socks5systemz | 499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d

Analysis

max time kernel
294s
max time network
247s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.exe
Size

3.4MB
MD5

592a701bc4892547ef1a96a6336548de
SHA1

b9cf102da3627d412154736f09f8ecfac42a59fd
SHA256

499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d
SHA512

c1a9ab4c6fb2b55ce0f4dd215539203952ceb52370acbe969f846eb58c7fe44305d454cda7008e1f793ffc3af074ed009a4adaef3ef547b1b3b6e25ba9d86bd4
SSDEEP

98304:cjBf676DpowCfpV48epyfqhhYW/8ZEflpvEvCYjxlE:6fA6FowCfrMpyMR8ZEflaqYjxu

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

Attributes

rc4_key
i4hiea56#7b&dfw3

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2496-94-0x0000000002850000-0x00000000028FD000-memory.dmp	family_socks5systemz
behavioral1/memory/2496-95-0x0000000002850000-0x00000000028FD000-memory.dmp	family_socks5systemz
behavioral1/memory/2496-104-0x0000000002850000-0x00000000028FD000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
2716	TVLand.exe
2496	TVLand.exe

Loads dropped DLL 6 IoCs

pid	Process
2904	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.exe
2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	185.237.206.223

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TVLand\is-K7GBQ.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File opened for modification	C:\Program Files (x86)\Common Files\TVLand\unins000.dat	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File opened for modification	C:\Program Files (x86)\Common Files\TVLand\TVLand.exe	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-FFSFK.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-A9MNC.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\UIText\is-2ST02.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-H23P1.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-C8V6I.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-N74SP.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\unins000.dat	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-1EEJH.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-USD8T.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-UPET9.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-T7K8H.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\UIText\is-I6JPN.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-2P589.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-TBE3R.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-9SAT4.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
File created	C:\Program Files (x86)\Common Files\TVLand\is-IPJ2F.tmp	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2356	2904	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.exe	16
PID 2904 wrote to memory of 2356	2904	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.exe	16
PID 2904 wrote to memory of 2356	2904	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.exe	16
PID 2904 wrote to memory of 2356	2904	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.exe	16
PID 2904 wrote to memory of 2356	2904	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.exe	16
PID 2904 wrote to memory of 2356	2904	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.exe	16
PID 2904 wrote to memory of 2356	2904	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.exe	16
PID 2356 wrote to memory of 2836	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	18
PID 2356 wrote to memory of 2836	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	18
PID 2356 wrote to memory of 2836	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	18
PID 2356 wrote to memory of 2836	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	18
PID 2356 wrote to memory of 2716	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	19
PID 2356 wrote to memory of 2716	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	19
PID 2356 wrote to memory of 2716	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	19
PID 2356 wrote to memory of 2716	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	19
PID 2356 wrote to memory of 2472	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	35
PID 2356 wrote to memory of 2472	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	35
PID 2356 wrote to memory of 2472	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	35
PID 2356 wrote to memory of 2472	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	35
PID 2356 wrote to memory of 2496	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	34
PID 2356 wrote to memory of 2496	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	34
PID 2356 wrote to memory of 2496	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	34
PID 2356 wrote to memory of 2496	2356	499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp	34
PID 2472 wrote to memory of 2512	2472	net.exe	33
PID 2472 wrote to memory of 2512	2472	net.exe	33
PID 2472 wrote to memory of 2512	2472	net.exe	33
PID 2472 wrote to memory of 2512	2472	net.exe	33

C:\Users\Admin\AppData\Local\Temp\is-V891D.tmp\499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V891D.tmp\499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp" /SL5="$5014C,3336069,76288,C:\Users\Admin\AppData\Local\Temp\499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Query
  2⤵
  PID:2836
- C:\Program Files (x86)\Common Files\TVLand\TVLand.exe
  "C:\Program Files (x86)\Common Files\TVLand\TVLand.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Program Files (x86)\Common Files\TVLand\TVLand.exe
  "C:\Program Files (x86)\Common Files\TVLand\TVLand.exe" -s
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\system32\net.exe" helpmsg 27
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472

C:\Users\Admin\AppData\Local\Temp\499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.exe
"C:\Users\Admin\AppData\Local\Temp\499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 27
1⤵
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\TVLand\TVLand.exe

Filesize
180KB

MD5
a9d7e7d60e75c8b9f3c61a1ca034b6b1

SHA1
1b4876d4e9861c13881a69a22001ad15c0f7dcce

SHA256
c44a29b5cd05164447f2f6ec7196351e479c824a3bc04f68135eab9cf66481a1

SHA512
8a07260b82a8df7a704d57e4419970eed3ff35414e06c22f62d0aa1b3221a9599db654964c510145e7ea44240e5dba340a65d1dda75748f2a76072ef2d8db240

Download Submit
C:\Program Files (x86)\Common Files\TVLand\TVLand.exe

Filesize
114KB

MD5
c05c293d6d1550e2ad37eddea69917ce

SHA1
114cb20550d56967794d23a734529d8f76d066f9

SHA256
efffdf40a3d83f4fa3f62df46a2bc9f4b82959917be88ba1359ef6e3024cf54c

SHA512
0127b0b3a2e0fefd4f956ee74bd518ce5d79f536aab613df86e3dc0a96c24ff4b7133deae0ce9be4b2e3b3e5cd987c351e5d5a8b672986206672d81e6d12a937

Download Submit
C:\Program Files (x86)\Common Files\TVLand\TVLand.exe

Filesize
130KB

MD5
5908b764785ad0070cdfe3bf095d82a6

SHA1
f987891871f164104d04a792a822530135e56a35

SHA256
c2eaa24b1b941531ecf3defd2611224448efa83245ce544d4e9a718d208d5cf4

SHA512
99a69e9c96ea29f57981905097960ce40ebd696429d6dc870bbe1a1aebe2f2499e2ddbfebc4c2290d311709e38f889d66ce201b56b62f9892000b55a4326296d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V891D.tmp\499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp

Filesize
307KB

MD5
462e2feb4f5844abf85932b44959fd31

SHA1
f59257998f129028f2294913b5ef282dc1e4b076

SHA256
4d87b554bb053d52aba74173e90e96e5831a73d02b4cebb5045333a6a382ced6

SHA512
7c59895453032852a1ea413261e9c814662e35b3a208027912c4c61cff0f01eddec9ace2110f23dc40445932335365d34b676708d704bf8c3955ab0147ed8987

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V891D.tmp\499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp

Filesize
324KB

MD5
0b0988e0256e32f98d933013bd70221d

SHA1
883d24cd3e5e5755fbca9ac285a3ce262622a2b7

SHA256
1687ace424682e327ae03f2f5ee1f1f5e434cf5ea9a741adad05e4caa535b319

SHA512
436d45b6d983ca61ff8bd7c09f4d93ea45c868963f8f34a53fce0538bf31c25bc94124af8b5ba16b8f96b07c02cf7e832e00335911253bcaae5971877caac168

Download Submit
\Program Files (x86)\Common Files\TVLand\TVLand.exe

Filesize
198KB

MD5
6f891e00b6d73606d4197560ce649c63

SHA1
7f81de5388c70e78941d81b38c02e303807c5f4d

SHA256
8f058ea578bb326c0f818324242969625dc132be8c409a165109ac92d9c99f62

SHA512
92d2a09641a004cf1beacf730dd1f46fd0bd96d2a9ffdada1813905ae210c7a573f66808e8bce90f4e865990e6fe99bc95d677e6257461991dfcc1ed274c02e9

Download Submit
\Users\Admin\AppData\Local\Temp\is-0GTPN.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-0GTPN.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
\Users\Admin\AppData\Local\Temp\is-0GTPN.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-V891D.tmp\499ffbd3b9de920c56d02a330be136c49203e6b9f226398a006be470eda8ce0d.tmp

Filesize
249KB

MD5
84c5101e5dc2273bc721e01b005884c6

SHA1
9d56402b848c67ec3a9a8ef349026cc17d2b4066

SHA256
7bcd337e35978c1dccf9e2bcf446f402a7b4acf78c085f69470ec72e99961eea

SHA512
b4a732111a5277160ba763870e0d6b150abf2ed8665df41f92333a9bb7ac338ecc51f26b0d9898a413b0652a1ea56d57ca026a280b69686995932dea5001c228

Download Submit
memory/2356-79-0x0000000004040000-0x0000000004428000-memory.dmp

Filesize
3.9MB

Download
memory/2356-62-0x0000000004040000-0x0000000004428000-memory.dmp

Filesize
3.9MB

Download
memory/2356-76-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2356-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2356-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2496-75-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-110-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-70-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-140-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-72-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-135-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-132-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-129-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-126-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-123-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-80-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-81-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-84-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-87-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-90-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-93-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-94-0x0000000002850000-0x00000000028FD000-memory.dmp

Filesize
692KB

Download
memory/2496-95-0x0000000002850000-0x00000000028FD000-memory.dmp

Filesize
692KB

Download
memory/2496-100-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-103-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-104-0x0000000002850000-0x00000000028FD000-memory.dmp

Filesize
692KB

Download
memory/2496-107-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-120-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-113-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2496-116-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2716-67-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2716-63-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2716-68-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2716-64-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2904-2-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2904-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2904-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download