socks5systemz | 1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc

General

Target

1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe
Size

2.4MB
MD5

9476e7dd2ebed54259ab23bc453bbc24
SHA1

15ee73cbfbd9b69f3a7ef647c172f2af893ddffb
SHA256

1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc
SHA512

b769b193ad97283b7bdcc4ad19efa77d71f4fef6d222334bc9987227b7e43e77383646f0d860e3382385fc159d6116fbb08df6b29b2077262bda1089ff646f15
SSDEEP

49152:C9A/wjF337k2wJy0I0X/sO6LoJCvnpmUN9sNsWaG3pQ/UXjH58:MR53r0Jp93Anp/DsTaG3pQMT58

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://bvhhvae.com/search/?q=67e28dd86d0ef17b460ef9177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa45e8889b5e4fa9281ae978f671ea771795af8e05c64bdb22f31df92d8b38e316a667d307eca743ec4c2b07b52966923b6e8ff712c9e996

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2992-77-0x0000000002710000-0x00000000027B2000-memory.dmp	family_socks5systemz
behavioral1/memory/2992-78-0x0000000002710000-0x00000000027B2000-memory.dmp	family_socks5systemz
behavioral1/memory/2992-88-0x0000000002710000-0x00000000027B2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Detects executables packed with VMProtect. 17 IoCs

resource	yara_rule
behavioral1/memory/2996-45-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2996-47-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2996-50-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-56-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-59-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-63-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-64-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-67-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-69-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-73-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-76-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-83-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-87-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-91-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-94-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-96-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2992-100-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

Executes dropped EXE 3 IoCs

pid	Process
2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp
2996	cdshrink.exe
2992	cdshrink.exe

Loads dropped DLL 5 IoCs

pid	Process
3056	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe
2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp
2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp
2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp
2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp
2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2296	3056	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe	30
PID 3056 wrote to memory of 2296	3056	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe	30
PID 3056 wrote to memory of 2296	3056	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe	30
PID 3056 wrote to memory of 2296	3056	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe	30
PID 3056 wrote to memory of 2296	3056	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe	30
PID 3056 wrote to memory of 2296	3056	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe	30
PID 3056 wrote to memory of 2296	3056	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe	30
PID 2296 wrote to memory of 2996	2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	31
PID 2296 wrote to memory of 2996	2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	31
PID 2296 wrote to memory of 2996	2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	31
PID 2296 wrote to memory of 2996	2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	31
PID 2296 wrote to memory of 2992	2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	32
PID 2296 wrote to memory of 2992	2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	32
PID 2296 wrote to memory of 2992	2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	32
PID 2296 wrote to memory of 2992	2296	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	32

C:\Users\Admin\AppData\Local\Temp\1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe
"C:\Users\Admin\AppData\Local\Temp\1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\is-9HGRE.tmp\1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9HGRE.tmp\1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp" /SL5="$400F4,2117727,56832,C:\Users\Admin\AppData\Local\Temp\1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe
    "C:\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2996
- - C:\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe
    "C:\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe

Filesize
2.8MB

MD5
8eaa4dad1f5cb557cf15e1180f4c4002

SHA1
b4eb8ec0f2ee1dcb43c0c61422ea3ef378217c0f

SHA256
6aeddfeaf491255228c6861c1e8a80fca6922c971d90cb743ad6798c529e3bb4

SHA512
e4125a2950eda1e4cce67b1da28f2cbb9ce528537ae8cacbe28ebbb51d06d09874d4be77de91887093148c44c0071decd063ea1d91596ab7f2d27a3d684b1d1d

Download Submit
C:\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe

Filesize
2.9MB

MD5
7bea2ddd3f24be4bb73cba279faea5fe

SHA1
b863bbe6ab98a52da22883476437a50665ffc1ae

SHA256
a919c1611bcd173069105d9f13b6f9ebd08e8263d84a9a4399992cc545b61e83

SHA512
5cf50fd2b9f1d6531d0722c2b096e800f7b3dcf21a47bf99c4559fd1048ee94a900de35f60e26dcbcab0961773fd0cce37952aa0eeaf66f0f13e8eeb727d3122

Download Submit
\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe

Filesize
2.4MB

MD5
af3b179dae328232e6ff2b1bc84eef9c

SHA1
3a17d238c4a10123bc1fc90dcaecf89229ecdb23

SHA256
26d7bddea2896fe44a1359563627d89a5ed6877e2d7d62453dc1b63dd4ddead5

SHA512
08b6d7d6f04b8a634c2a279bf96585060c6cb3c8bbba4884fd791175047d47ced4584c80671a684e0836be7c1c759cfb6f29c79bdfbba3c55a1c57faba396ccc

Download Submit
\Users\Admin\AppData\Local\Temp\is-9HGRE.tmp\1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp

Filesize
690KB

MD5
90bbb991a13b4a5b200cd7ba72e8ef86

SHA1
f6a4f88999c8030c87582accbd1cf319a368e76a

SHA256
056f830169d55ed6c3b246dc08a1383ea8223c778c1c7c6de5f265e6b476a15e

SHA512
5ac51e0a71a82d61d9c6066fc50339708985a7cd991033ffb7c5fbb7f6a4663c380b107ad514eb2f637d24b8ce3d16b35121c9af320432ccb0580d87cbb0d0f5

Download Submit
\Users\Admin\AppData\Local\Temp\is-9J1RJ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-9J1RJ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2296-46-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2296-7-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2296-60-0x0000000003290000-0x0000000003573000-memory.dmp

Filesize
2.9MB

Download
memory/2296-36-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2296-43-0x0000000003290000-0x0000000003573000-memory.dmp

Filesize
2.9MB

Download
memory/2296-55-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2992-56-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-78-0x0000000002710000-0x00000000027B2000-memory.dmp

Filesize
648KB

Download
memory/2992-100-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-96-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-53-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-94-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-91-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-59-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-88-0x0000000002710000-0x00000000027B2000-memory.dmp

Filesize
648KB

Download
memory/2992-63-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-64-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-67-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-69-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-73-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-76-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-77-0x0000000002710000-0x00000000027B2000-memory.dmp

Filesize
648KB

Download
memory/2992-87-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2992-83-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2996-47-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2996-44-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2996-50-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2996-45-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3056-35-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3056-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing