socks5systemz | 3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52

Analysis

max time kernel
298s
max time network
272s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
15/03/2024, 01:01 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe
Size

2.0MB
MD5

7b0450a8f0f55e1a4dd87d63c89391ec
SHA1

07791ca729fe8530516a30cf79537851087e838c
SHA256

3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52
SHA512

57c388a091fb1d381d6c5b6eb903100ef598e5abdd623508407305ac91a7809230d4733a354f61b0c79c8daa373f1094ec7a72471a423544d9d433776dd33466
SSDEEP

49152:32wgMX097PjZYMpO6qaO9emlnq22+Q6NzFWatjY0gKNB:mwVgrZYMG9emtq2rQ6F8atRJB

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

http://dixmtyi.info/search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/2556-66-0x0000000000810000-0x00000000008B4000-memory.dmp	family_socks5systemz
behavioral2/memory/2556-69-0x0000000000810000-0x00000000008B4000-memory.dmp	family_socks5systemz
behavioral2/memory/2556-78-0x0000000000810000-0x00000000008B4000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp
4116	linkdetector32.exe
2556	linkdetector32.exe

Loads dropped DLL 1 IoCs

pid	Process
4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4804	5040	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe	72
PID 5040 wrote to memory of 4804	5040	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe	72
PID 5040 wrote to memory of 4804	5040	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe	72
PID 4804 wrote to memory of 4116	4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp	73
PID 4804 wrote to memory of 4116	4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp	73
PID 4804 wrote to memory of 4116	4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp	73
PID 4804 wrote to memory of 2556	4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp	74
PID 4804 wrote to memory of 2556	4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp	74
PID 4804 wrote to memory of 2556	4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp	74

C:\Users\Admin\AppData\Local\Temp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe
"C:\Users\Admin\AppData\Local\Temp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\is-JKRSO.tmp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JKRSO.tmp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp" /SL5="$C01EA,1756554,54272,C:\Users\Admin\AppData\Local\Temp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Users\Admin\AppData\Local\Broken Link Detector\linkdetector32.exe
    "C:\Users\Admin\AppData\Local\Broken Link Detector\linkdetector32.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4116
- - C:\Users\Admin\AppData\Local\Broken Link Detector\linkdetector32.exe
    "C:\Users\Admin\AppData\Local\Broken Link Detector\linkdetector32.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2556

Network

DNS

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

Remote address:

8.8.8.8:53

Request

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

IN PTR

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

dixmtyi.info

linkdetector32.exe

Remote address:

141.98.234.31:53

Request

dixmtyi.info

IN A

Response

dixmtyi.info

IN A

195.16.74.230
DNS

2.5.7.4.4.5.e.f.c.5.b.a.5.f.f.b.e.6.0.5.3.6.3.4.f.1.a.e.2.6.d.8.ip6.arpa

Remote address:

8.8.8.8:53

Request

2.5.7.4.4.5.e.f.c.5.b.a.5.f.f.b.e.6.0.5.3.6.3.4.f.1.a.e.2.6.d.8.ip6.arpa

IN PTR

Response
GET

http://dixmtyi.info/search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895

linkdetector32.exe

Remote address:

195.16.74.230:80

Request

GET /search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895 HTTP/1.1
Host: dixmtyi.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Fri, 15 Mar 2024 01:03:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
DNS

31.234.98.141.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.234.98.141.in-addr.arpa

IN PTR

Response

31.234.98.141.in-addr.arpa

IN PTR

cx21ip-ptrtech
DNS

31.234.98.141.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.234.98.141.in-addr.arpa

IN PTR

Response

31.234.98.141.in-addr.arpa

IN PTR

cx21ip-ptrtech
DNS

31.234.98.141.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.234.98.141.in-addr.arpa

IN PTR
DNS

230.74.16.195.in-addr.arpa

Remote address:

8.8.8.8:53

Request

230.74.16.195.in-addr.arpa

IN PTR

Response

230.74.16.195.in-addr.arpa

IN PTR

vm1871319stark-industries solutions
DNS

230.74.16.195.in-addr.arpa

Remote address:

8.8.8.8:53

Request

230.74.16.195.in-addr.arpa

IN PTR
GET

http://dixmtyi.info/search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895

linkdetector32.exe

Remote address:

195.16.74.230:80

Request

GET /search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895 HTTP/1.1
Host: dixmtyi.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Fri, 15 Mar 2024 01:04:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
GET

http://dixmtyi.info/search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895

linkdetector32.exe

Remote address:

195.16.74.230:80

Request

GET /search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895 HTTP/1.1
Host: dixmtyi.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Fri, 15 Mar 2024 01:05:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33

195.16.74.230:80

http://dixmtyi.info/search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895

http

linkdetector32.exe

591 B
392 B
6
4

HTTP Request

GET http://dixmtyi.info/search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895

HTTP Response

200
195.16.74.230:80

http://dixmtyi.info/search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895

http

linkdetector32.exe

591 B
392 B
6
4

HTTP Request

GET http://dixmtyi.info/search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895

HTTP Response

200
195.16.74.230:80

http://dixmtyi.info/search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895

http

linkdetector32.exe

499 B
312 B
4
2

HTTP Request

GET http://dixmtyi.info/search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895

HTTP Response

200

8.8.8.8:53

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

dns

118 B
182 B
1
1

DNS Request

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
141.98.234.31:53

dixmtyi.info

dns

linkdetector32.exe

58 B
86 B
1
1

DNS Request

dixmtyi.info

DNS Response

195.16.74.230
8.8.8.8:53

2.5.7.4.4.5.e.f.c.5.b.a.5.f.f.b.e.6.0.5.3.6.3.4.f.1.a.e.2.6.d.8.ip6.arpa

dns

118 B
182 B
1
1

DNS Request

2.5.7.4.4.5.e.f.c.5.b.a.5.f.f.b.e.6.0.5.3.6.3.4.f.1.a.e.2.6.d.8.ip6.arpa
8.8.8.8:53

31.234.98.141.in-addr.arpa

dns

216 B
204 B
3
2

DNS Request

31.234.98.141.in-addr.arpa

DNS Request

31.234.98.141.in-addr.arpa

DNS Request

31.234.98.141.in-addr.arpa
8.8.8.8:53

230.74.16.195.in-addr.arpa

dns

144 B
122 B
2
1

DNS Request

230.74.16.195.in-addr.arpa

DNS Request

230.74.16.195.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Broken Link Detector\linkdetector32.exe

Filesize
2.2MB

MD5
85dbd43caf8696d8239699d2f4d53d8e

SHA1
01b659ae393802dec350fb28120f06e475f945d0

SHA256
72dba373548318898b3e4f318f79ca31439bb339e7a6b57c96e5c33c869c7175

SHA512
a0c9f0cf2615154424be26087eb786b9219760f2f0c26e91059a7504c2ddfbe2bafaefb0f1f6d9f5ec2eae1a73a1bc849c6a728930e63a69b4ea37cfb818d88b

Download Submit
C:\Users\Admin\AppData\Local\Broken Link Detector\linkdetector32.exe

Filesize
2.2MB

MD5
2d14701f6a640ef8fb926bc5db750e15

SHA1
0a92603deddb33b11cacbc2cba6df8c8109e12bb

SHA256
4d1bca90085a373546baa7b26dfe49f1bd04a4861878db05d7acdb315cafd352

SHA512
8892cd199623030721fe26aa3a0508322ce95e5260bac4433694c3cb8d3f420bb1546c24ec0c48cda450a21a5d3e5ae00d43bb35ec4c82030500cb3c7a4564eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JKRSO.tmp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp

Filesize
677KB

MD5
33da9dc521f467c0405d3ef5377ce04b

SHA1
5249d7ce5dfabe5ee6d2fc7d3f3eba1e866b7d1f

SHA256
dbab8a7b2b45fc7001d5e34d3d45ccbe93a7591f12910281acf2c32f8c4e631c

SHA512
a3093637e1d731eab58080e10706db1afbf6e79fbac6593733b61033f97875ecbe230311e9741d349625ec3a66a6435318846d35290db8cd00af76d692699a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JKRSO.tmp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp

Filesize
665KB

MD5
7704c175cd61c18b088fdb7bf77c118c

SHA1
80396d0bb3d6f5debd3b078f2568e650fca655d7

SHA256
0e1e69d4c5d301adee4b1635a0cf3ff0dd67c88a441b3af28acd71134e9af158

SHA512
5e7df72d7a499f3aa81a096e25f0e1928c9e1d0979961f2b6d7686a0e6ea7fe3f27cbbb176ea585bc92a84bc6f64421e87941e3d7440456fa1a199eb95622bfe

Download Submit
\Users\Admin\AppData\Local\Temp\is-T0GF5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2556-78-0x0000000000810000-0x00000000008B4000-memory.dmp

Filesize
656KB

Download
memory/2556-87-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-114-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-109-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-106-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-103-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-100-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-46-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-97-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-94-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-49-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-90-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-53-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-54-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-57-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-60-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-63-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-66-0x0000000000810000-0x00000000008B4000-memory.dmp

Filesize
656KB

Download
memory/2556-67-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-69-0x0000000000810000-0x00000000008B4000-memory.dmp

Filesize
656KB

Download
memory/2556-74-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-77-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-84-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-81-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/4116-43-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/4116-42-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/4116-40-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/4116-39-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/4804-7-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4804-50-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4804-48-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5040-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5040-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5040-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.