socks5systemz | 0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88

General

Target

0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.exe
Size

7.5MB
MD5

ac5161f4d107deb3612c73efe6866dbc
SHA1

0b1cebc8af41f21736671c969d38e71aa77639a8
SHA256

0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88
SHA512

76168c03f71ccf2ece58f88227ebfdfb90bc223c0790ce241a1de8a1fd716deb6737bf064509f6e645a3fd0c4b501bc58ea10381186aa6c0a7a65475164562be
SSDEEP

196608:N6x4LEuDxgt/o20iIZ2HqVcZExA8QFVWdM:Qil9iA3sKVBATVMM

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4616-93-0x00000000007A0000-0x0000000000842000-memory.dmp	family_socks5systemz
behavioral2/memory/4616-92-0x00000000007A0000-0x0000000000842000-memory.dmp	family_socks5systemz
behavioral2/memory/4616-104-0x00000000007A0000-0x0000000000842000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp
3320	toolmaxpartitionwizardbootable.exe
4616	toolmaxpartitionwizardbootable.exe

Loads dropped DLL 3 IoCs

pid	Process
1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp
1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp
1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp
1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 1868	4540	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.exe	84
PID 4540 wrote to memory of 1868	4540	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.exe	84
PID 4540 wrote to memory of 1868	4540	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.exe	84
PID 1868 wrote to memory of 3320	1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp	85
PID 1868 wrote to memory of 3320	1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp	85
PID 1868 wrote to memory of 3320	1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp	85
PID 1868 wrote to memory of 4616	1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp	86
PID 1868 wrote to memory of 4616	1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp	86
PID 1868 wrote to memory of 4616	1868	0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp	86

C:\Users\Admin\AppData\Local\Temp\0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.exe
"C:\Users\Admin\AppData\Local\Temp\0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Users\Admin\AppData\Local\Temp\is-U7T48.tmp\0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-U7T48.tmp\0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp" /SL5="$70204,7593738,54272,C:\Users\Admin\AppData\Local\Temp\0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Local\ToolMax Partition Wizard Bootable\toolmaxpartitionwizardbootable.exe
    "C:\Users\Admin\AppData\Local\ToolMax Partition Wizard Bootable\toolmaxpartitionwizardbootable.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3320
- - C:\Users\Admin\AppData\Local\ToolMax Partition Wizard Bootable\toolmaxpartitionwizardbootable.exe
    "C:\Users\Admin\AppData\Local\ToolMax Partition Wizard Bootable\toolmaxpartitionwizardbootable.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-H1EPG.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H1EPG.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U7T48.tmp\0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp

Filesize
689KB

MD5
a6e9b3e66de205b8584b6995113df037

SHA1
7bb7fa015dba40d290d3d36bc7d5a9716056e8a1

SHA256
ad3fbe29003e48f83dbe9c5086ff8082cebaebad7ab0beb9d2a9b31da861b29f

SHA512
5b8f9c83f09d266e331293fec3177385de6fe331fb665530b272fe11b76371bde53e973787d5d0f0bac024aed3ee402c9d5ff4b7bfff119b21b23e9e9af6c6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U7T48.tmp\0efc629789fddce39d1fbf32c1ce7fa769d8535b7c58cc493896dc2d34fcdb88.tmp

Filesize
130KB

MD5
e9ca4a74b614a95bdc8f1b662ef65326

SHA1
07a4ad93cfaabb83f326240397a47898704ff6b5

SHA256
af34d3488f3b7b176639a525cc8ca3df747bea6f58c9e3dc4a8309d24999ded6

SHA512
a85613d7b3c7e5c0d1b1c0cd9e533474f70a462170ec17017ef809be16c462a747587648165368fc454bf7bcc213d3ee6f5bf760573f5cc23204c86e8a2b68a8

Download Submit
C:\Users\Admin\AppData\Local\ToolMax Partition Wizard Bootable\toolmaxpartitionwizardbootable.exe

Filesize
1.9MB

MD5
c107a86d2bfa5fa12b215596efef6729

SHA1
e247db6c96917f0005cac7d9f9b7cfcdc7c3d3d9

SHA256
8ecef7fc028f2c518272379a20358e15d5a6b54c47b48bf0f5cacfdc247b9d59

SHA512
2f8d8054b7a48a347a48a1bc0abde70a55fd34ea3529e43f5a369ddeb174ec79bf0fbc7950da3501a3ddde7f1ffc93b34a31f324b5ccae3a59181cfccf5f67ee

Download Submit
C:\Users\Admin\AppData\Local\ToolMax Partition Wizard Bootable\toolmaxpartitionwizardbootable.exe

Filesize
1013KB

MD5
4edca1362c0743a4538b17e69a03a5db

SHA1
4ddf58be8337c61d4b696c58f2860579c8414400

SHA256
47a0042a0160faefff9262e47d7e63cd71e473d41c641384ecb6065b735a0914

SHA512
77d8499ddf642805eeacf7f40aaf1fc1b24e5369ce024c14b62fdc3bc866989af335aeb939269752275353df8c52c2f385186d961af8657c49f0b8f223ba4e28

Download Submit
C:\Users\Admin\AppData\Local\ToolMax Partition Wizard Bootable\toolmaxpartitionwizardbootable.exe

Filesize
526KB

MD5
4b19fd1eeb29141a32f10407821e94ff

SHA1
cdeae19921e0a134cbea2039c8e1b79a39c83096

SHA256
4cf93c3a3892010d474e3e985a6aaeca63c8f5c18cdd34921cac678be7c04bfd

SHA512
c9dc72b1edf184e2ae50a8dac81fb0a4c837cc8db47f0e84461b964a671f03d0c024a9b5764e92ee5859f4b00a11c09fa81dd235d1064fb52531f94f1e54be15

Download Submit
memory/1868-7-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1868-76-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1868-73-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3320-63-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/3320-64-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/3320-65-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/3320-68-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4540-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4616-75-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-92-0x00000000007A0000-0x0000000000842000-memory.dmp

Filesize
648KB

Download
memory/4616-78-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-79-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-82-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-85-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-88-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-91-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-93-0x00000000007A0000-0x0000000000842000-memory.dmp

Filesize
648KB

Download
memory/4616-71-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-99-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-102-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-104-0x00000000007A0000-0x0000000000842000-memory.dmp

Filesize
648KB

Download
memory/4616-107-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-109-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-112-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-115-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-120-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-122-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing