socks5systemz | 3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399

General

Target

3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.exe
Size

3.4MB
MD5

cecde978f0dcdc5b3f713282e6f2c2f8
SHA1

4d9cf78b1ad338bfd367cf4cb22555c44599d411
SHA256

3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399
SHA512

c3057c6a1f0c8d188f2e89ab1c14caff85acb91eb6a7e7231615141d241414dd6b4d7688889acae368721bf5613613ef7ffc875b95de25fbc8d40d5a4fe8aca2
SSDEEP

49152:a2r5FA7K1OopyYq0JunYOfFy0PzqIZG9p6zM7ikvPURaH3XE4hX86tGoWrrKUTdq:7r52zY40My0bAHvsAH//Wrf/kDd

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

Attributes

rc4_key
i4hiea56#7b&dfw3

Signatures

Detect Socks5Systemz Payload 5 IoCs

resource	yara_rule
behavioral2/memory/4820-86-0x00000000008E0000-0x000000000098D000-memory.dmp	family_socks5systemz
behavioral2/memory/4820-92-0x00000000008E0000-0x000000000098D000-memory.dmp	family_socks5systemz
behavioral2/memory/4820-99-0x00000000008E0000-0x000000000098D000-memory.dmp	family_socks5systemz
behavioral2/memory/4820-131-0x00000000008E0000-0x000000000098D000-memory.dmp	family_socks5systemz
behavioral2/memory/4820-132-0x00000000008E0000-0x000000000098D000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
1944	VolumeUTIL.exe
4820	VolumeUTIL.exe

Loads dropped DLL 3 IoCs

pid	Process
4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-2QUT0.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-FU7MF.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-41SK0.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-QUUIG.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-7LQEE.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\UIText\is-4CFUD.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\UIText\is-TO5CP.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\unins000.dat	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File opened for modification	C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-R7U75.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-V6GAE.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-GQPV0.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-PRQ5J.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File opened for modification	C:\Program Files (x86)\Common Files\VolumeUTIL\unins000.dat	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-PNSA5.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-Q32FG.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-GB56F.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-J63FR.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-B9Q7I.tmp	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp

Runs net.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 4824	3860	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.exe	74
PID 3860 wrote to memory of 4824	3860	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.exe	74
PID 3860 wrote to memory of 4824	3860	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.exe	74
PID 4824 wrote to memory of 708	4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp	75
PID 4824 wrote to memory of 708	4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp	75
PID 4824 wrote to memory of 708	4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp	75
PID 4824 wrote to memory of 1944	4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp	76
PID 4824 wrote to memory of 1944	4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp	76
PID 4824 wrote to memory of 1944	4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp	76
PID 4824 wrote to memory of 2444	4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp	80
PID 4824 wrote to memory of 2444	4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp	80
PID 4824 wrote to memory of 2444	4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp	80
PID 4824 wrote to memory of 4820	4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp	79
PID 4824 wrote to memory of 4820	4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp	79
PID 4824 wrote to memory of 4820	4824	3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp	79
PID 2444 wrote to memory of 2884	2444	net.exe	81
PID 2444 wrote to memory of 2884	2444	net.exe	81
PID 2444 wrote to memory of 2884	2444	net.exe	81

C:\Users\Admin\AppData\Local\Temp\3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.exe
"C:\Users\Admin\AppData\Local\Temp\3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Users\Admin\AppData\Local\Temp\is-GBURO.tmp\3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GBURO.tmp\3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp" /SL5="$5021E,3304892,54272,C:\Users\Admin\AppData\Local\Temp\3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:708
- - C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe
    "C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1944
- - C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe
    "C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4820
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 29
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 29
      4⤵
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe

Filesize
824KB

MD5
3daecadcae5eaa4cca8c3a41b6395d1d

SHA1
7d43722b492b573fe0f2485ad812c0ed101e0ced

SHA256
a97e7b048ebb45be9e6e6d44e72a13777fa9360374ba72a70e88f2ed7f5aac13

SHA512
a4235d9058c33ab05702cbca16714c36a7ae323c0066f5b4e0ddf9ae48dd4b320c88985e18fd01c4963e37034a7d41f173d529bee294da66cb2e9b4f22c94406

Download Submit
C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe

Filesize
504KB

MD5
31216b60deb5799b8088d539ed874370

SHA1
6f7d40e0c26a6f3b7f05acf1bdd25b2d1c8124dc

SHA256
c38b75f60ebf554e82dce4398e0214c7bfcadabd4bf7604a0ef7c3bd607f2792

SHA512
3fcc8ff4cad0fecb203194857d5833ceb6d6da965d628f04f2127ab1a3c856c484f391375412e65adb77082d2e53fb3f7f219989c65f32aeef7536778bc9b55f

Download Submit
C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe

Filesize
618KB

MD5
6f646a6c17db7f97edd968c51fc583f8

SHA1
f29af3dbee48c0f89c0fb2b4d6f7e0d51380a9b1

SHA256
b883808ef1bf2c4811467cb6b2bf3aba57161b6b6eec0cba159367f9f678cdf6

SHA512
b7825025e4648c1169c485e62a5456c9379022963d8ce696371734ece752d4dc1b08f13b2040717aad996fbf66b2615eec4cdf20d6549ed8685d95683c8cf64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GBURO.tmp\3a6de4dba9cf77206041fcac9b530dda05586318599fcca28e621e0bc1855399.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\is-EOF3C.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-EOF3C.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
memory/1944-60-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/1944-63-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/1944-64-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/1944-59-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/3860-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3860-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4820-79-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-118-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-67-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-132-0x00000000008E0000-0x000000000098D000-memory.dmp

Filesize
692KB

Download
memory/4820-71-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-131-0x00000000008E0000-0x000000000098D000-memory.dmp

Filesize
692KB

Download
memory/4820-73-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-76-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-130-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-82-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-85-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-86-0x00000000008E0000-0x000000000098D000-memory.dmp

Filesize
692KB

Download
memory/4820-89-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-92-0x00000000008E0000-0x000000000098D000-memory.dmp

Filesize
692KB

Download
memory/4820-95-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-98-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-99-0x00000000008E0000-0x000000000098D000-memory.dmp

Filesize
692KB

Download
memory/4820-102-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-105-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-108-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-112-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-115-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-68-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-121-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-124-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4820-127-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4824-11-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4824-72-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4824-70-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing