socks5systemz | e0201dcc999702ba770c7da01449c4643f44ff7e02d8613c8e901fcba13b5404

General

Target

56f2e82c10506d2ad399bbcd547fb4869909d7c9a64a3add918bf7534640d323.exe
Size

3.9MB
MD5

e850f5020fb5501d14bee48d7087e589
SHA1

f13d6f8987eb81173ada9be01be2a164f6b00ab8
SHA256

56f2e82c10506d2ad399bbcd547fb4869909d7c9a64a3add918bf7534640d323
SHA512

a8754ece133b7e30d9d38fe6974c02cd096c9887301fe6451bd5d0c17e8dabe7962372cb8c369579107677b77a086999dbafbfdf9cb10460cadb10035674b5d3
SSDEEP

98304:eiligBB2JqtMtultlsSUWNBD1uIyth/pXo5UOCBPA2MO3T7D5fPxIkS:rMATUulzLUWHhzq+wsWBP+r

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 5 IoCs

resource	yara_rule
behavioral2/memory/3296-142-0x0000000000920000-0x00000000009C2000-memory.dmp	family_socks5systemz
behavioral2/memory/3296-147-0x0000000000920000-0x00000000009C2000-memory.dmp	family_socks5systemz
behavioral2/memory/3296-154-0x0000000000920000-0x00000000009C2000-memory.dmp	family_socks5systemz
behavioral2/memory/3296-166-0x0000000000920000-0x00000000009C2000-memory.dmp	family_socks5systemz
behavioral2/memory/3296-167-0x0000000000920000-0x00000000009C2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
3552	is-RQ25J.tmp
3800	pcidevicechecker.exe
3296	pcidevicechecker.exe

Loads dropped DLL 1 IoCs

pid	Process
3552	is-RQ25J.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 3552	3592	56f2e82c10506d2ad399bbcd547fb4869909d7c9a64a3add918bf7534640d323.exe	89
PID 3592 wrote to memory of 3552	3592	56f2e82c10506d2ad399bbcd547fb4869909d7c9a64a3add918bf7534640d323.exe	89
PID 3592 wrote to memory of 3552	3592	56f2e82c10506d2ad399bbcd547fb4869909d7c9a64a3add918bf7534640d323.exe	89
PID 3552 wrote to memory of 1204	3552	is-RQ25J.tmp	97
PID 3552 wrote to memory of 1204	3552	is-RQ25J.tmp	97
PID 3552 wrote to memory of 1204	3552	is-RQ25J.tmp	97
PID 3552 wrote to memory of 3800	3552	is-RQ25J.tmp	93
PID 3552 wrote to memory of 3800	3552	is-RQ25J.tmp	93
PID 3552 wrote to memory of 3800	3552	is-RQ25J.tmp	93
PID 1204 wrote to memory of 1752	1204	net.exe	95
PID 1204 wrote to memory of 1752	1204	net.exe	95
PID 1204 wrote to memory of 1752	1204	net.exe	95
PID 3552 wrote to memory of 3296	3552	is-RQ25J.tmp	94
PID 3552 wrote to memory of 3296	3552	is-RQ25J.tmp	94
PID 3552 wrote to memory of 3296	3552	is-RQ25J.tmp	94

C:\Users\Admin\AppData\Local\Temp\56f2e82c10506d2ad399bbcd547fb4869909d7c9a64a3add918bf7534640d323.exe
"C:\Users\Admin\AppData\Local\Temp\56f2e82c10506d2ad399bbcd547fb4869909d7c9a64a3add918bf7534640d323.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\is-5RV7N.tmp\is-RQ25J.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5RV7N.tmp\is-RQ25J.tmp" /SL4 $B0050 "C:\Users\Admin\AppData\Local\Temp\56f2e82c10506d2ad399bbcd547fb4869909d7c9a64a3add918bf7534640d323.exe" 3864290 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe
    "C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3800
- - C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe
    "C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3296
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 1113
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1113
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe

Filesize
832KB

MD5
5c67c1391395093199b1a0e86ece9814

SHA1
b481c4bc48fbcda406f3d950822a3be2e7df70b3

SHA256
c469f2c61acb6a0f67825b16916017e15a2b2ce637d9b63acfeb03e910430ae5

SHA512
47cc66a3ee0d2bc682a787a46ced341fb5dd996b2a4c0f720dcc03b439c3b6fe975f56f09ecc99495a83afa4d81b8f7933fdfbde5cb1718fe7a391732acc4659

Download Submit
C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe

Filesize
257KB

MD5
2f0f099401ec09c93def71c3d94673d5

SHA1
37fb66b408204f33f527f89d16bdb877dbad6166

SHA256
ee732678a733f33ecd955be12ad3fd121289a64e745f8aa3d445bb2ac5fa14a9

SHA512
b2586a044328b2e39392f617bdc69c0a3a946bbebd53c0cf7cf32f6d1690ef13889585108cd656971adf4a9dc2cae460e385a0034dc1c4b179c07d519f0a1474

Download Submit
C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe

Filesize
320KB

MD5
b1da678af31bba4db4020459a09b332a

SHA1
a152926d415ed8e6d3b81dc815db54623cd7a931

SHA256
f37d1fbe00fa3bec83a4b752815aeb5d59aee2023da2d7723bff2473989829cf

SHA512
d071a772ec8f3b4a1b438b5c139570d287fafaa55d916615ebe43506575c73a946f85e95f8a5b6e878bce22d0d51e27564aae11c7b7710d008f7e2cd303e7065

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2GNEU.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5RV7N.tmp\is-RQ25J.tmp

Filesize
155KB

MD5
f1ed836319d0086c45f743180df05079

SHA1
726e1f52f92093d41173aaefb9297b50eb0fe6d6

SHA256
7db770d697915489407efced1de5affe22324e34870d919457180390c8d54212

SHA512
444bf94b0e6d858db7a872d075597d322b000142deef6405df622210dbf84316dff74fc6ff1e7fadbab9d2188fc584e722ce4da532c769ec702f71f87678a0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5RV7N.tmp\is-RQ25J.tmp

Filesize
92KB

MD5
0186461547d0bba32e1fe0b8b33f0895

SHA1
8fafd9dfff35b3b31a64b79729ed92d0a01044f3

SHA256
c470f414af61f873405e96fa11e602cf31c3f45dfc7858fd0b1fb83cb2ca5348

SHA512
7c11f6651ad15747577e13763690d6c06d9104e83929bc2a4ae454e8fbbd9226ff5ac296946929c16aeec27d12b779f7f35eac7930f45c5e6c1b1216b70b6787

Download Submit
memory/3296-131-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-154-0x0000000000920000-0x00000000009C2000-memory.dmp

Filesize
648KB

Download
memory/3296-175-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-172-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-123-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-121-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-168-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-167-0x0000000000920000-0x00000000009C2000-memory.dmp

Filesize
648KB

Download
memory/3296-166-0x0000000000920000-0x00000000009C2000-memory.dmp

Filesize
648KB

Download
memory/3296-163-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-126-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-160-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-157-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-130-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-134-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-137-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-140-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-142-0x0000000000920000-0x00000000009C2000-memory.dmp

Filesize
648KB

Download
memory/3296-146-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-147-0x0000000000920000-0x00000000009C2000-memory.dmp

Filesize
648KB

Download
memory/3296-150-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3296-153-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3552-127-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3552-125-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3552-7-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3592-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3592-124-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3592-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3800-115-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3800-114-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3800-119-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing