socks5systemz | 1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc

General

Target

1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe
Size

2.4MB
MD5

9476e7dd2ebed54259ab23bc453bbc24
SHA1

15ee73cbfbd9b69f3a7ef647c172f2af893ddffb
SHA256

1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc
SHA512

b769b193ad97283b7bdcc4ad19efa77d71f4fef6d222334bc9987227b7e43e77383646f0d860e3382385fc159d6116fbb08df6b29b2077262bda1089ff646f15
SSDEEP

49152:C9A/wjF337k2wJy0I0X/sO6LoJCvnpmUN9sNsWaG3pQ/UXjH58:MR53r0Jp93Anp/DsTaG3pQMT58

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://dicqnul.info/search/?q=67e28dd86c09f220490efa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ae8889b5e4fa9281ae978fe71ea771795af8e05c64bdb22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ef610c8ec9d933c

Signatures

Detect Socks5Systemz Payload 5 IoCs

resource	yara_rule
behavioral2/memory/4372-67-0x0000000000820000-0x00000000008C2000-memory.dmp	family_socks5systemz
behavioral2/memory/4372-77-0x0000000000820000-0x00000000008C2000-memory.dmp	family_socks5systemz
behavioral2/memory/4372-92-0x0000000000820000-0x00000000008C2000-memory.dmp	family_socks5systemz
behavioral2/memory/4372-93-0x0000000000820000-0x00000000008C2000-memory.dmp	family_socks5systemz
behavioral2/memory/4372-94-0x0000000000820000-0x00000000008C2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Detects executables packed with VMProtect. 19 IoCs

resource	yara_rule
behavioral2/memory/3336-38-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3336-41-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3336-42-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-46-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-49-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-53-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-54-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-57-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-60-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-63-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-66-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-73-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-76-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-80-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-83-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-86-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-89-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-95-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4372-99-0x0000000000400000-0x00000000006E3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

Executes dropped EXE 3 IoCs

pid	Process
2400	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp
3336	cdshrink.exe
4372	cdshrink.exe

Loads dropped DLL 1 IoCs

pid	Process
2400	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2400	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp
2400	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2400	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 2400	4388	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe	89
PID 4388 wrote to memory of 2400	4388	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe	89
PID 4388 wrote to memory of 2400	4388	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe	89
PID 2400 wrote to memory of 3336	2400	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	93
PID 2400 wrote to memory of 3336	2400	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	93
PID 2400 wrote to memory of 3336	2400	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	93
PID 2400 wrote to memory of 4372	2400	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	94
PID 2400 wrote to memory of 4372	2400	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	94
PID 2400 wrote to memory of 4372	2400	1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp	94

C:\Users\Admin\AppData\Local\Temp\1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe
"C:\Users\Admin\AppData\Local\Temp\1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\is-2AL9J.tmp\1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2AL9J.tmp\1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp" /SL5="$50218,2117727,56832,C:\Users\Admin\AppData\Local\Temp\1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe
    "C:\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3336
- - C:\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe
    "C:\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe

Filesize
2.7MB

MD5
b5eafeb18861c0981dc99bb3b9adc04d

SHA1
c9085b909c761be05582b0b728a33b1164021e34

SHA256
f8a082f461147baa5a54f7864230f51b94d11df134786b9b8abd9511c0c6e60d

SHA512
e6295b3e7f118c2d6164dcbd7adc9c0a3d4cea8e3ebe563d044f857f5f717f9799ec0f34a99ed5594a7922d02d0d2ea64474eff1484b3e0d94c56f52789082d7

Download Submit
C:\Users\Admin\AppData\Local\CD Shrink\cdshrink.exe

Filesize
2.9MB

MD5
7bea2ddd3f24be4bb73cba279faea5fe

SHA1
b863bbe6ab98a52da22883476437a50665ffc1ae

SHA256
a919c1611bcd173069105d9f13b6f9ebd08e8263d84a9a4399992cc545b61e83

SHA512
5cf50fd2b9f1d6531d0722c2b096e800f7b3dcf21a47bf99c4559fd1048ee94a900de35f60e26dcbcab0961773fd0cce37952aa0eeaf66f0f13e8eeb727d3122

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2AL9J.tmp\1f78ffc413e1efc75cd0f9b48888f8675ab026f704dd4eb72346e7c8ee471ebc.tmp

Filesize
690KB

MD5
90bbb991a13b4a5b200cd7ba72e8ef86

SHA1
f6a4f88999c8030c87582accbd1cf319a368e76a

SHA256
056f830169d55ed6c3b246dc08a1383ea8223c778c1c7c6de5f265e6b476a15e

SHA512
5ac51e0a71a82d61d9c6066fc50339708985a7cd991033ffb7c5fbb7f6a4663c380b107ad514eb2f637d24b8ce3d16b35121c9af320432ccb0580d87cbb0d0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U3HGJ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2400-48-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2400-50-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2400-7-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3336-37-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3336-38-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3336-41-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3336-42-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-54-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-89-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-99-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-44-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-49-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-95-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-53-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-94-0x0000000000820000-0x00000000008C2000-memory.dmp

Filesize
648KB

Download
memory/4372-57-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-60-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-63-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-66-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-67-0x0000000000820000-0x00000000008C2000-memory.dmp

Filesize
648KB

Download
memory/4372-73-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-76-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-77-0x0000000000820000-0x00000000008C2000-memory.dmp

Filesize
648KB

Download
memory/4372-80-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-83-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-86-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-46-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4372-92-0x0000000000820000-0x00000000008C2000-memory.dmp

Filesize
648KB

Download
memory/4372-93-0x0000000000820000-0x00000000008C2000-memory.dmp

Filesize
648KB

Download
memory/4388-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4388-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4388-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing