socks5systemz | 35b4d405ec078d4a5e3ea6d9e9ec2657962c8122e59ffc3dd5f52534f31fd52d

General

Target

tuc2.exe
Size

4.7MB
MD5

fb4906179ab0a40e7a54f2f973c5a885
SHA1

d6ce6dba1dfefd352c74d859750ad81b0f615d7f
SHA256

35b4d405ec078d4a5e3ea6d9e9ec2657962c8122e59ffc3dd5f52534f31fd52d
SHA512

8bdd1baa6d46e8aedcd12b8b1f923b15c8f436899ce20d2853d0448000ee89ba2ae58d786ee7b7405ac796d85faccf684d7346075b3cd251355f786e5db9eb62
SSDEEP

98304:QJDPl3J/vseAHsUlPmjUs0E++Wxrn4P1DJ8fCXibV:4RJ/clPnUMre1DJ8bV

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2960-156-0x00000000021D0000-0x0000000002272000-memory.dmp	family_socks5systemz
behavioral1/memory/2960-168-0x00000000021D0000-0x0000000002272000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2284	tuc2.tmp
2172	videosetplugin.exe
2960	videosetplugin.exe

Loads dropped DLL 6 IoCs

pid	Process
3036	tuc2.exe
2284	tuc2.tmp
2284	tuc2.tmp
2284	tuc2.tmp
2284	tuc2.tmp
2284	tuc2.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2284	tuc2.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2284	3036	tuc2.exe	28
PID 3036 wrote to memory of 2284	3036	tuc2.exe	28
PID 3036 wrote to memory of 2284	3036	tuc2.exe	28
PID 3036 wrote to memory of 2284	3036	tuc2.exe	28
PID 3036 wrote to memory of 2284	3036	tuc2.exe	28
PID 3036 wrote to memory of 2284	3036	tuc2.exe	28
PID 3036 wrote to memory of 2284	3036	tuc2.exe	28
PID 2284 wrote to memory of 1472	2284	tuc2.tmp	29
PID 2284 wrote to memory of 1472	2284	tuc2.tmp	29
PID 2284 wrote to memory of 1472	2284	tuc2.tmp	29
PID 2284 wrote to memory of 1472	2284	tuc2.tmp	29
PID 2284 wrote to memory of 2172	2284	tuc2.tmp	31
PID 2284 wrote to memory of 2172	2284	tuc2.tmp	31
PID 2284 wrote to memory of 2172	2284	tuc2.tmp	31
PID 2284 wrote to memory of 2172	2284	tuc2.tmp	31
PID 1472 wrote to memory of 660	1472	net.exe	32
PID 1472 wrote to memory of 660	1472	net.exe	32
PID 1472 wrote to memory of 660	1472	net.exe	32
PID 1472 wrote to memory of 660	1472	net.exe	32
PID 2284 wrote to memory of 2960	2284	tuc2.tmp	33
PID 2284 wrote to memory of 2960	2284	tuc2.tmp	33
PID 2284 wrote to memory of 2960	2284	tuc2.tmp	33
PID 2284 wrote to memory of 2960	2284	tuc2.tmp	33

C:\Users\Admin\AppData\Local\Temp\tuc2.exe
"C:\Users\Admin\AppData\Local\Temp\tuc2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\is-KA360.tmp\tuc2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KA360.tmp\tuc2.tmp" /SL5="$8001C,4678778,54272,C:\Users\Admin\AppData\Local\Temp\tuc2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 1123
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 1123
      4⤵
      PID:660
- - C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe
    "C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2172
- - C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe
    "C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe

Filesize
1.8MB

MD5
c4e2b66722df32b5d9c1e10c8a08d29f

SHA1
cb40005b5d4a8cd2fbff88c2e169cc64fcdb9555

SHA256
08e868999944f545fb7f30a1d625a172bdcaba6b4ad13263a1661636d5d22608

SHA512
0233b97a49614fe116ffdf0c5acab7e25d54c52f383ce8f341703d20cfa538206d0f9e5ad313a8b6c912950d4f4eff0dc6de7ece06a1988daf7599e5b5e7682d

Download Submit
C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe

Filesize
1.8MB

MD5
52873e47948fe5c06b8244b0672bebd3

SHA1
89a7cbb02d9b942b699292fc17c0d2275910f729

SHA256
6708f341ea4ef9e3c34656acceb5d593a733b0a618af9409e798ba3bfd347d19

SHA512
d0a56c9b5387f5b244f64e6affe6c6a2c1b0efd7538afc3b9e97d3646f86764bb82a3455175d2826ff505d6be0f94c696515a4aa0b2c8307b76b84c5d702f5d2

Download Submit
\Users\Admin\AppData\Local\Temp\is-2DSHJ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-2DSHJ.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-2DSHJ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KA360.tmp\tuc2.tmp

Filesize
688KB

MD5
eaf0354c6ea59246416f73ec28fb11af

SHA1
ee6cf822ff6d82f4ae958d90eeba282d5ef48da1

SHA256
958c0e917da7df3215b28005fae0acacdba44ce4afa8bcdced6aafc1357d7fee

SHA512
68bdf0502f0432be7f45fe41b16d0d0fd9f8bf69613651c5bf0e26307f8b404eb32e19155538c44925950ada495e4fc524ee07a6aaa34f2284d6718b49501150

Download Submit
\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe

Filesize
1.3MB

MD5
816ebe5ba580f965ba27024a268797a2

SHA1
49f8f2128fe08314df848619e77200962b57d7a4

SHA256
7dc291054ad60997f7e3c5a437096ab04d5d7a095fa5f43249bbeb265073bb7b

SHA512
45c180be170a885c9298817f61ad633d31b8e097cb75e9a6c855d7ac0d77d54ee453bd8a01ff188f91fc5077f8f8547f245d63fe022f317f448d6df6b4da39d4

Download Submit
memory/2172-124-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2172-125-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2172-126-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2172-129-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2284-135-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2284-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2284-123-0x0000000002F30000-0x00000000030FD000-memory.dmp

Filesize
1.8MB

Download
memory/2284-140-0x0000000002F30000-0x00000000030FD000-memory.dmp

Filesize
1.8MB

Download
memory/2284-137-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2960-136-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-155-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-185-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-133-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-131-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-141-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-142-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-145-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-146-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-149-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-152-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-182-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-156-0x00000000021D0000-0x0000000002272000-memory.dmp

Filesize
648KB

Download
memory/2960-162-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-165-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-168-0x00000000021D0000-0x0000000002272000-memory.dmp

Filesize
648KB

Download
memory/2960-169-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-172-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-175-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2960-178-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/3036-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3036-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing