socks5systemz | 269fa5b0efcabd3bc4b8718e35c0e95284a280d920c32b2d68cf7418fb11cef0

General

Target

bece745574b72ec240978be151175145.exe
Size

3.9MB
MD5

bece745574b72ec240978be151175145
SHA1

7ebfea86bd041b65462a42e0320df53776ad577a
SHA256

269fa5b0efcabd3bc4b8718e35c0e95284a280d920c32b2d68cf7418fb11cef0
SHA512

11becc700c7fbc31971c584364873890db1bee3ca3a87883f8270d17edbd2e19ec1761065f035b71b36f92d9f71d8a1edf6e3b5b09bf9a42ef86a88705519a4a
SSDEEP

98304:ustcHjbsKb/fiXAa4p/OWz48SqFuUQgr0oKN4nrZd358:hcDgK9DFurJ1NUZk

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/1440-168-0x0000000000920000-0x00000000009C2000-memory.dmp	family_socks5systemz
behavioral2/memory/1440-169-0x0000000000920000-0x00000000009C2000-memory.dmp	family_socks5systemz
behavioral2/memory/1440-181-0x0000000000920000-0x00000000009C2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1560	bece745574b72ec240978be151175145.tmp
2708	xplaystdlib.exe
1440	xplaystdlib.exe

Loads dropped DLL 1 IoCs

pid	Process
1560	bece745574b72ec240978be151175145.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1560	bece745574b72ec240978be151175145.tmp
1560	bece745574b72ec240978be151175145.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1560	bece745574b72ec240978be151175145.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 1560	3256	bece745574b72ec240978be151175145.exe	89
PID 3256 wrote to memory of 1560	3256	bece745574b72ec240978be151175145.exe	89
PID 3256 wrote to memory of 1560	3256	bece745574b72ec240978be151175145.exe	89
PID 1560 wrote to memory of 3804	1560	bece745574b72ec240978be151175145.tmp	90
PID 1560 wrote to memory of 3804	1560	bece745574b72ec240978be151175145.tmp	90
PID 1560 wrote to memory of 3804	1560	bece745574b72ec240978be151175145.tmp	90
PID 1560 wrote to memory of 2708	1560	bece745574b72ec240978be151175145.tmp	91
PID 1560 wrote to memory of 2708	1560	bece745574b72ec240978be151175145.tmp	91
PID 1560 wrote to memory of 2708	1560	bece745574b72ec240978be151175145.tmp	91
PID 1560 wrote to memory of 1440	1560	bece745574b72ec240978be151175145.tmp	93
PID 1560 wrote to memory of 1440	1560	bece745574b72ec240978be151175145.tmp	93
PID 1560 wrote to memory of 1440	1560	bece745574b72ec240978be151175145.tmp	93

C:\Users\Admin\AppData\Local\Temp\bece745574b72ec240978be151175145.exe
"C:\Users\Admin\AppData\Local\Temp\bece745574b72ec240978be151175145.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Users\Admin\AppData\Local\Temp\is-EE96G.tmp\bece745574b72ec240978be151175145.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EE96G.tmp\bece745574b72ec240978be151175145.tmp" /SL5="$90204,3820306,598528,C:\Users\Admin\AppData\Local\Temp\bece745574b72ec240978be151175145.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "XPSL1223"
    3⤵
    PID:3804
- - C:\Users\Admin\AppData\Local\XPlay Standard Library\xplaystdlib.exe
    "C:\Users\Admin\AppData\Local\XPlay Standard Library\xplaystdlib.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Users\Admin\AppData\Local\XPlay Standard Library\xplaystdlib.exe
    "C:\Users\Admin\AppData\Local\XPlay Standard Library\xplaystdlib.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-EE96G.tmp\bece745574b72ec240978be151175145.tmp

Filesize
692KB

MD5
7c43ceb376d70074196c1dbbac3db6bf

SHA1
8d707cba7b3aeac0e1082aba94d25b9c2d81456f

SHA256
86aa513180eb8e718ec3f1b5156fe5b58fb9120425ee660dc2e3b5ee21f1f1f2

SHA512
f1fdfc8855eacf0394b4688ae8d7a7aab1baabaa9552e2ba4bb879c8607ca0402449d1cda4beade89f6560b23767d35ee5d45f17cb454db19279405e9f65f329

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QLJI5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\XPlay Standard Library\xplaystdlib.exe

Filesize
3.7MB

MD5
ccc880f22e458d58a47550f84f7df76c

SHA1
b026e24e34c0e1fe3734cfbe658bb721c1c5960a

SHA256
ceb4313ab44d3b67e1d99593f420b97993c692c1bf6d7a83752b233caccf8e4c

SHA512
9f98bd4e5f07a5c44d95bc997b320d0759873716ad44d0376a3281f20b8860e346cc2e158ab2c3a3458186f9d423311dab4de481718abf9bd2d23d18cc541eeb

Download Submit
memory/1440-175-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-183-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-159-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-157-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-196-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-192-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-144-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-146-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-188-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-185-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-149-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-179-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-154-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-155-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-199-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-181-0x0000000000920000-0x00000000009C2000-memory.dmp

Filesize
648KB

Download
memory/1440-162-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-164-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-167-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1440-168-0x0000000000920000-0x00000000009C2000-memory.dmp

Filesize
648KB

Download
memory/1440-169-0x0000000000920000-0x00000000009C2000-memory.dmp

Filesize
648KB

Download
memory/1560-148-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1560-152-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1560-6-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2708-138-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/2708-142-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/2708-140-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/2708-139-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/3256-0-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/3256-147-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing