Malware Analysis Report

2025-08-11 05:09

Sample ID 240323-nb9y7aff23
Target 5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3
SHA256 5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3
Tags
socks5systemz botnet discovery
score
10/10

Analysis Overview

score
10/10

SHA256

5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3

Threat Level: Known bad

The file 5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3 was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Socks5Systemz

Detect Socks5Systemz Payload

Loads dropped DLL

Unexpected DNS network traffic destination

Executes dropped EXE

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-23 11:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 11:14

Reported

2024-03-23 11:17

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 152.89.198.214 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.exe C:\Users\Admin\AppData\Local\Temp\is-V18UM.tmp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.tmp
PID 3960 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\is-V18UM.tmp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 3960 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\is-V18UM.tmp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.exe

"C:\Users\Admin\AppData\Local\Temp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.exe"

C:\Users\Admin\AppData\Local\Temp\is-V18UM.tmp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-V18UM.tmp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.tmp" /SL5="$B0050,1756523,54272,C:\Users\Admin\AppData\Local\Temp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.exe"

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 17.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 152.89.198.214:53 aicxjai.ru udp
US 8.8.8.8:53 214.198.89.152.in-addr.arpa udp
MD 45.142.214.240:80 aicxjai.ru tcp
US 8.8.8.8:53 240.214.142.45.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/1292-0-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-V18UM.tmp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.tmp

MD5 92f7775908bb12183914bb0753782913
SHA1 8d1091da36832942d48f2fe9a1a216fdd556b9c4
SHA256 a43c4e3916a92d299c22e2010383b2a8f85e14882a610de57bb2fef91f7984ed
SHA512 7e39cafdc00a46f2353f6eeaa8fee0d7c94f489d1fd4581e125408bae63a2e6cd135f65807c3574c833f970b64106badb7dd0a2a6ee9859b3b60b3d1b6e19c39

memory/3960-6-0x00000000007A0000-0x00000000007A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-MN9KM.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 77c8e87124cd5534656bf23a7bc21509
SHA1 1531df44ea2092e5e0f89a12a3e77a19400d9451
SHA256 c12f75445e83c4dbe480cc92afc4bdd584f6489811b78f7041fb6fd06488a7aa
SHA512 7389ddaa558867edf903b3e81bc432833dc055324a52f3e56638ac6fee1834b557a5e2b96266c9ed7f969dd7f51a6b6dc820b5b1f58b88a0972f7192647224e7

memory/4720-37-0x0000000000400000-0x0000000000611000-memory.dmp

memory/4720-38-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 10b61d3f396d0db3112f701ff1eeef0e
SHA1 1c0d6cd7b50df2699641a62cce8133b8e372177f
SHA256 7b9f88ce378d3481a7a437570f4e73f6e18ab4a7f9b1289a528978a953c52584
SHA512 8395bb347cc2ed412576026fa5c8934369de1cfc5d510fd71476956e08c807d9475968423126cdb2a1214ac4989293d8dce2d678eee7f8c6c97d679734b6bbb8

memory/4720-42-0x0000000000400000-0x0000000000611000-memory.dmp

memory/4720-41-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 125bcf326a556a09d26b4cb30f33a41f
SHA1 570ef4eacf435ef527a1a3b732b3117d4fed668b
SHA256 1b71d871aa5801f13c2f88f122276c6a6a3133bed0ebaf20ae754c47a7e0a799
SHA512 b8473e5f7511695a4f0342b4b88ab41e0cd42416fd9f5ab50b0cea98d1e1611e445fae9593dca658d63d126648ec2e3dc87251b7cb04b2465df3b3ace87e9b06


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 11:14

Reported

2024-03-23 11:17

Platform

win11-20240319-en

Max time kernel

144s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3484 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.exe C:\Users\Admin\AppData\Local\Temp\is-J4UCT.tmp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.tmp
PID 4576 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\is-J4UCT.tmp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 4576 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\is-J4UCT.tmp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.exe

"C:\Users\Admin\AppData\Local\Temp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.exe"

C:\Users\Admin\AppData\Local\Temp\is-J4UCT.tmp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-J4UCT.tmp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.tmp" /SL5="$40242,1756523,54272,C:\Users\Admin\AppData\Local\Temp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.exe"

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s

Network

Country Destination Domain Proto
LT 91.211.247.248:53 ejjvzpz.ua udp
TR 195.16.74.230:80 ejjvzpz.ua tcp
US 8.8.8.8:53 230.74.16.195.in-addr.arpa udp

Files

memory/3484-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3484-2-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-J4UCT.tmp\5efbaefdce3a26480ee245f904a49ea2b7a1edc0a48934bd94dd8a74d3b724c3.tmp

MD5 92f7775908bb12183914bb0753782913
SHA1 8d1091da36832942d48f2fe9a1a216fdd556b9c4
SHA256 a43c4e3916a92d299c22e2010383b2a8f85e14882a610de57bb2fef91f7984ed
SHA512 7e39cafdc00a46f2353f6eeaa8fee0d7c94f489d1fd4581e125408bae63a2e6cd135f65807c3574c833f970b64106badb7dd0a2a6ee9859b3b60b3d1b6e19c39

memory/4576-7-0x0000000002340000-0x0000000002341000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-CIN3A.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 548d16f6d9364b551f3982034c053eb3
SHA1 1bcff76cc01a29550bf5ba196cca79501da5e5b5
SHA256 6c7b61d3fa42304d74a68a62fc4afe29b30225e6cdd3b5391cb8060c9de235c2
SHA512 12bd999e3d5921dd98b813317baefe8a0a14504e3f61e6e08600f67dd9fde176bc2c16756229bb4804914a28f03425a372b3a407da448a24addc19fddd5bea80

memory/4672-38-0x0000000000400000-0x0000000000611000-memory.dmp

memory/4672-39-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 f29d05321759609efa001b53af993bf6
SHA1 35e2dba02060a00f795c1c8848439c2ed1ab5b12
SHA256 88663bb84e61233419ae2bda03f04e082ddc65f1f8a1b9be5be9502f687f3858
SHA512 95c00fac3d3534b0037a713c895e543b2ef358ca02843bf6ebab8cbacff9ac9169ef1e870a4cd19f70b350c4115ab6bef577ddc8847457c97a9f791d996844aa

memory/4672-42-0x0000000000400000-0x0000000000611000-memory.dmp

memory/4672-43-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 d2f9905e704936d346bf56aa46a1b8b7
SHA1 63f29f6350cae7c76625195994b06c1480488de7
SHA256 57f0444592f3b5768050fa5cfcf61c662bca0d532d549bd063eadcce9f35cfe1
SHA512 9540ea6522b3b33c228af137e16bd887a146ebca8765fb1b119260d6f5b4edf8082d1b41d8c0fa8245c549c804ffe1194678f0cfdb7be3d02d16fcb4fe6bf256
