Malware Analysis Report

2025-08-11 05:09

Sample ID: 240323-nvq1esac8v
Target: 5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962
SHA256: 5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962
Tags: socks5systemz, botnet, discovery
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962

Threat Level: Known bad

The file 5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962 was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Detect Socks5Systemz Payload

Socks5Systemz

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-23 11:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-23 11:43
Reported: 2024-03-23 11:45
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 152.89.198.214 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3752 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe C:\Users\Admin\AppData\Local\Temp\is-M3D4N.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp
PID 3752 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe C:\Users\Admin\AppData\Local\Temp\is-M3D4N.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp
PID 3752 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe C:\Users\Admin\AppData\Local\Temp\is-M3D4N.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp
PID 4720 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\is-M3D4N.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 4720 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\is-M3D4N.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 4720 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\is-M3D4N.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 4720 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\is-M3D4N.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 4720 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\is-M3D4N.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 4720 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\is-M3D4N.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe

"C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe"

C:\Users\Admin\AppData\Local\Temp\is-M3D4N.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp

"C:\Users\Admin\AppData\Local\Temp\is-M3D4N.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp" /SL5="$70222,1779015,54272,C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe"

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 152.89.198.214:53 bxgexro.com udp
US 8.8.8.8:53 214.198.89.152.in-addr.arpa udp
MD 45.142.214.240:80 bxgexro.com tcp
US 8.8.8.8:53 240.214.142.45.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp

Files

memory/3752-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3752-2-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-M3D4N.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp

MD5 92f7775908bb12183914bb0753782913
SHA1 8d1091da36832942d48f2fe9a1a216fdd556b9c4
SHA256 a43c4e3916a92d299c22e2010383b2a8f85e14882a610de57bb2fef91f7984ed
SHA512 7e39cafdc00a46f2353f6eeaa8fee0d7c94f489d1fd4581e125408bae63a2e6cd135f65807c3574c833f970b64106badb7dd0a2a6ee9859b3b60b3d1b6e19c39

memory/4720-7-0x00000000006A0000-0x00000000006A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-G8PJA.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 f19172139302f009a31215e02c62c5ed
SHA1 7ab781637f4d8a2f6ec17e1840fbb657c7b1f8bc
SHA256 56120b5d4f3ecd47348b05856dab31f64fc0bca1f7984cdf11cd9084d1750996
SHA512 29bf6fbaab2279032582a08ff3d31ef66db6705cdb944dbd6a20446f9b726e4736c24111fa1a1bf07d5c0d4149b6f3bc9e53c80af043ad1f178b420930eb5293

memory/1480-38-0x0000000000400000-0x000000000060C000-memory.dmp

memory/1480-39-0x0000000000400000-0x000000000060C000-memory.dmp

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 ab0cf9cde10c7b73cd333ae111442a3d
SHA1 3d6a434c7a8774068e7cdb87a8aa78b4997acec4
SHA256 6dd979b547d94af8d7ea8686ffdd82c8fc4be4ae018130a1da23a5bfbd9a1f99
SHA512 968b3db53d1476fed0a0b41021d3a318f35cd1e93375c66a58ee0579d044000e34fc5d83c88bb0240f397b14a4f0e9d95b8afc073992150ccbfe064ec49b24b8

memory/1480-42-0x0000000000400000-0x000000000060C000-memory.dmp

memory/1480-43-0x0000000000400000-0x000000000060C000-memory.dmp

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 7ecda79ed84fc9ed0ba20a5f8419351a
SHA1 3f183f02d20aea6b8a7228001949671f4bf5747a
SHA256 8ff78a12640ff4760bda155473bd317fafc40be1649c2f19d5a6e264ec93ecd5
SHA512 3d545b17aaada39ff2ff1fd3c7edbae4d163cce270e8cd233ec02f4aeff300d04fa6df83f8edb47dd00dc8f5e6856eb06b0ad7ab9115523ce4deb7fa010a68a7

memory/2228-46-0x0000000000400000-0x000000000060C000-memory.dmp

memory/3752-47-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4720-48-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/2228-49-0x0000000000400000-0x000000000060C000-memory.dmp

memory/4720-50-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/2228-53-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-54-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-57-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-60-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-63-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-66-0x0000000000740000-0x00000000007E2000-memory.dmp

memory/2228-68-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-69-0x0000000000740000-0x00000000007E2000-memory.dmp

memory/2228-74-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-77-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-78-0x0000000000740000-0x00000000007E2000-memory.dmp

memory/2228-81-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-84-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-87-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-90-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-94-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2228-97-0x0000000000400000-0x000000000060C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-23 11:43
Reported: 2024-03-23 11:46
Platform: win11-20240221-en
Max time kernel: 149s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 152.89.198.214 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe C:\Users\Admin\AppData\Local\Temp\is-60DHB.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp
PID 2820 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe C:\Users\Admin\AppData\Local\Temp\is-60DHB.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp
PID 2820 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe C:\Users\Admin\AppData\Local\Temp\is-60DHB.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp
PID 2160 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\is-60DHB.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 2160 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\is-60DHB.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 2160 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\is-60DHB.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 2160 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\is-60DHB.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 2160 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\is-60DHB.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
PID 2160 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\is-60DHB.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe

"C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe"

C:\Users\Admin\AppData\Local\Temp\is-60DHB.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp

"C:\Users\Admin\AppData\Local\Temp\is-60DHB.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp" /SL5="$8020C,1779015,54272,C:\Users\Admin\AppData\Local\Temp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.exe"

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s

Network

Country Destination Domain Proto
RU 152.89.198.214:53 bgguiqd.com udp
MD 45.142.214.240:80 bgguiqd.com tcp
US 8.8.8.8:53 240.214.142.45.in-addr.arpa udp

Files

memory/2820-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2820-2-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-60DHB.tmp\5006fc889256b4fb56361dccac441b764c6984725319b13b7f0d0010dd39b962.tmp

MD5 92f7775908bb12183914bb0753782913
SHA1 8d1091da36832942d48f2fe9a1a216fdd556b9c4
SHA256 a43c4e3916a92d299c22e2010383b2a8f85e14882a610de57bb2fef91f7984ed
SHA512 7e39cafdc00a46f2353f6eeaa8fee0d7c94f489d1fd4581e125408bae63a2e6cd135f65807c3574c833f970b64106badb7dd0a2a6ee9859b3b60b3d1b6e19c39

memory/2160-7-0x0000000002340000-0x0000000002341000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-05PVU.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 6e092cca85268674585fc06e0cd511d5
SHA1 7aa52661c7b959d894903ec48a588f73e8d61f09
SHA256 7238b0887df176bb06149e5008e66ca41dc2c831614dcf61491b98fc01ef97d5
SHA512 75ee017d8c307953f0d2cfbfc8a11a7d6501a3d9255b7f0d31f89280f9c6309f7a9a989e3a8249c42d5a2cb9a5a7b6098e32c0f38f0cbab66697a948ac54c9ad

memory/5036-39-0x0000000000400000-0x000000000060C000-memory.dmp

memory/5036-38-0x0000000000400000-0x000000000060C000-memory.dmp

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 9eccd14eee8998896b0419deb6cc7c38
SHA1 0e946c96cca6b5eb612a942dd1e457c378a025f4
SHA256 5d7186bee56ef3f5e00defadc7fe36599516de7f9adcc25cdae72d9d26cf2f7c
SHA512 70c9dfe38140736c133a54e4ebc763434c94e9629a646cece35a879770c799bd5376f512bd8e487c32b395f8477349af30245458cdc82e6bd6b395f94bf268e3

memory/5036-42-0x0000000000400000-0x000000000060C000-memory.dmp

memory/5036-43-0x0000000000400000-0x000000000060C000-memory.dmp

C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe

MD5 f19172139302f009a31215e02c62c5ed
SHA1 7ab781637f4d8a2f6ec17e1840fbb657c7b1f8bc
SHA256 56120b5d4f3ecd47348b05856dab31f64fc0bca1f7984cdf11cd9084d1750996
SHA512 29bf6fbaab2279032582a08ff3d31ef66db6705cdb944dbd6a20446f9b726e4736c24111fa1a1bf07d5c0d4149b6f3bc9e53c80af043ad1f178b420930eb5293

memory/780-45-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-47-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2820-48-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2160-49-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/780-50-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2160-51-0x0000000002340000-0x0000000002341000-memory.dmp

memory/780-54-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-55-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-58-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-61-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-64-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-67-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-68-0x0000000000A20000-0x0000000000AC2000-memory.dmp

memory/780-74-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-77-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-78-0x0000000000A20000-0x0000000000AC2000-memory.dmp

memory/780-81-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-84-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-87-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-90-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-94-0x0000000000400000-0x000000000060C000-memory.dmp

memory/780-97-0x0000000000400000-0x000000000060C000-memory.dmp