socks5systemz | 3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52

General

Target

3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe
Size

2.0MB
MD5

7b0450a8f0f55e1a4dd87d63c89391ec
SHA1

07791ca729fe8530516a30cf79537851087e838c
SHA256

3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52
SHA512

57c388a091fb1d381d6c5b6eb903100ef598e5abdd623508407305ac91a7809230d4733a354f61b0c79c8daa373f1094ec7a72471a423544d9d433776dd33466
SSDEEP

49152:32wgMX097PjZYMpO6qaO9emlnq22+Q6NzFWatjY0gKNB:mwVgrZYMG9emtq2rQ6F8atRJB

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://dixmtyi.info/search/?q=67e28dd83a5afb7a460aac4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a678af915c5e895

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/2556-66-0x0000000000810000-0x00000000008B4000-memory.dmp	family_socks5systemz
behavioral2/memory/2556-69-0x0000000000810000-0x00000000008B4000-memory.dmp	family_socks5systemz
behavioral2/memory/2556-78-0x0000000000810000-0x00000000008B4000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp
4116	linkdetector32.exe
2556	linkdetector32.exe

Loads dropped DLL 1 IoCs

pid	Process
4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4804	5040	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe	72
PID 5040 wrote to memory of 4804	5040	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe	72
PID 5040 wrote to memory of 4804	5040	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe	72
PID 4804 wrote to memory of 4116	4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp	73
PID 4804 wrote to memory of 4116	4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp	73
PID 4804 wrote to memory of 4116	4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp	73
PID 4804 wrote to memory of 2556	4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp	74
PID 4804 wrote to memory of 2556	4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp	74
PID 4804 wrote to memory of 2556	4804	3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp	74

C:\Users\Admin\AppData\Local\Temp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe
"C:\Users\Admin\AppData\Local\Temp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\is-JKRSO.tmp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JKRSO.tmp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp" /SL5="$C01EA,1756554,54272,C:\Users\Admin\AppData\Local\Temp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Users\Admin\AppData\Local\Broken Link Detector\linkdetector32.exe
    "C:\Users\Admin\AppData\Local\Broken Link Detector\linkdetector32.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4116
- - C:\Users\Admin\AppData\Local\Broken Link Detector\linkdetector32.exe
    "C:\Users\Admin\AppData\Local\Broken Link Detector\linkdetector32.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Broken Link Detector\linkdetector32.exe

Filesize
2.2MB

MD5
85dbd43caf8696d8239699d2f4d53d8e

SHA1
01b659ae393802dec350fb28120f06e475f945d0

SHA256
72dba373548318898b3e4f318f79ca31439bb339e7a6b57c96e5c33c869c7175

SHA512
a0c9f0cf2615154424be26087eb786b9219760f2f0c26e91059a7504c2ddfbe2bafaefb0f1f6d9f5ec2eae1a73a1bc849c6a728930e63a69b4ea37cfb818d88b

Download Submit
C:\Users\Admin\AppData\Local\Broken Link Detector\linkdetector32.exe

Filesize
2.2MB

MD5
2d14701f6a640ef8fb926bc5db750e15

SHA1
0a92603deddb33b11cacbc2cba6df8c8109e12bb

SHA256
4d1bca90085a373546baa7b26dfe49f1bd04a4861878db05d7acdb315cafd352

SHA512
8892cd199623030721fe26aa3a0508322ce95e5260bac4433694c3cb8d3f420bb1546c24ec0c48cda450a21a5d3e5ae00d43bb35ec4c82030500cb3c7a4564eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JKRSO.tmp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp

Filesize
677KB

MD5
33da9dc521f467c0405d3ef5377ce04b

SHA1
5249d7ce5dfabe5ee6d2fc7d3f3eba1e866b7d1f

SHA256
dbab8a7b2b45fc7001d5e34d3d45ccbe93a7591f12910281acf2c32f8c4e631c

SHA512
a3093637e1d731eab58080e10706db1afbf6e79fbac6593733b61033f97875ecbe230311e9741d349625ec3a66a6435318846d35290db8cd00af76d692699a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JKRSO.tmp\3c0e672bce0dad4ed808fc11657433c09a949dde5cb92cb6e3e9ca3b70d1ee52.tmp

Filesize
665KB

MD5
7704c175cd61c18b088fdb7bf77c118c

SHA1
80396d0bb3d6f5debd3b078f2568e650fca655d7

SHA256
0e1e69d4c5d301adee4b1635a0cf3ff0dd67c88a441b3af28acd71134e9af158

SHA512
5e7df72d7a499f3aa81a096e25f0e1928c9e1d0979961f2b6d7686a0e6ea7fe3f27cbbb176ea585bc92a84bc6f64421e87941e3d7440456fa1a199eb95622bfe

Download Submit
\Users\Admin\AppData\Local\Temp\is-T0GF5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2556-78-0x0000000000810000-0x00000000008B4000-memory.dmp

Filesize
656KB

Download
memory/2556-87-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-114-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-109-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-106-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-103-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-100-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-46-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-97-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-94-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-49-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-90-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-53-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-54-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-57-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-60-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-63-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-66-0x0000000000810000-0x00000000008B4000-memory.dmp

Filesize
656KB

Download
memory/2556-67-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-69-0x0000000000810000-0x00000000008B4000-memory.dmp

Filesize
656KB

Download
memory/2556-74-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-77-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-84-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2556-81-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/4116-43-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/4116-42-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/4116-40-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/4116-39-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/4804-7-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4804-50-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4804-48-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5040-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5040-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5040-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing