socks5systemz | 0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695

General

Target

0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.exe
Size

3.8MB
MD5

cf5c0193b6afdc73e972a8f893bbaeaa
SHA1

3ac40c72439641ab4cf7c1c410432701fcbf69db
SHA256

0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695
SHA512

5debeeed339364f113825e767c0d61547781e97ee715ac9ec5f027e9b3905f5086bdf789c1e1ac48f8c3adeeaee2496064e3bd1ea9a622af1990657a3bcd443a
SSDEEP

98304:I6CNyYeGCEnV84oSx8uC5grE9WmspLRAUZoCYm3:rSykCEqYmu0gI9WmHUZVx3

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://dtottuw.info/search/?q=67e28dd83f54f420440daf4e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa48e8889b5e4fa9281ae978a471ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ef715c0eb909c3b

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4368-82-0x0000000000A70000-0x0000000000B12000-memory.dmp	family_socks5systemz
behavioral2/memory/4368-83-0x0000000000A70000-0x0000000000B12000-memory.dmp	family_socks5systemz
behavioral2/memory/4368-93-0x0000000000A70000-0x0000000000B12000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2692	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp
4700	emonnettools.exe
4368	emonnettools.exe

Loads dropped DLL 1 IoCs

pid	Process
2692	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp
2692	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2692	2272	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.exe	73
PID 2272 wrote to memory of 2692	2272	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.exe	73
PID 2272 wrote to memory of 2692	2272	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.exe	73
PID 2692 wrote to memory of 4700	2692	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp	74
PID 2692 wrote to memory of 4700	2692	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp	74
PID 2692 wrote to memory of 4700	2692	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp	74
PID 2692 wrote to memory of 4368	2692	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp	75
PID 2692 wrote to memory of 4368	2692	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp	75
PID 2692 wrote to memory of 4368	2692	0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp	75

C:\Users\Admin\AppData\Local\Temp\0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.exe
"C:\Users\Admin\AppData\Local\Temp\0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\is-OK949.tmp\0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OK949.tmp\0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp" /SL5="$40238,3743139,54272,C:\Users\Admin\AppData\Local\Temp\0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\EMON Net Tools\emonnettools.exe
    "C:\Users\Admin\AppData\Local\EMON Net Tools\emonnettools.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4700
- - C:\Users\Admin\AppData\Local\EMON Net Tools\emonnettools.exe
    "C:\Users\Admin\AppData\Local\EMON Net Tools\emonnettools.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EMON Net Tools\emonnettools.exe

Filesize
1.2MB

MD5
21d9fb0e95b6fffea706d096aa54aab5

SHA1
5af7618f12d7cb9651d2a5e3ba367911e75177c9

SHA256
7b53c28b6d90ad2b9514150de37810fe8161fcf2464d78cda92567c4d5a9e6c0

SHA512
abbb3102af4901164e2da250015def0c6cd6822bf00d75a85cfcdc8a6cea6fc74a36e5f0580a50dda3cf85759ce1db02d14f3989269af62ac04da5fad744d6fe

Download Submit
C:\Users\Admin\AppData\Local\EMON Net Tools\emonnettools.exe

Filesize
128KB

MD5
d56b98d8e2aca0dfe74c0048ecfae51b

SHA1
f0e04ac75e67e1d98b5e0fc0ac5cb15427a65615

SHA256
7c60aeb363664c5fa1abfe68f7754c347ec9d3d20c973b92b3117cb2d5a7801b

SHA512
31354801b43d5bddf77b0015c1fddb60e69632fea9986a2460ccb574c29ddb9444a8716b44f878220ac3acf57995b0fe05a157fdd8bbd42339e8a84e5ffd17f6

Download Submit
C:\Users\Admin\AppData\Local\EMON Net Tools\emonnettools.exe

Filesize
3.9MB

MD5
ce279ab73acb11dbcea053e104083d99

SHA1
05fa158caba72daa545264bd40a64a56cf0d5fd4

SHA256
d26d894696c7b45469e04417221efd0b771b39b38374972a1070dc9b3e243ea4

SHA512
27e28170369256ccfd99c538ad4704caf2823c83114f77feb47e72f5497462aa3f857297311b66c24f302ee4a22180afe1e8c6f78a2c1ac2ca59be74b319b624

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OK949.tmp\0ecd9f7f2c7d6af777a24e848c8f3e25920160bfe125b86e9d2de8425baf8695.tmp

Filesize
689KB

MD5
c4196ff7ed85e03af20b6714e2161e26

SHA1
6735371e855c6599442560e22cfcb21db62db8c0

SHA256
21962235861891aec69522c70f21c9eaa73881e01787b7b1d37bdeec028bf8c2

SHA512
cbe0d806f6ca026b5079c88c873d86aecb749c8304e3ec192f8aae4b37be0daa7a8ece7076bd6547e908f6847df268de286dcd7bcf37f36acd88f5c6f9ee3811

Download Submit
\Users\Admin\AppData\Local\Temp\is-189UG.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2272-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2272-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2272-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2692-65-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2692-63-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4368-93-0x0000000000A70000-0x0000000000B12000-memory.dmp

Filesize
648KB

Download
memory/4368-83-0x0000000000A70000-0x0000000000B12000-memory.dmp

Filesize
648KB

Download
memory/4368-129-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-124-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-64-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-121-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-68-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-69-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-72-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-75-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-78-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-81-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-82-0x0000000000A70000-0x0000000000B12000-memory.dmp

Filesize
648KB

Download
memory/4368-61-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-89-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-92-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-118-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-96-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-99-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-102-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-105-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-109-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-112-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4368-115-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4700-53-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4700-54-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4700-57-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4700-58-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing