab1bc75f61bf3a7a19cac660d9efb68531f1dcfcf2750566a488db1a82e79bb0bf88b710db43fe6351190550d7b69d62b771a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JUIRS.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JUIRS.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N9QKM.tmp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp

Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N9QKM.tmp\08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d.tmp

Filesize
521KB

MD5
02f6871dfee76f65be5fa2987197a10f

SHA1
5d3196a500bb67eba8d3cf8fa1029a102c39e5ff

SHA256
b74463c0ba71ddcbe49cb4ce08eaaaf4d873f0e1acf19560048a570d878ab967

SHA512
bc5ef19d12128ca5bb65ed6596297d6d82205e36c166aa5c064d922d8224a1012f5c27ef28820799f6c2e6547a1c59b59423d3342935e0b645e4b4026b16a1b0

Download Submit
memory/464-131-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/464-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1196-12-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1196-134-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1196-132-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2624-161-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/2624-153-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-182-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-133-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-179-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-137-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-138-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-141-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-144-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-147-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-148-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/2624-130-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-154-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/2624-157-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-160-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-174-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/2624-164-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-167-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-170-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-173-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-175-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/5008-122-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/5008-123-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/5008-127-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing