socks5systemz | 53cec1cb9e1e36cb8842d8e2a0a8eaf95f371adf94de813e9814ffe7453e9b4c

General

Target

836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe
Size

3.9MB
MD5

eb7073f79738bc3871d8fdcdda2f6d07
SHA1

660b50ca01cb57643dabc899305bb56272874070
SHA256

836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e
SHA512

5b271b1d56ff77f62dccde03c94c7767b4133cc1467f6f85ffec08cdcec8efcb91c8657d2c308db9af576a54abaeb5738b837edce123d05c655968573c9da4ac
SSDEEP

98304:Ci5y4bUjbSiDmlFQh0GSRxSe5hbFSXQrUCngi+5PpkE:n5boj5D+yh0GSrSUbIALngrF

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/1280-141-0x00000000008F0000-0x0000000000992000-memory.dmp	family_socks5systemz
behavioral2/memory/1280-146-0x00000000008F0000-0x0000000000992000-memory.dmp	family_socks5systemz
behavioral2/memory/1280-153-0x00000000008F0000-0x0000000000992000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
4496	is-1K01V.tmp
3996	pcidevicechecker.exe
1280	pcidevicechecker.exe

Loads dropped DLL 1 IoCs

pid	Process
4496	is-1K01V.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 4496	1360	836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe	90
PID 1360 wrote to memory of 4496	1360	836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe	90
PID 1360 wrote to memory of 4496	1360	836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe	90
PID 4496 wrote to memory of 3028	4496	is-1K01V.tmp	92
PID 4496 wrote to memory of 3028	4496	is-1K01V.tmp	92
PID 4496 wrote to memory of 3028	4496	is-1K01V.tmp	92
PID 4496 wrote to memory of 3996	4496	is-1K01V.tmp	94
PID 4496 wrote to memory of 3996	4496	is-1K01V.tmp	94
PID 4496 wrote to memory of 3996	4496	is-1K01V.tmp	94
PID 3028 wrote to memory of 3684	3028	net.exe	95
PID 3028 wrote to memory of 3684	3028	net.exe	95
PID 3028 wrote to memory of 3684	3028	net.exe	95
PID 4496 wrote to memory of 1280	4496	is-1K01V.tmp	96
PID 4496 wrote to memory of 1280	4496	is-1K01V.tmp	96
PID 4496 wrote to memory of 1280	4496	is-1K01V.tmp	96

C:\Users\Admin\AppData\Local\Temp\836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe
"C:\Users\Admin\AppData\Local\Temp\836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\is-26QPB.tmp\is-1K01V.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-26QPB.tmp\is-1K01V.tmp" /SL4 $11006E "C:\Users\Admin\AppData\Local\Temp\836702e8e9b5cc72d071836f7aece14f2f55103db492110feb3d1df399cb5a7e.exe" 3871317 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 1113
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 1113
      4⤵
      PID:3684
- - C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe
    "C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3996
- - C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe
    "C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe

Filesize
701KB

MD5
f6381681b5922eb5b5e883a6d42b0319

SHA1
a7052d36312d2c61d3de4244e57364eb6b11e502

SHA256
d509c21be825113e3634122b55652968fe0189a26d5527517e560026c7b5fbfc

SHA512
e996358926229a9c228c8c0c24ee26ca57bceec4a1171ec0704ec5325083ce6e446d273adeb8bbc180e9a2707e46e0573cdca488975aa598609375024f4167ce

Download Submit
C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe

Filesize
220KB

MD5
6e85c9be2da3f4e9e5a5f3429b513ce1

SHA1
eea8a446c23311911335e92822de26135a0e1134

SHA256
3ae143f7e0a1d42954a923338a53f359946b78c0888c5bcfdb6d08f908caa354

SHA512
21368bf244601783d9ce339c622136f6f83d9746d92941892637d8ca6f990b694c12f6922efe1d94ea38191feb79ae1aa9c86ac8952efe0202cfa8f501aa443c

Download Submit
C:\Users\Admin\AppData\Local\PCI Device Checker\pcidevicechecker.exe

Filesize
171KB

MD5
fc9a36e60475f621203ed46bbd5b59a5

SHA1
9ed6b61f3f438cfdb6fe1b6f8eeb968cdcd6c31b

SHA256
eab2e726b25a8556de83f9d3d7405226a896705eff77a412adfd5f422af6f58d

SHA512
38811fdb9652037918880d88431dc153054a7dd8cdd9442b6f334fac26dd8456af40289bb1c72ecb02c1b640c7ec49b2644b61fc034be1407e893e5b0db80c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-26QPB.tmp\is-1K01V.tmp

Filesize
642KB

MD5
856bce6609a05646759555e24a534467

SHA1
800c78d9d82bc1d0d631bdd11a9b766b6b964d2d

SHA256
2e7e5e01fa3d18a2a76e33dd139dbf251f1dd2ab77aba843b7ef09e51cd86c1a

SHA512
5bbfca64610ed8c148a8e182de5e5568af34465698bf6cdd3f5ccc6857bb4b3d90cfc9e6f0f780464a2fe5c776e6ee69291877bb14b5f64b4e9d8791807af47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPJ4P.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1280-122-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-156-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-169-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-152-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-162-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-172-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-121-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-153-0x00000000008F0000-0x0000000000992000-memory.dmp

Filesize
648KB

Download
memory/1280-149-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-159-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-125-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-166-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-129-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-130-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-133-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-136-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-139-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-141-0x00000000008F0000-0x0000000000992000-memory.dmp

Filesize
648KB

Download
memory/1280-145-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/1280-146-0x00000000008F0000-0x0000000000992000-memory.dmp

Filesize
648KB

Download
memory/1360-123-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1360-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3996-118-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3996-117-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3996-114-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3996-113-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/4496-126-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/4496-124-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4496-6-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing