Analysis
- max time kernel: 143s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 23/03/2024, 09:56
Static task
- static1
Behavioral task
- behavioral1
  Sample: c0936b0b60581abf999cb8db58c887d6.exe
  Resource: win7-20231129-en
Behavioral task
- behavioral2
  Sample: c0936b0b60581abf999cb8db58c887d6.exe
  Resource: win10v2004-20240226-en
General
- Target: c0936b0b60581abf999cb8db58c887d6.exe
- Size: 2.0MB
- MD5: c0936b0b60581abf999cb8db58c887d6
- SHA1: b6817af3e994b051935cfa2bdb7de674c5f7f949
- SHA256: b42c724af5c05849434bb0c34cabbd138201a7f6b6b56faadbc150885cfd0a2e
- SHA512: 117d8f65c863db9c6514d17fff354a65c1faaee582fe630fb7713ae7f9cbc969013f0c17fe01fc763f0f42b3f090021fdca16672cde26a17038ba1b36584e094
- SSDEEP: 49152:32mReh8xhZ4DirVux6pKP79FS+iZM95cALWatNiCtQUOK+oR98:mmQab4Dq84oR0+4MQGHcWQqHR6
Malware Config
Extracted
- Family: socks5systemz
- C2 URLs:
  http://aqidkkj.ru/search/?q=67e28dd8690cfb204406a51a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978fe71ea771795af8e05c642db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a668ff716c8ec95
  http://aqidkkj.ru/search/?q=67e28dd8690cfb204406a51a7c27d78406abdd88be4b12eab517aa5c96bd86e993864d865a8bbc896c58e713bc90c91c36b5281fc235a925ed3e5dd6bd974a95129070b611e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c1ee9d9d33ce6f
Signatures

Detect Socks5Systemz Payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2684-77-0x0000000002650000-0x00000000026F2000-memory.dmp   family_socks5systemz
  behavioral1/memory/2684-80-0x0000000002650000-0x00000000026F2000-memory.dmp   family_socks5systemz
  behavioral1/memory/2684-89-0x0000000002650000-0x00000000026F2000-memory.dmp   family_socks5systemz
  behavioral1/memory/2684-102-0x0000000002650000-0x00000000026F2000-memory.dmp  family_socks5systemz
  behavioral1/memory/2684-103-0x0000000002650000-0x00000000026F2000-memory.dmp  family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.

Executes dropped EXE (3 IoCs)
  pid   Process
  2796  c0936b0b60581abf999cb8db58c887d6.tmp
  2476  markdownpad32.exe
  2684  markdownpad32.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2964  c0936b0b60581abf999cb8db58c887d6.exe
  2796  c0936b0b60581abf999cb8db58c887d6.tmp
  2796  c0936b0b60581abf999cb8db58c887d6.tmp
  2796  c0936b0b60581abf999cb8db58c887d6.tmp
  2796  c0936b0b60581abf999cb8db58c887d6.tmp
  2796  c0936b0b60581abf999cb8db58c887d6.tmp

Unexpected DNS network traffic destination (1 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  141.98.234.31

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                               procid_target
  PID 2964 wrote to memory of 2796  2964  c0936b0b60581abf999cb8db58c887d6.exe  28
  PID 2964 wrote to memory of 2796  2964  c0936b0b60581abf999cb8db58c887d6.exe  28
  PID 2964 wrote to memory of 2796  2964  c0936b0b60581abf999cb8db58c887d6.exe  28
  PID 2964 wrote to memory of 2796  2964  c0936b0b60581abf999cb8db58c887d6.exe  28
  PID 2964 wrote to memory of 2796  2964  c0936b0b60581abf999cb8db58c887d6.exe  28
  PID 2964 wrote to memory of 2796  2964  c0936b0b60581abf999cb8db58c887d6.exe  28
  PID 2964 wrote to memory of 2796  2964  c0936b0b60581abf999cb8db58c887d6.exe  28
  PID 2796 wrote to memory of 2476  2796  c0936b0b60581abf999cb8db58c887d6.tmp  29
  PID 2796 wrote to memory of 2476  2796  c0936b0b60581abf999cb8db58c887d6.tmp  29
  PID 2796 wrote to memory of 2476  2796  c0936b0b60581abf999cb8db58c887d6.tmp  29
  PID 2796 wrote to memory of 2476  2796  c0936b0b60581abf999cb8db58c887d6.tmp  29
  PID 2796 wrote to memory of 2684  2796  c0936b0b60581abf999cb8db58c887d6.tmp  30
  PID 2796 wrote to memory of 2684  2796  c0936b0b60581abf999cb8db58c887d6.tmp  30
  PID 2796 wrote to memory of 2684  2796  c0936b0b60581abf999cb8db58c887d6.tmp  30
  PID 2796 wrote to memory of 2684  2796  c0936b0b60581abf999cb8db58c887d6.tmp  30
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\c0936b0b60581abf999cb8db58c887d6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0936b0b60581abf999cb8db58c887d6.exe"
  PID: 2964
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\is-CIB3Q.tmp\c0936b0b60581abf999cb8db58c887d6.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-CIB3Q.tmp\c0936b0b60581abf999cb8db58c887d6.tmp" /SL5="$400BE,1722205,54272,C:\Users\Admin\AppData\Local\Temp\c0936b0b60581abf999cb8db58c887d6.exe"
    PID: 2796
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\MarkDownPad\markdownpad32.exe
      Command line: "C:\Users\Admin\AppData\Local\MarkDownPad\markdownpad32.exe" -i
      PID: 2476
      - Executes dropped EXE

    Level 3: C:\Users\Admin\AppData\Local\MarkDownPad\markdownpad32.exe
      Command line: "C:\Users\Admin\AppData\Local\MarkDownPad\markdownpad32.exe" -s
      PID: 2684
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads