Analysis
max time kernel: 147s
max time network: 137s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23/03/2024, 11:21
Static task: static1
Behavioral task: behavioral1
    Sample: 9357e67e1024655f3302a794adc9c8da.exe
    Resource: win7-20240221-en
Behavioral task: behavioral2
    Sample: 9357e67e1024655f3302a794adc9c8da.exe
    Resource: win10v2004-20240226-en
All signatures, IoCs and the process tree on this page are from behavioral1 (the Windows 7 x64 run); no results from the Windows 10 run (behavioral2) are shown here.
General
Target: 9357e67e1024655f3302a794adc9c8da.exe
Size: 2.2MB
MD5: 9357e67e1024655f3302a794adc9c8da
SHA1: ed8eb9f4da01fd739d21e8684e95bd381e103402
SHA256: ee094b47e9e3bb7ba12d171bce953b0511b9fa3c8e5deb3d2662078bc72ad9c4
SHA512: c55f0e44cf043351a70dd7fa2338aefbb0f66cd243f0bd959cc38e076a7c0b6593b65fbdd89d0c17be0b84d5fc4fbe07fed90c9ce1bbcb19e2509551dbcd7b2e
SSDEEP: 49152:32Q41RVpy6V66wEMgH09q+rPkhP9UsqcbKXQoWWoE587rYrNr6e7D:mQK8V6jk3Pkd9zzWZ8nYrNuc
Malware Config
Extracted: socks5systemz
C2 URL: http://bpbgodv.com/search/?q=67e28dd83d5fa62d1358fa4d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a668ff613c9ec9c
Signatures

Detect Socks5Systemz Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/2384-75-0x0000000002330000-0x00000000023D2000-memory.dmp | family_socks5systemz
behavioral1/memory/2384-76-0x0000000002330000-0x00000000023D2000-memory.dmp | family_socks5systemz
behavioral1/memory/2384-88-0x0000000002330000-0x00000000023D2000-memory.dmp | family_socks5systemz
Socks5Systemz
Socks5Systemz is a botnet written in C++.
All three YARA hits are on the same 0x2330000-0x23D2000 region (0xA2000 bytes) of PID 2384, the colorpicker.exe instance launched with -s, at three successive dump points (75, 76, 88). The payload therefore lives in that process, not in the installer or in the -i instance (PID 2588), which produced no hits.
Executes dropped EXE (3 IoCs)
pid | Process
2144 | 9357e67e1024655f3302a794adc9c8da.tmp
2588 | colorpicker.exe
2384 | colorpicker.exe

Loads dropped DLL (5 IoCs)
pid | Process
2076 | 9357e67e1024655f3302a794adc9c8da.exe (1 event)
2144 | 9357e67e1024655f3302a794adc9c8da.tmp (4 events)
Unexpected DNS network traffic destination (1 IoC)
Traffic on the DNS port to a server other than the configured DNS servers was detected. The system resolver only talks to its configured servers, so a process sending to port 53 elsewhere is doing its own name resolution or is using port 53 as a transport.
description | ioc
Destination IP | 91.211.247.248
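The check behind this signature, written out as an added example (it is not the sandbox's own rule): given the resolvers a host was configured with and a set of observed flows, report every destination contacted on the DNS port that is not one of them. The resolver list, the flow record layout and all flows except the 91.211.247.248 destination are constructed for the example.

```python
"""Added example (not part of the sandbox report): the idea behind the
"Unexpected DNS network traffic destination" signature, run over constructed
flow records. The resolver list and every flow except the 91.211.247.248
destination are assumptions, not data from the report."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    pid: int
    proto: str       # "udp" or "tcp"
    dst_ip: str
    dst_port: int


# Resolvers the analysis VM was configured with (assumed; the report does not list them).
CONFIGURED_DNS = frozenset({"8.8.8.8", "8.8.4.4"})

# Constructed flows. Only the 91.211.247.248 address comes from the report.
SAMPLE_FLOWS = [
    Flow(2384, "udp", "8.8.8.8", 53),         # lookup via a configured resolver: fine
    Flow(2588, "udp", "127.0.0.1", 53),       # local stub resolver: skipped
    Flow(2384, "udp", "91.211.247.248", 53),  # the destination the sandbox flagged
    Flow(2384, "udp", "91.211.247.248", 53),
    Flow(2144, "tcp", "91.211.247.248", 53),  # DNS over TCP to the same host: also flagged
    Flow(2384, "tcp", "91.211.247.248", 80),  # not the DNS port: out of scope here
]


def unexpected_dns_destinations(flows, configured=CONFIGURED_DNS, port=53):
    """Return {dst_ip: sorted pids} for DNS-port traffic to servers outside `configured`.

    The system resolver only talks to its configured servers, so a process sending
    to port 53 elsewhere is resolving names on its own (or tunnelling over port 53).
    Loopback and link-local destinations are skipped so a local caching resolver
    does not fire the check.
    """
    hits = {}
    for f in flows:
        if f.dst_port != port or f.proto not in ("udp", "tcp"):
            continue
        if f.dst_ip in configured:
            continue
        ip = ip_address(f.dst_ip)
        if ip.is_loopback or ip.is_link_local:
            continue
        hits.setdefault(f.dst_ip, set()).add(f.pid)
    return {ip: sorted(pids) for ip, pids in sorted(hits.items())}


def report_rows(hits):
    """Render hits in the report's 'description | ioc' shape, one row per destination."""
    return [f"Destination IP | {ip} (pids {', '.join(map(str, pids))})"
            for ip, pids in hits.items()]


if __name__ == "__main__":
    for row in report_rows(unexpected_dns_destinations(SAMPLE_FLOWS)):
        print(row)
```

Both UDP and TCP on port 53 are counted, and repeated flows to one destination collapse into a single row with the set of PIDs, which is how you would want it when the same process retries a lookup. Whether to also exempt RFC 1918 destinations is a policy choice: on an enterprise network an unconfigured internal resolver is still worth a look, so the example does not exempt them.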
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry (typically HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and its Wow6432Node counterpart) to enumerate software on the system. Installers routinely do this to detect a previous installation, so on its own this is a weak signal.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target | rows
PID 2076 wrote to memory of 2144 | 2076 | 9357e67e1024655f3302a794adc9c8da.exe | 28 | 7
PID 2144 wrote to memory of 2588 | 2144 | 9357e67e1024655f3302a794adc9c8da.tmp | 29 | 4
PID 2144 wrote to memory of 2384 | 2144 | 9357e67e1024655f3302a794adc9c8da.tmp | 30 | 4
The report lists one row per WriteProcessMemory call; the rows above are collapsed with a count. Every write targets a child that the writer itself launched (2076 to 2144, 2144 to 2588 and 2384), matching the process tree below. That pattern is consistent with ordinary process creation and is not on its own evidence of injection into an unrelated process.
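Two of the tables above, the memory-dump IoC names under "Detect Socks5Systemz Payload" and the WriteProcessMemory rows, arrive flattened and are easier to reason about once parsed. The following is an added example, not tooling from the sandbox: it parses dump names into (task, pid, dump index, address range, size), groups repeated hits on one region into a single finding, and turns the per-call WriteProcessMemory rows into a parent-to-child tree with an event count per edge. The input strings are copied from this report; the regular expressions, data shapes and image names for leaf PIDs (taken from the "Executes dropped EXE" table) are assumptions.

```python
"""Added example (not the sandbox's code): parse two flattened report tables.
Input strings are copied from the report; regexes and output shapes are assumptions."""
import re
from collections import defaultdict

# --- (1) memory-dump IoC names ------------------------------------------------
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Copied from the report's "Detect Socks5Systemz Payload" table.
MEMORY_IOCS = [
    "behavioral1/memory/2384-75-0x0000000002330000-0x00000000023D2000-memory.dmp",
    "behavioral1/memory/2384-76-0x0000000002330000-0x00000000023D2000-memory.dmp",
    "behavioral1/memory/2384-88-0x0000000002330000-0x00000000023D2000-memory.dmp",
]


def parse_dump_name(name: str) -> dict:
    """Split a sandbox memory-dump name into task, pid, dump index and address range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory-dump IoC name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def payload_regions(names) -> dict:
    """Group dump names by (pid, start, end): repeated hits on one region are one finding."""
    regions = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        regions[(d["pid"], d["start"], d["end"])].append(d["index"])
    return dict(regions)


# --- (2) WriteProcessMemory rows -> process tree ------------------------------
# Row layout in the report: description, pid, Process, procid_target.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+(\d+)\s+(\S+)\s+(\d+)")

# The report repeats each row once per WriteProcessMemory call: 7 + 4 + 4 = 15 IoCs.
WPM_TABLE = (
    "PID 2076 wrote to memory of 2144 2076 9357e67e1024655f3302a794adc9c8da.exe 28\n" * 7
    + "PID 2144 wrote to memory of 2588 2144 9357e67e1024655f3302a794adc9c8da.tmp 29\n" * 4
    + "PID 2144 wrote to memory of 2384 2144 9357e67e1024655f3302a794adc9c8da.tmp 30\n" * 4
)

# Image names for PIDs that never appear as writers, from "Executes dropped EXE".
DROPPED_EXE = {
    2144: "9357e67e1024655f3302a794adc9c8da.tmp",
    2588: "colorpicker.exe",
    2384: "colorpicker.exe",
}


def process_tree(table: str) -> dict:
    """Collapse per-call rows into a parent->child map with an event count per edge."""
    children = defaultdict(list)   # writer pid -> distinct target pids, first-seen order
    counts = defaultdict(int)      # (writer, target) -> number of rows
    names = {}                     # writer pid -> image name given in the row
    for m in WPM_RE.finditer(table):
        src, dst, _pid, proc, _target = m.groups()
        src, dst = int(src), int(dst)
        names[src] = proc
        counts[(src, dst)] += 1
        if dst not in children[src]:
            children[src].append(dst)
    targets = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in targets]
    return {"children": dict(children), "counts": dict(counts),
            "names": names, "roots": roots}


def render_tree(tree: dict, extra_names: dict = None) -> list:
    """Indented tree, one line per process, with the edge's row count on child lines."""
    names = {**tree["names"], **(extra_names or {})}
    lines = []

    def walk(pid, depth, parent):
        line = f"{'  ' * depth}{pid} {names.get(pid, '?')}"
        if parent is not None:
            line += f"  ({tree['counts'][(parent, pid)]} WriteProcessMemory rows from {parent})"
        lines.append(line)
        for child in tree["children"].get(pid, []):
            walk(child, depth + 1, pid)

    for root in tree["roots"]:
        walk(root, 0, None)
    return lines


if __name__ == "__main__":
    for region, idxs in payload_regions(MEMORY_IOCS).items():
        print(f"pid {region[0]} region {region[1]:#x}-{region[2]:#x} hit at dumps {idxs}")
    print("\n".join(render_tree(process_tree(WPM_TABLE), DROPPED_EXE)))
```

The grouping step is what tells you that three YARA IoCs are one finding (one region of one process, seen at three dump points), and the tree step is what lets you check that every WriteProcessMemory target is the writer's own child before treating the signature as injection.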
Processes
C:\Users\Admin\AppData\Local\Temp\9357e67e1024655f3302a794adc9c8da.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9357e67e1024655f3302a794adc9c8da.exe"
    PID: 2076
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\is-3AGM2.tmp\9357e67e1024655f3302a794adc9c8da.tmp
        command line: "C:\Users\Admin\AppData\Local\Temp\is-3AGM2.tmp\9357e67e1024655f3302a794adc9c8da.tmp" /SL5="$70124,1972866,54272,C:\Users\Admin\AppData\Local\Temp\9357e67e1024655f3302a794adc9c8da.exe"
        PID: 2144
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
            command line: "C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i
            PID: 2588
            - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
            command line: "C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s
            PID: 2384
            - Executes dropped EXE
The is-XXXXX.tmp loader relaunched with /SL5= pointing back at the original file is the standard Inno Setup bootstrap: the outer executable extracts its own setup loader to a temporary directory and hands it the path of the installer. That loader drops colorpicker.exe under %LOCALAPPDATA%\Color Picker and runs it twice, first with -i and then with -s; only the -s instance (PID 2384) carries the Socks5Systemz payload in memory.
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1024KB
MD5: 7aa80675f10086a5fdede041a40e3d0b
SHA1: f558e5da55181c093c9b668ca26a7a1e6b56a77c
SHA256: 239762f512477540db1b1d0de8762d8f3b8225ad2e6e6472b1b1fc9c17e45f93
SHA512: c476682b4f39688b1521e75c1ef5ad4cbb551c04534cfa0caebbfe03f39dfb1bf42186db94377ac623d25ab60d12b225b23e6511baee41572a09aaadf1d414c4

Filesize: 2.2MB
MD5: db2e42972e6f72f623ec6cadf8180747
SHA1: be60e50f957eb7d9c88f52e234671701fc8fc7a0
SHA256: d029b6e530502459f455078d89c15ec6183085550d839a1b7cb4fa274bded45d
SHA512: ce8f3bc9f10f588472c936d8163427bc123a15c49d95533b0707faa146cec89f5f525be8ad7cd3a6b8459c4db4561fd8273908884e1420e1ef4251eaa9ec1dd8

Filesize: 1.1MB
MD5: 2c12ac7419daeb90f667500ef5e8ac66
SHA1: e152968f83047b6d5c0427478d0544180de7e681
SHA256: 7f48632d31e501120b5bf8633b99764c198db3e7bb991d0ec07366ba755bc2a5
SHA512: d8a6c10323c9dd0cdb04abc3c531a9815693f2b1dd67bd0b6f92632827e36c12e8ebe2cd7729d395835b643aad91c8b38ad022d8f95a9d434ffc4f178b3d3847

Filesize: 1.2MB
MD5: e59631bc39a3d6f444dc1f4498d6ced2
SHA1: b2770b82e4050ac4f1136c3bd005e314f68a4613
SHA256: f92574c68433cf45c4eab0808fcfaaace46e2b5955befe93dabbe94873ca2af5
SHA512: dbb2eb0d50ffa14104b93c2384ddd1ee50062811e68e83f8d668a8bbd17c03d9662f8487cca5810c9092d080807409e95e5b669d46fd11b042c8574175e285bc

Filesize: 677KB
MD5: 92f7775908bb12183914bb0753782913
SHA1: 8d1091da36832942d48f2fe9a1a216fdd556b9c4
SHA256: a43c4e3916a92d299c22e2010383b2a8f85e14882a610de57bb2fef91f7984ed
SHA512: 7e39cafdc00a46f2353f6eeaa8fee0d7c94f489d1fd4581e125408bae63a2e6cd135f65807c3574c833f970b64106badb7dd0a2a6ee9859b3b60b3d1b6e19c39

Filesize: 2KB
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3