socks5systemz | 982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41

General

Target

982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.exe
Size

3.4MB
MD5

d7a57f96714c5ce194d396ba6267acbb
SHA1

7bd55b3ee4727c20d726789fd2a5de08a589d80a
SHA256

982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41
SHA512

0dc547b9c20b86875861da3b570b9258aae6194c73b383890dc4611e89540a3c9ac29cd23fbbb646e9ae7b4b94bc79c6dfd0724c23c4273638286d68b8192613
SSDEEP

49152:V2L8YwQEKyVkFlt3XsAwApxjhMbDIArorewT38nq5YYAexgUQht/yr9Bd9opIzKw:QHHyVAldsAjLjhi8hNTUsBI6hB2KSC9d

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

Attributes

rc4_key
i4hiea56#7b&dfw3

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/5060-88-0x00000000009A0000-0x0000000000A4D000-memory.dmp	family_socks5systemz
behavioral2/memory/5060-89-0x00000000009A0000-0x0000000000A4D000-memory.dmp	family_socks5systemz
behavioral2/memory/5060-98-0x00000000009A0000-0x0000000000A4D000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
1152	VolumeUTIL.exe
5060	VolumeUTIL.exe

Loads dropped DLL 3 IoCs

pid	Process
4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.49.94.194
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-J80IB.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\UIText\is-6Q2P3.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-ISA6R.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-TSO0J.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-HA11D.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File opened for modification	C:\Program Files (x86)\Common Files\VolumeUTIL\unins000.dat	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-QV5HN.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-GJCEB.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-9JDVV.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-74DSM.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\UIText\is-CE44N.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-4GG43.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\unins000.dat	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-VRSC9.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-474BB.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File opened for modification	C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-I467M.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-J69T9.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-A6PE1.tmp	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp

Runs net.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4912	2824	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.exe	73
PID 2824 wrote to memory of 4912	2824	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.exe	73
PID 2824 wrote to memory of 4912	2824	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.exe	73
PID 4912 wrote to memory of 4900	4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp	75
PID 4912 wrote to memory of 4900	4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp	75
PID 4912 wrote to memory of 4900	4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp	75
PID 4912 wrote to memory of 1152	4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp	76
PID 4912 wrote to memory of 1152	4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp	76
PID 4912 wrote to memory of 1152	4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp	76
PID 4912 wrote to memory of 1272	4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp	79
PID 4912 wrote to memory of 1272	4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp	79
PID 4912 wrote to memory of 1272	4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp	79
PID 4912 wrote to memory of 5060	4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp	78
PID 4912 wrote to memory of 5060	4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp	78
PID 4912 wrote to memory of 5060	4912	982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp	78
PID 1272 wrote to memory of 4356	1272	net.exe	80
PID 1272 wrote to memory of 4356	1272	net.exe	80
PID 1272 wrote to memory of 4356	1272	net.exe	80

C:\Users\Admin\AppData\Local\Temp\982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.exe
"C:\Users\Admin\AppData\Local\Temp\982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\is-LN4S4.tmp\982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LN4S4.tmp\982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp" /SL5="$8002E,3275457,54272,C:\Users\Admin\AppData\Local\Temp\982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:4900
- - C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe
    "C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1152
- - C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe
    "C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe" -s
    3⤵
    - Executes dropped EXE
    PID:5060
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 29
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 29
      4⤵
      PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe

Filesize
787KB

MD5
ce8a1ab355cf5783dbca79b3e0b3a32e

SHA1
9bbc05ee62c45a9991c9356415610a89713ce49d

SHA256
c419d6551e99fb6857bafba7930e774349c41d48eb88a8de5aaaf90d18b649c2

SHA512
9c578309e184d061492b8c60177e729db9f73ca04170793f2cf12f68cc0db45f327b6682821245c148f66f72d637ae34ef76141904c5740d145ba023487d72d0

Download Submit
C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe

Filesize
479KB

MD5
93d6de97bd0c30665fafb4cb336b70ad

SHA1
3f4ee2742fb20ed013668f3f1a1a35114e05a0e7

SHA256
3698fc4048fc71e7aea6ef0378b625c88c69347ceb158eca520fca52f638afd5

SHA512
e22deec6635de45f5ea8ed55f8018b84632607f365ad8228839f89f00eddb7f34a559e3f29f4ed9b7708c974ed98f5766808c4d45afa9b07a6e0e3649227cb3f

Download Submit
C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe

Filesize
580KB

MD5
f2108076b21aa0219cbd6af9976929fe

SHA1
ed2774476a7fb491b31fa3315404ee745d3a377b

SHA256
d3e44ea5ddc0908b978f766691d393ceaec88ec84fcea7fa34bffaffe083d708

SHA512
29cfcf2d02799d8774fe9486589cfcd6d679d6099ebd5dcf4e9ab8707c3f9d937f20742d72aca02dfaf684f2c05d722e0d8218ec960898f92b499c6c5ed706a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LN4S4.tmp\982dc81b3bea79a2f5701e2746985e5598a849c805600edf2dc09edc1a8b5f41.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\is-J7P3H.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-J7P3H.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
memory/1152-59-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/1152-60-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/1152-64-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/2824-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2824-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4912-71-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4912-6-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4912-69-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5060-78-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-97-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-74-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-75-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-67-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-81-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-84-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-88-0x00000000009A0000-0x0000000000A4D000-memory.dmp

Filesize
692KB

Download
memory/5060-87-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-89-0x00000000009A0000-0x0000000000A4D000-memory.dmp

Filesize
692KB

Download
memory/5060-94-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-70-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-98-0x00000000009A0000-0x0000000000A4D000-memory.dmp

Filesize
692KB

Download
memory/5060-101-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-104-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-107-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-110-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-113-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-117-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-120-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-123-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-126-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-129-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/5060-132-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing