Analysis
- max time kernel: 143s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 23/03/2024, 12:36
Static task: static1

Behavioral task: behavioral1
- Sample: 603489e0ce3e4c942d3cb6badafb76f7.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 603489e0ce3e4c942d3cb6badafb76f7.exe
- Resource: win10v2004-20240226-en
General
- Target: 603489e0ce3e4c942d3cb6badafb76f7.exe
- Size: 2.0MB
- MD5: 603489e0ce3e4c942d3cb6badafb76f7
- SHA1: c1eb47d815760f03c49d892f7ffcd048ee7b24ac
- SHA256: 1ba1766362edbe760510aba2daa552624058f0dbd7f4e426c8801bd876b915d6
- SHA512: dbeb9f836b0b39b48e7cdc1551477bac601907f7c3cd61736dd90b2ba68b5345078bc6223c01998aeccc8087bd2fd9c259e87d353d9391766707e3e4e3c81288
- SSDEEP: 49152:32pF1TdGP/ATkjneFyIzQFzMGCjTHTjowMRmPCb8OKxRe7D:mpXT2YUpIzAMowGhbrKxRc
Malware Config
- Extracted family: socks5systemz
- URL: http://eboeqdu.ua/search/?q=67e28dd86554fa2a495aa4197c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a071ea771795af8e05c642db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a668ff616c4ed9c
Signatures (behavioral1, the Windows 7 run; the resource paths below all refer to it)

Detect Socks5Systemz Payload (3 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/2428-74-0x0000000002630000-0x00000000026D2000-memory.dmp  family_socks5systemz
  behavioral1/memory/2428-77-0x0000000002630000-0x00000000026D2000-memory.dmp  family_socks5systemz
  behavioral1/memory/2428-86-0x0000000002630000-0x00000000026D2000-memory.dmp  family_socks5systemz
  All three hits are in the same 0xA2000-byte region of PID 2428 (colorpicker.exe launched with -s). The rule matched memory dumps only; none of the dropped files listed under Downloads triggered it, so the payload is what gets unpacked in memory, not what sits on disk.

Socks5Systemz
  Socks5Systemz is a botnet written in C++.

Executes dropped EXE (3 IoCs)
  pid   Process
  3004  603489e0ce3e4c942d3cb6badafb76f7.tmp
  2512  colorpicker.exe
  2428  colorpicker.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  2836  603489e0ce3e4c942d3cb6badafb76f7.exe
  3004  603489e0ce3e4c942d3cb6badafb76f7.tmp
  3004  603489e0ce3e4c942d3cb6badafb76f7.tmp
  3004  603489e0ce3e4c942d3cb6badafb76f7.tmp
  3004  603489e0ce3e4c942d3cb6badafb76f7.tmp

Unexpected DNS network traffic destination (1 IoC)
  Network traffic to a server other than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  45.155.250.90

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (15 IoCs; the sandbox emits one row per call, hence the repeats)
  description                           pid   Process                                   procid_target
  PID 2836 wrote to memory of 3004      2836  603489e0ce3e4c942d3cb6badafb76f7.exe      28
  PID 2836 wrote to memory of 3004      2836  603489e0ce3e4c942d3cb6badafb76f7.exe      28
  PID 2836 wrote to memory of 3004      2836  603489e0ce3e4c942d3cb6badafb76f7.exe      28
  PID 2836 wrote to memory of 3004      2836  603489e0ce3e4c942d3cb6badafb76f7.exe      28
  PID 2836 wrote to memory of 3004      2836  603489e0ce3e4c942d3cb6badafb76f7.exe      28
  PID 2836 wrote to memory of 3004      2836  603489e0ce3e4c942d3cb6badafb76f7.exe      28
  PID 2836 wrote to memory of 3004      2836  603489e0ce3e4c942d3cb6badafb76f7.exe      28
  PID 3004 wrote to memory of 2512      3004  603489e0ce3e4c942d3cb6badafb76f7.tmp      29
  PID 3004 wrote to memory of 2512      3004  603489e0ce3e4c942d3cb6badafb76f7.tmp      29
  PID 3004 wrote to memory of 2512      3004  603489e0ce3e4c942d3cb6badafb76f7.tmp      29
  PID 3004 wrote to memory of 2512      3004  603489e0ce3e4c942d3cb6badafb76f7.tmp      29
  PID 3004 wrote to memory of 2428      3004  603489e0ce3e4c942d3cb6badafb76f7.tmp      30
  PID 3004 wrote to memory of 2428      3004  603489e0ce3e4c942d3cb6badafb76f7.tmp      30
  PID 3004 wrote to memory of 2428      3004  603489e0ce3e4c942d3cb6badafb76f7.tmp      30
  PID 3004 wrote to memory of 2428      3004  603489e0ce3e4c942d3cb6badafb76f7.tmp      30
Processes (behavioral1)

C:\Users\Admin\AppData\Local\Temp\603489e0ce3e4c942d3cb6badafb76f7.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\603489e0ce3e4c942d3cb6badafb76f7.exe"
  PID: 2836
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  +-- C:\Users\Admin\AppData\Local\Temp\is-E587E.tmp\603489e0ce3e4c942d3cb6badafb76f7.tmp
      cmdline: "C:\Users\Admin\AppData\Local\Temp\is-E587E.tmp\603489e0ce3e4c942d3cb6badafb76f7.tmp" /SL5="$400F8,1773528,54272,C:\Users\Admin\AppData\Local\Temp\603489e0ce3e4c942d3cb6badafb76f7.exe"
      PID: 3004
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      +-- C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
          cmdline: "C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i
          PID: 2512
          - Executes dropped EXE
      +-- C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
          cmdline: "C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s
          PID: 2428
          - Executes dropped EXE
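The WriteProcessMemory rows, the YARA memory hits and the process list above are three views of one chain, and the question an analyst actually wants answered is "which process image was the Socks5Systemz payload found in, and how did it get started". The script below is an added example (not sandbox output and not part of the original report) that stitches the report's own rows together: it parses the WriteProcessMemory rows into parent/child edges, parses the memory-dump YARA hits into (pid, address range, family), and walks each hit back to the root process. The row text and command lines are copied from this page and embedded as constructed input; the `is_inno_stage2` check encodes the well-known Inno Setup convention of unpacking its real installer into an `is-XXXXX.tmp` directory and launching it with `/SL5=`, which is exactly what PID 3004 looks like here.

```python
"""Correlate sandbox IoC rows into a process lineage for each YARA payload hit.

Added example built from the rows on this report page; it is not output of
the sandbox and does not call any sandbox API.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the 15 WriteProcessMemory rows from the report. The
# sandbox emits one row per API call, which is why the same edge repeats.
WPM_ROWS = (
    ["PID 2836 wrote to memory of 3004 2836 603489e0ce3e4c942d3cb6badafb76f7.exe 28"] * 7
    + ["PID 3004 wrote to memory of 2512 3004 603489e0ce3e4c942d3cb6badafb76f7.tmp 29"] * 4
    + ["PID 3004 wrote to memory of 2428 3004 603489e0ce3e4c942d3cb6badafb76f7.tmp 30"] * 4
)

# Constructed input: the three memory-dump YARA hits from the report.
YARA_HITS = [
    "behavioral1/memory/2428-74-0x0000000002630000-0x00000000026D2000-memory.dmp family_socks5systemz",
    "behavioral1/memory/2428-77-0x0000000002630000-0x00000000026D2000-memory.dmp family_socks5systemz",
    "behavioral1/memory/2428-86-0x0000000002630000-0x00000000026D2000-memory.dmp family_socks5systemz",
]

# Command lines from the Processes section, keyed by PID.
CMDLINES = {
    2836: r'"C:\Users\Admin\AppData\Local\Temp\603489e0ce3e4c942d3cb6badafb76f7.exe"',
    3004: r'"C:\Users\Admin\AppData\Local\Temp\is-E587E.tmp\603489e0ce3e4c942d3cb6badafb76f7.tmp" /SL5="$400F8,1773528,54272,C:\Users\Admin\AppData\Local\Temp\603489e0ce3e4c942d3cb6badafb76f7.exe"',
    2512: r'"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i',
    2428: r'"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s',
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")
YARA_RE = re.compile(
    r"^behavioral\d+/memory/(\d+)-\d+-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp (\S+)$"
)


def parse_wpm(rows):
    """Return Counter{(parent_pid, child_pid): number_of_calls}."""
    edges = Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory row: {row!r}")
        edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def parse_yara(hits):
    """Return [(pid, region_start, region_end, family)] for memory-dump hits."""
    out = []
    for hit in hits:
        m = YARA_RE.match(hit)
        if not m:
            raise ValueError(f"unrecognised YARA hit: {hit!r}")
        out.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16), m.group(4)))
    return out


def parents(edges):
    """Collapse the per-call edges into a child_pid -> parent_pid map."""
    return {child: parent for (parent, child) in edges}


def lineage(pid, parent_of):
    """Walk up from pid and return the chain root-first: [root, ..., pid]."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def payload_lineage(edges, hits):
    """Map each YARA family to the distinct process chains it was found in."""
    parent_of = parents(edges)
    chains = defaultdict(set)
    for pid, _start, _end, family in hits:
        chains[family].add(tuple(lineage(pid, parent_of)))
    return {family: sorted(c) for family, c in chains.items()}


def is_inno_stage2(cmdline):
    """True for Inno Setup's unpacked second-stage installer: it lives in an
    is-XXXXX.tmp directory and is started with /SL5=, as PID 3004 is here."""
    return "\\is-" in cmdline and "/SL5=" in cmdline


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    for (parent, child), calls in sorted(edges.items()):
        print(f"{parent} -> {child}  ({calls} WriteProcessMemory calls)")
    for family, chains in payload_lineage(edges, parse_yara(YARA_HITS)).items():
        for chain in chains:
            print(f"{family} found in PID {chain[-1]}; launch chain:")
            for pid in chain:
                tag = "  [Inno Setup stage 2]" if is_inno_stage2(CMDLINES[pid]) else ""
                print(f"    {pid}: {CMDLINES[pid]}{tag}")
```

Running it prints the three collapsed edges with their call counts and one chain, 2836 (the downloaded installer) to 3004 (the Inno Setup stage 2) to 2428 (colorpicker.exe -s), which is where family_socks5systemz was matched. The sibling 2512 (colorpicker.exe -i) has no YARA hit in this report, so the "-s" instance is the one worth dumping and the one whose network traffic (the 45.155.250.90 DNS-port destination) you would pull from the pcap first.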
Network
MITRE ATT&CK Enterprise v15
Downloads (files dropped or written during the run; no filenames are given in the report)

Filesize: 1.1MB
- MD5: 775ff74617f7c75a4e47a6188ee51976
- SHA1: 75918b3b5e180108a5d2f2a76352b1174ae87dc5
- SHA256: 754492c2b43aea93f1705213e5719a30f7656bc0d65ddf72604703a7184b82fc
- SHA512: 898345d242591cfbdd2ca98bd1c99caf3633ed97fb21edcb5c424a1443e2783f8ea29990bc19a04f491550f5b8f5e778d01a715d7ab78359179733298a1fa269

Filesize: 128KB
- MD5: 5ce49878104e1a35529927d4e5da0dcf
- SHA1: 0051814458e92cb618fcb9e2ab501e02b56e0554
- SHA256: c456b0ebe27c6d94bbce0d37351efe7ca59c5d9ff004c307aa42ca83f1971a82
- SHA512: 882cf7cfccc2903fb4cecf6969614900204eb64ab94d77dcbb52ec3520df8a9175768eb75b78c3b77018c91e4078799866d51bf6c1d96f361f06d7a498b8e25b

Filesize: 2.0MB
- MD5: ecd25bbe932879f7b1104322f0338e11
- SHA1: 03e574a7f06a85bc0cbbabfb86e1cfb621031056
- SHA256: 31a2a7a5b20873a11d02be605f1d4be60e099ff33d82fcc6b4e2092769d3d811
- SHA512: e1a5c06abf4507cccdbb83f4b02853b6f9f82f64f04e51b382929b13a2dec475951748498b9a5843a658f0b712ba3d8110fd072b5960168e20a2a1e6eb217232

Filesize: 677KB
- MD5: 92f7775908bb12183914bb0753782913
- SHA1: 8d1091da36832942d48f2fe9a1a216fdd556b9c4
- SHA256: a43c4e3916a92d299c22e2010383b2a8f85e14882a610de57bb2fef91f7984ed
- SHA512: 7e39cafdc00a46f2353f6eeaa8fee0d7c94f489d1fd4581e125408bae63a2e6cd135f65807c3574c833f970b64106badb7dd0a2a6ee9859b3b60b3d1b6e19c39

Filesize: 2KB
- MD5: a69559718ab506675e907fe49deb71e9
- SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
- SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
- SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Filesize: 22KB
- MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
- SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
- SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
- SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3