Malware Analysis Report

2025-08-11 05:09

Sample ID 240323-njt8psac3x
Target d85357190e6be1331036f8cf9225d5c2.exe
SHA256 d53e734f9a4bad2b0d36b7484cb445bd377192a77ddb0d753d5aa1d14e9db078
Tags
socks5systemz botnet discovery
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

d53e734f9a4bad2b0d36b7484cb445bd377192a77ddb0d753d5aa1d14e9db078

Threat Level: Known bad

The file d85357190e6be1331036f8cf9225d5c2.exe was found to be: Known bad.

The sample is an Inno Setup-built installer: it unpacks its second stage into %TEMP%\is-XXXXX.tmp\ and hands off to it with the /SL5= switch, and the _isetup\_shfoldr.dll and _isetup\_iscrypt.dll helpers it drops are standard Inno Setup components. The second stage installs colorpicker.exe into %LOCALAPPDATA%\Color Picker\ and runs it twice, first with -i and then with -s. The same path is recorded with two (win7) and three (win10) different hash sets, so the file on disk changes after the initial drop. In both detonations the payload sends its DNS query to 91.211.247.248 instead of the sandbox's configured resolver, each run for a different domain (bvctbsd.com, then bobvamm.com), and then connects to 195.16.74.230 over TCP/80. The fixed resolver address and the HTTP endpoint are the durable network indicators here; the queried domain changes per run and should not be used on its own.

Malicious Activity Summary

socks5systemz botnet discovery

Detect Socks5Systemz Payload

Socks5Systemz

Loads dropped DLL

Unexpected DNS network traffic destination

Executes dropped EXE

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

No technique mappings are recorded for this sample; the signature tags (botnet, discovery) are the only classification the report carries.

Analysis: static1

Detonation Overview

Reported

2024-03-23 11:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 11:26

Reported

2024-03-23 11:28

Platform

win7-20240221-en

Max time kernel

146s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d85357190e6be1331036f8cf9225d5c2.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A (2 matches, no indicator detail recorded)

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 2204 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\d85357190e6be1331036f8cf9225d5c2.exe C:\Users\Admin\AppData\Local\Temp\is-CR46R.tmp\d85357190e6be1331036f8cf9225d5c2.tmp
PID 2204 wrote to memory of 1232 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\is-CR46R.tmp\d85357190e6be1331036f8cf9225d5c2.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 2204 wrote to memory of 2592 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\is-CR46R.tmp\d85357190e6be1331036f8cf9225d5c2.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

Identical rows are collapsed into one row with an event count. Each writer is the parent of its target in the Processes list below (installer -> Inno Setup second stage -> the two colorpicker.exe instances), so these writes are consistent with start-up of a freshly created child rather than injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\d85357190e6be1331036f8cf9225d5c2.exe

"C:\Users\Admin\AppData\Local\Temp\d85357190e6be1331036f8cf9225d5c2.exe"

C:\Users\Admin\AppData\Local\Temp\is-CR46R.tmp\d85357190e6be1331036f8cf9225d5c2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CR46R.tmp\d85357190e6be1331036f8cf9225d5c2.tmp" /SL5="$5014E,1779906,54272,C:\Users\Admin\AppData\Local\Temp\d85357190e6be1331036f8cf9225d5c2.exe"

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s

Network

Country Destination Domain Proto
LT 91.211.247.248:53 bvctbsd.com udp
TR 195.16.74.230:80 bvctbsd.com tcp

Files

memory/1948-0-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-CR46R.tmp\d85357190e6be1331036f8cf9225d5c2.tmp

MD5 92f7775908bb12183914bb0753782913
SHA1 8d1091da36832942d48f2fe9a1a216fdd556b9c4
SHA256 a43c4e3916a92d299c22e2010383b2a8f85e14882a610de57bb2fef91f7984ed
SHA512 7e39cafdc00a46f2353f6eeaa8fee0d7c94f489d1fd4581e125408bae63a2e6cd135f65807c3574c833f970b64106badb7dd0a2a6ee9859b3b60b3d1b6e19c39

memory/2204-7-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-RQPIK.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-RQPIK.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 7d196988eb734b40f3cdeb7fcfca2ac7
SHA1 936ec9251680709686e08afee2b21947fba3d078
SHA256 d1c4a6fdab2ee9d3e29cff002c76f83ece20f08806a11d44432313ae43d061f0
SHA512 c91705865a852d3e3a0a4dec16d075705b78c9e5547b9e169896400c6080d4c28b2c58183ac837ab1f858b06ecd5f68d5495a6534dd145ef3c0f15c381d1e91e

memory/2204-41-0x00000000034E0000-0x00000000036F9000-memory.dmp

memory/1232-43-0x0000000000400000-0x0000000000619000-memory.dmp

memory/1232-44-0x0000000000400000-0x0000000000619000-memory.dmp

memory/1232-45-0x0000000000400000-0x0000000000619000-memory.dmp

memory/1232-48-0x0000000000400000-0x0000000000619000-memory.dmp

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 6f1ede11b4b791ed96269a359b21916b
SHA1 8f2c964a832299c3b3b72dc67e68c4218f825f6c
SHA256 82def92c2309d93c2730df89b5528f57b260519c63acbc8ba7bcecca5fbd70e2
SHA512 c09ada433ada0f31cfd92951a7cf290ab24797a96097becc18a102e40d8f7a8a68e6e531e1d47bb368604961857d754dd7c3dc658b338c0d88dd2142642cde36

memory/2592-50-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-52-0x0000000000400000-0x0000000000619000-memory.dmp

memory/1948-53-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2204-54-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/2592-55-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2204-56-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2204-57-0x00000000034E0000-0x00000000036F9000-memory.dmp

memory/2592-60-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-63-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-64-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-67-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-70-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-73-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-75-0x00000000022B0000-0x0000000002352000-memory.dmp

memory/2592-81-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-84-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-87-0x00000000022B0000-0x0000000002352000-memory.dmp

memory/2592-88-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-91-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-94-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-97-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-101-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-104-0x0000000000400000-0x0000000000619000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 11:26

Reported

2024-03-23 11:28

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d85357190e6be1331036f8cf9225d5c2.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A (2 matches, no indicator detail recorded)

Socks5Systemz

botnet socks5systemz

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3OJLP.tmp\d85357190e6be1331036f8cf9225d5c2.tmp N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1464 wrote to memory of 548 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\d85357190e6be1331036f8cf9225d5c2.exe C:\Users\Admin\AppData\Local\Temp\is-3OJLP.tmp\d85357190e6be1331036f8cf9225d5c2.tmp
PID 548 wrote to memory of 2592 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-3OJLP.tmp\d85357190e6be1331036f8cf9225d5c2.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 548 wrote to memory of 3340 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-3OJLP.tmp\d85357190e6be1331036f8cf9225d5c2.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

Identical rows are collapsed into one row with an event count. Same parent-to-child pattern as behavioral1: installer (1464) -> Inno Setup second stage (548) -> the two colorpicker.exe instances (2592, 3340).
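Added example, not code from the sandbox or from the report: a script that rebuilds the process chain from the WriteProcessMemory rows of both detonations (behavioral1 and behavioral2), collapses the repeated rows into per-edge counts and flags the edge that matters, an Inno Setup second stage writing into a process whose image it has just placed under %LOCALAPPDATA%. The input rows are reconstructed from the two tables above; the is-XXXXX.tmp and AppData\Local heuristics are this example's assumptions, not the sandbox's signature logic.

```python
"""Rebuild the parent->child write graph behind "Suspicious use of
WriteProcessMemory" rows and flag the installer-to-%LOCALAPPDATA% edge.

Added example; not part of the sandbox report. Rows are reconstructed from the
report's tables; the Inno Setup / AppData heuristics are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed input: paths and PIDs exactly as printed in the report.
T = r"C:\Users\Admin\AppData\Local\Temp"
CP = r"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe"
EXE = T + r"\d85357190e6be1331036f8cf9225d5c2.exe"
TMP7 = T + r"\is-CR46R.tmp\d85357190e6be1331036f8cf9225d5c2.tmp"
TMP10 = T + r"\is-3OJLP.tmp\d85357190e6be1331036f8cf9225d5c2.tmp"


def row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


WIN7_ROWS = ([row(1948, 2204, EXE, TMP7)] * 7 + [row(2204, 1232, TMP7, CP)] * 4
             + [row(2204, 2592, TMP7, CP)] * 4)
WIN10_ROWS = ([row(1464, 548, EXE, TMP10)] * 3 + [row(548, 2592, TMP10, CP)] * 3
              + [row(548, 3340, TMP10, CP)] * 3)

# Source path is matched lazily up to the " C:\" that starts the target path.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")
# Assumption: Inno Setup unpacks its second stage into %TEMP%\is-XXXXX.tmp\.
INNO_TMP_RE = re.compile(r"\\Temp\\is-[A-Z0-9]{5}\.tmp\\", re.IGNORECASE)
# Assumption: a payload installed under AppData\Local, but not in Temp.
LOCAL_APPDATA_RE = re.compile(r"\\AppData\\Local\\(?!Temp\\)", re.IGNORECASE)


def parse_events(rows):
    """Return (src_pid, dst_pid, src_image, dst_image) per row."""
    events = []
    for r in rows:
        m = ROW_RE.match(r)
        if not m:
            raise ValueError(f"unparsable row: {r!r}")
        s, d, si, di = m.groups()
        events.append((int(s), int(d), si, di))
    return events


def aggregate(events):
    """Collapse repeats into one edge per (src, dst) with an event count,
    plus a pid -> image map."""
    counts = Counter((s, d) for s, d, _, _ in events)
    images = {}
    for s, d, si, di in events:
        images[s] = si
        images[d] = di
    return counts, images


def roots(counts):
    """PIDs that write but are never written to: the chain's origin."""
    return sorted({s for s, _ in counts} - {d for _, d in counts})


def chain(counts, images):
    """Indented depth-first rendering of the write graph from each root."""
    children = defaultdict(list)
    for s, d in counts:
        children[s].append(d)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{images[pid].rsplit(chr(92), 1)[-1]} (pid {pid})")
        for d in sorted(children[pid]):
            walk(d, depth + 1)

    for r in roots(counts):
        walk(r, 0)
    return lines


def suspicious_edges(counts, images):
    """Edges where an Inno Setup second stage writes into a process whose
    image lives under %LOCALAPPDATA%: the installer starting its payload."""
    return sorted((s, d) for (s, d) in counts
                  if INNO_TMP_RE.search(images[s]) and LOCAL_APPDATA_RE.search(images[d]))


if __name__ == "__main__":
    for label, rows in (("win7", WIN7_ROWS), ("win10", WIN10_ROWS)):
        counts, images = aggregate(parse_events(rows))
        print(label, dict(counts), suspicious_edges(counts, images))
        print("\n".join(chain(counts, images)))
```

The edge installer -> second stage is deliberately not flagged: the target there sits in Temp, which is where any Inno Setup installer writes, so only the hop from the is-*.tmp stage into a freshly installed %LOCALAPPDATA% binary carries signal.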

Processes

C:\Users\Admin\AppData\Local\Temp\d85357190e6be1331036f8cf9225d5c2.exe

"C:\Users\Admin\AppData\Local\Temp\d85357190e6be1331036f8cf9225d5c2.exe"

C:\Users\Admin\AppData\Local\Temp\is-3OJLP.tmp\d85357190e6be1331036f8cf9225d5c2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3OJLP.tmp\d85357190e6be1331036f8cf9225d5c2.tmp" /SL5="$D0052,1779906,54272,C:\Users\Admin\AppData\Local\Temp\d85357190e6be1331036f8cf9225d5c2.exe"

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
LT 91.211.247.248:53 bobvamm.com udp
US 8.8.8.8:53 248.247.211.91.in-addr.arpa udp
TR 195.16.74.230:80 bobvamm.com tcp
US 8.8.8.8:53 230.74.16.195.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Rows to 8.8.8.8 and 204.79.197.200 (reverse lookups, g.bing.com, tse1.mm.bing.net) are Windows 10 and Edge background activity on the sandbox image, as is the msedge.exe utility process listed above. The sample's own traffic is the DNS query for bobvamm.com to 91.211.247.248 and the TCP/80 connection to 195.16.74.230; the reverse lookups of those two addresses (248.247.211.91.in-addr.arpa, 230.74.16.195.in-addr.arpa) are most likely the sandbox resolving them for this report rather than sample behaviour.
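Added example, not code from the sandbox or the report, covering the Network tables of both detonations: the check behind an "Unexpected DNS network traffic destination" verdict, run over the rows above. It flags UDP/53 sent anywhere other than the host's configured resolver, pulls out the connections the sandbox attributed to the names resolved that way (the second-stage endpoint), and separates out the sandbox's own reverse lookups of the flagged hosts. The rows are copied from the tables (run 2 is a subset); the one assumption is that 8.8.8.8 is the sandbox's configured resolver, which every other UDP/53 row supports.

```python
"""Flag DNS sent to a resolver the host is not configured to use, then pull out
the connections that follow those lookups.

Added example; not part of the sandbox report or any vendor tooling. Rows are
copied from the report's Network tables. Assumption: 8.8.8.8 is the sandbox's
configured resolver.
"""
from collections import Counter

# Constructed input: "Country Destination Domain Proto" rows as printed above.
RUN1 = """\
LT 91.211.247.248:53 bvctbsd.com udp
TR 195.16.74.230:80 bvctbsd.com tcp
"""

RUN2 = """\
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
LT 91.211.247.248:53 bobvamm.com udp
US 8.8.8.8:53 248.247.211.91.in-addr.arpa udp
TR 195.16.74.230:80 bobvamm.com tcp
US 8.8.8.8:53 230.74.16.195.in-addr.arpa udp
"""

CONFIGURED_RESOLVERS = {"8.8.8.8"}  # assumption: the sandbox's DNS setting


def parse_rows(text):
    """Parse report rows into dicts; skips blank lines and the header."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Country"):
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_dns(row):
    return row["proto"] == "udp" and row["port"] == 53


def infer_resolvers(rows):
    """Fallback when the configured resolver is unknown: the majority UDP/53
    destination. On a short capture the malware's own resolver can win the
    vote (run 1 has a single DNS row), so prefer the configured value."""
    votes = Counter(r["ip"] for r in rows if is_dns(r))
    return {votes.most_common(1)[0][0]} if votes else set()


def unexpected_dns(rows, resolvers):
    """(resolver, queried name) pairs sent anywhere other than `resolvers`."""
    return sorted({(r["ip"], r["domain"]) for r in rows
                   if is_dns(r) and r["ip"] not in resolvers})


def follow_on(rows, names):
    """Non-DNS connections attributed to one of `names`: the hosts the odd
    lookups resolved to, i.e. the second-stage endpoint."""
    return sorted({(r["ip"], r["port"], r["domain"]) for r in rows
                   if r["domain"] in names and not is_dns(r)})


def ptr_name(ip):
    """Reverse-lookup name for an IPv4 address, used to recognise the
    sandbox's own PTR queries about flagged hosts and keep them out of IOCs."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def indicators(rows, resolvers=CONFIGURED_RESOLVERS):
    odd = unexpected_dns(rows, resolvers)
    names = {name for _, name in odd}
    hosts = {ip for ip, _ in odd} | {ip for ip, _, _ in follow_on(rows, names)}
    ptrs = {ptr_name(h) for h in hosts}
    return {
        "resolvers": sorted({ip for ip, _ in odd}),
        "domains": sorted(names),
        "follow_on": follow_on(rows, names),
        "sandbox_ptr_noise": sorted(r["domain"] for r in rows if r["domain"] in ptrs),
    }


if __name__ == "__main__":
    for label, text in (("win7", RUN1), ("win10", RUN2)):
        print(label, indicators(parse_rows(text)))
```

Run against the win7 rows the resolver vote picks 91.211.247.248, because that run contains no other DNS at all; this is why the check has to start from the configured resolver (DHCP or image setting) rather than from what the capture shows most often.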

Files

memory/1464-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1464-2-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3OJLP.tmp\d85357190e6be1331036f8cf9225d5c2.tmp

MD5 92f7775908bb12183914bb0753782913
SHA1 8d1091da36832942d48f2fe9a1a216fdd556b9c4
SHA256 a43c4e3916a92d299c22e2010383b2a8f85e14882a610de57bb2fef91f7984ed
SHA512 7e39cafdc00a46f2353f6eeaa8fee0d7c94f489d1fd4581e125408bae63a2e6cd135f65807c3574c833f970b64106badb7dd0a2a6ee9859b3b60b3d1b6e19c39

memory/548-7-0x0000000002340000-0x0000000002341000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UI34Q.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 7d196988eb734b40f3cdeb7fcfca2ac7
SHA1 936ec9251680709686e08afee2b21947fba3d078
SHA256 d1c4a6fdab2ee9d3e29cff002c76f83ece20f08806a11d44432313ae43d061f0
SHA512 c91705865a852d3e3a0a4dec16d075705b78c9e5547b9e169896400c6080d4c28b2c58183ac837ab1f858b06ecd5f68d5495a6534dd145ef3c0f15c381d1e91e

memory/2592-38-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-39-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2592-40-0x0000000000400000-0x0000000000619000-memory.dmp

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 5c19aa654c7eb6615248d85fd146613f
SHA1 83f5ecf7acf78497d720616107d80424060cbaa2
SHA256 103368c032198f3ed267ee8d3cb512fe540a20790514a3a9d2de38aedbf9f215
SHA512 b62700deac947af213090e4f33ce6c13438af7105624da11972c925f8e96b9dbd463babea3c035ad8ef5097d3f1b70f8c2d89b4df22b442a8afd7e653a363d59

memory/2592-43-0x0000000000400000-0x0000000000619000-memory.dmp

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 0fa3089df4d717485d2b8033e93e5a7f
SHA1 4437273ba6db118d1b3bdbe8e083403853503974
SHA256 cffbaf01dd866fc8afd7a8420578fe4d4bd3995d9b39b434d225ec39ab5e2589
SHA512 fe5c3f601d6195c171e3772ce59a97fc1a0c54a9729deb2926fccfb7fb53a4365c09c9e8e51fd3a608c6b4c937b5eacebb79183fad1d7075eb1224c8a2f3b85c

memory/3340-46-0x0000000000400000-0x0000000000619000-memory.dmp

memory/1464-47-0x0000000000400000-0x0000000000414000-memory.dmp

memory/548-48-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/3340-50-0x0000000000400000-0x0000000000619000-memory.dmp

memory/548-51-0x0000000002340000-0x0000000002341000-memory.dmp

memory/3340-54-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-55-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-57-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-60-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-63-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-66-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-67-0x0000000000760000-0x0000000000802000-memory.dmp

memory/3340-73-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-76-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-78-0x0000000000760000-0x0000000000802000-memory.dmp

memory/3340-81-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-83-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-86-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-89-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-93-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3340-96-0x0000000000400000-0x0000000000619000-memory.dmp