socks5systemz | 53cec1cb9e1e36cb8842d8e2a0a8eaf95f371adf94de813e9814ffe7453e9b4c

Analysis

max time kernel
143s
max time network
132s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe
Size

3.9MB
MD5

eb7073f79738bc3871d8fdcdda2f6d07
SHA1

660b50ca01cb57643dabc899305bb56272874070
SHA256

836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e
SHA512

5b271b1d56ff77f62dccde03c94c7767b4133cc1467f6f85ffec08cdcec8efcb91c8657d2c308db9af576a54abaeb5738b837edce123d05c655968573c9da4ac
SSDEEP

98304:Ci5y4bUjbSiDmlFQh0GSRxSe5hbFSXQrUCngi+5PpkE:n5boj5D+yh0GSrSUbIALngrF

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1492-159-0x0000000002A70000-0x0000000002B12000-memory.dmp	family_socks5systemz
behavioral1/memory/1492-157-0x0000000002A70000-0x0000000002B12000-memory.dmp	family_socks5systemz
behavioral1/memory/1492-168-0x0000000002A70000-0x0000000002B12000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
3008	is-8BO6G.tmp
1756	pcidevicechecker.exe
1492	pcidevicechecker.exe

Loads dropped DLL 10 IoCs

pid	Process
1868	836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe
3008	is-8BO6G.tmp
3008	is-8BO6G.tmp
3008	is-8BO6G.tmp
3008	is-8BO6G.tmp
1756	pcidevicechecker.exe
1756	pcidevicechecker.exe
3008	is-8BO6G.tmp
1492	pcidevicechecker.exe
1492	pcidevicechecker.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 3008	1868	836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe	28
PID 1868 wrote to memory of 3008	1868	836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe	28
PID 1868 wrote to memory of 3008	1868	836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe	28
PID 1868 wrote to memory of 3008	1868	836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe	28
PID 1868 wrote to memory of 3008	1868	836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe	28
PID 1868 wrote to memory of 3008	1868	836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe	28
PID 1868 wrote to memory of 3008	1868	836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe	28
PID 3008 wrote to memory of 1984	3008	is-8BO6G.tmp	29
PID 3008 wrote to memory of 1984	3008	is-8BO6G.tmp	29
PID 3008 wrote to memory of 1984	3008	is-8BO6G.tmp	29
PID 3008 wrote to memory of 1984	3008	is-8BO6G.tmp	29
PID 3008 wrote to memory of 1984	3008	is-8BO6G.tmp	29
PID 3008 wrote to memory of 1984	3008	is-8BO6G.tmp	29
PID 3008 wrote to memory of 1984	3008	is-8BO6G.tmp	29
PID 3008 wrote to memory of 1756	3008	is-8BO6G.tmp	31
PID 3008 wrote to memory of 1756	3008	is-8BO6G.tmp	31
PID 3008 wrote to memory of 1756	3008	is-8BO6G.tmp	31
PID 3008 wrote to memory of 1756	3008	is-8BO6G.tmp	31
PID 3008 wrote to memory of 1756	3008	is-8BO6G.tmp	31
PID 3008 wrote to memory of 1756	3008	is-8BO6G.tmp	31
PID 3008 wrote to memory of 1756	3008	is-8BO6G.tmp	31
PID 1984 wrote to memory of 300	1984	net.exe	32
PID 1984 wrote to memory of 300	1984	net.exe	32
PID 1984 wrote to memory of 300	1984	net.exe	32
PID 1984 wrote to memory of 300	1984	net.exe	32
PID 1984 wrote to memory of 300	1984	net.exe	32
PID 1984 wrote to memory of 300	1984	net.exe	32
PID 1984 wrote to memory of 300	1984	net.exe	32
PID 3008 wrote to memory of 1492	3008	is-8BO6G.tmp	33
PID 3008 wrote to memory of 1492	3008	is-8BO6G.tmp	33
PID 3008 wrote to memory of 1492	3008	is-8BO6G.tmp	33
PID 3008 wrote to memory of 1492	3008	is-8BO6G.tmp	33
PID 3008 wrote to memory of 1492	3008	is-8BO6G.tmp	33
PID 3008 wrote to memory of 1492	3008	is-8BO6G.tmp	33
PID 3008 wrote to memory of 1492	3008	is-8BO6G.tmp	33

C:\Users\Admin\AppData\Local\Temp\836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe
"C:\Users\Admin\AppData\Local\Temp\836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\is-RQ1VI.tmp\is-8BO6G.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RQ1VI.tmp\is-8BO6G.tmp" /SL4 $40016 "C:\Users\Admin\AppData\Local\Temp\836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe" 3871317 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 1113
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 1113
      4⤵
      PID:300
- - C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe
    "C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe" -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1756
- - C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe
    "C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe" -s
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe

Filesize
1.4MB

MD5
dc7e6ed1524f0d260c528ee3a50cadb6

SHA1
324483612b56afd8a53932c82c978e4afe24cb69

SHA256
3341d7723338e483faec539aa0b31a848b2c304224fd4a3b50f2228f7443ce68

SHA512
bf58c3ecc197ae2f316b356b5c39b382a7c5dc9aceb8e380fd25e4a6ebc4b6d89472b5126b706a822b9b3121aff57ec4b319b56da799a1c0da00e3ccfd917bf2

Download Submit
C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe

Filesize
320KB

MD5
5f4dedcac7fa31721b221e1fe63f26d8

SHA1
571a64c529ba6db0f0614aaa7b40714d1ebd9355

SHA256
30221cd29638738bb4d8a13d423bfb5e367b3c708684bbbdf27a8f70f8b9ce91

SHA512
6a8364ccfd9b4d155c401356fcfb35d771036539344c484c2e383ebcf947739743de04f329e42059df6f50987e63ace5e21173665c5c6367573eedc4300f9ea2

Download Submit
\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe

Filesize
1.3MB

MD5
5befc62262b279b3dcae99e8db56885e

SHA1
211a5b6e4bf8f577ce06f55f5af420ec824f4f88

SHA256
45340acae9ac9396287630a89ab23e2032611f6796c89cf1d87fa04f2aed0012

SHA512
16a08f5672b7ff21fb45e974da35fae94a996f9b7f3f5822e9306abdada92e2f27f75c25f23f55f24d20f3ceecc014dcdd6342f7a15e077d37c8f396cc453efe

Download Submit
\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe

Filesize
193KB

MD5
4406ea950d0b54f70628b5d2d675d8fc

SHA1
04c3c6b793e225014c9ddbd5c7262f98ffd7b251

SHA256
6014b6288c7a3089bbac94771dd51d407c94ca9df0b8c3be363f9ec0059371b1

SHA512
89e1b30d7fdb78f4fdb396d26347d52a49fe393c02bb1d7ed54b0bddfb59cc5e09e4c4a9294f626c21fe4447eb54c59fa4d6c4547508be84fb0a7fac8121a962

Download Submit
\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe

Filesize
256KB

MD5
b6c8465d4e33f3e8cb435c843a6b2667

SHA1
2d5ced5cb0608f99138ec016a2d168d65b6c7e6e

SHA256
d29a7c8d6e61a31318f0b46196a96c8b5988d7d2b85ac3dc19409c998a65a673

SHA512
00a8f09f3e15219612744e492f4c9ffbab99cbca9dd8dab45625ea92086c0517edc3fa56aef3397b1216b1aa048e9df74d3f9c1eb722bb10745e01b1492ff457

Download Submit
\Users\Admin\AppData\Local\Temp\is-98I2U.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-98I2U.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RQ1VI.tmp\is-8BO6G.tmp

Filesize
642KB

MD5
856bce6609a05646759555e24a534467

SHA1
800c78d9d82bc1d0d631bdd11a9b766b6b964d2d

SHA256
2e7e5e01fa3d18a2a76e33dd139dbf251f1dd2ab77aba843b7ef09e51cd86c1a

SHA512
5bbfca64610ed8c148a8e182de5e5568af34465698bf6cdd3f5ccc6857bb4b3d90cfc9e6f0f780464a2fe5c776e6ee69291877bb14b5f64b4e9d8791807af47a

Download Submit
memory/1492-171-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-187-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-184-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-180-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-177-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-174-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-157-0x0000000002A70000-0x0000000002B12000-memory.dmp

Filesize
648KB

Download
memory/1492-133-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-134-0x0000000000C60000-0x0000000000E56000-memory.dmp

Filesize
2.0MB

Download
memory/1492-168-0x0000000002A70000-0x0000000002B12000-memory.dmp

Filesize
648KB

Download
memory/1492-136-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-167-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-164-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-139-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-142-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-143-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-144-0x0000000000C60000-0x0000000000E56000-memory.dmp

Filesize
2.0MB

Download
memory/1492-145-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-148-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-151-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-154-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-158-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1492-159-0x0000000002A70000-0x0000000002B12000-memory.dmp

Filesize
648KB

Download
memory/1756-124-0x0000000000AD0000-0x0000000000CC6000-memory.dmp

Filesize
2.0MB

Download
memory/1756-127-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1756-128-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1756-125-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1756-123-0x0000000000AD0000-0x0000000000CC6000-memory.dmp

Filesize
2.0MB

Download
memory/1756-122-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1868-137-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1868-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3008-138-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3008-118-0x0000000003480000-0x0000000003676000-memory.dmp

Filesize
2.0MB

Download