Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/03/2024, 12:36
Static task: static1
Behavioral task: behavioral1
- Sample: 603489e0ce3e4c942d3cb6badafb76f7.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 603489e0ce3e4c942d3cb6badafb76f7.exe
- Resource: win10v2004-20240226-en
General
- Target: 603489e0ce3e4c942d3cb6badafb76f7.exe
- Size: 2.0MB
- MD5: 603489e0ce3e4c942d3cb6badafb76f7
- SHA1: c1eb47d815760f03c49d892f7ffcd048ee7b24ac
- SHA256: 1ba1766362edbe760510aba2daa552624058f0dbd7f4e426c8801bd876b915d6
- SHA512: dbeb9f836b0b39b48e7cdc1551477bac601907f7c3cd61736dd90b2ba68b5345078bc6223c01998aeccc8087bd2fd9c259e87d353d9391766707e3e4e3c81288
- SSDEEP: 49152:32pF1TdGP/ATkjneFyIzQFzMGCjTHTjowMRmPCb8OKxRe7D:mpXT2YUpIzAMowGhbrKxRc
Malware Config
Extracted
- Family: socks5systemz
- URL: http://bfqwijl.com/search/?q=67e28dd83a5da32a155afd1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a271ea771795af8e05c642db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffe10c9e8919e39
Signatures

Detect Socks5Systemz Payload (3 IoCs)
resource / yara_rule:
- behavioral2/memory/4228-69-0x00000000009D0000-0x0000000000A72000-memory.dmp / family_socks5systemz
- behavioral2/memory/4228-70-0x00000000009D0000-0x0000000000A72000-memory.dmp / family_socks5systemz
- behavioral2/memory/4228-81-0x00000000009D0000-0x0000000000A72000-memory.dmp / family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.

Executes dropped EXE (3 IoCs)
pid / Process:
- 2400 / 603489e0ce3e4c942d3cb6badafb76f7.tmp
- 4924 / colorpicker.exe
- 4228 / colorpicker.exe

Loads dropped DLL (1 IoC)
pid / Process:
- 2400 / 603489e0ce3e4c942d3cb6badafb76f7.tmp

Unexpected DNS network traffic destination (1 IoC)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
description / ioc:
- Destination IP / 45.155.250.90

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / Process / procid_target:
- PID 3132 wrote to memory of 2400 / 3132 / 603489e0ce3e4c942d3cb6badafb76f7.exe / 96
- PID 3132 wrote to memory of 2400 / 3132 / 603489e0ce3e4c942d3cb6badafb76f7.exe / 96
- PID 3132 wrote to memory of 2400 / 3132 / 603489e0ce3e4c942d3cb6badafb76f7.exe / 96
- PID 2400 wrote to memory of 4924 / 2400 / 603489e0ce3e4c942d3cb6badafb76f7.tmp / 101
- PID 2400 wrote to memory of 4924 / 2400 / 603489e0ce3e4c942d3cb6badafb76f7.tmp / 101
- PID 2400 wrote to memory of 4924 / 2400 / 603489e0ce3e4c942d3cb6badafb76f7.tmp / 101
- PID 2400 wrote to memory of 4228 / 2400 / 603489e0ce3e4c942d3cb6badafb76f7.tmp / 102
- PID 2400 wrote to memory of 4228 / 2400 / 603489e0ce3e4c942d3cb6badafb76f7.tmp / 102
- PID 2400 wrote to memory of 4228 / 2400 / 603489e0ce3e4c942d3cb6badafb76f7.tmp / 102
Processes

1. C:\Users\Admin\AppData\Local\Temp\603489e0ce3e4c942d3cb6badafb76f7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\603489e0ce3e4c942d3cb6badafb76f7.exe"
   - Suspicious use of WriteProcessMemory
   PID: 3132

   2. C:\Users\Admin\AppData\Local\Temp\is-C38O7.tmp\603489e0ce3e4c942d3cb6badafb76f7.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-C38O7.tmp\603489e0ce3e4c942d3cb6badafb76f7.tmp" /SL5="$801DC,1773528,54272,C:\Users\Admin\AppData\Local\Temp\603489e0ce3e4c942d3cb6badafb76f7.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2400

      3. C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
         Command line: "C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i
         - Executes dropped EXE
         PID: 4924

      3. C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
         Command line: "C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s
         - Executes dropped EXE
         PID: 4228

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
   PID: 3568
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.6MB
  MD5: 78afe351bb4784051f113dddfe94724e
  SHA1: fa1e56eddc251e912a3be6c78c1114224cad300a
  SHA256: d04b162788c0e48fb9ff5dca9490b954eb09a3ae9573b12a117fadaf7c107c08
  SHA512: 19dcca46ab2fa1f784117a4b332a7e0920eb88c4912726c05959c63d434898602b60f2fcf4296e6b786080e78f45ee0690aa55a2249334875be97674b85c7c50

- Filesize: 2.0MB
  MD5: ecd25bbe932879f7b1104322f0338e11
  SHA1: 03e574a7f06a85bc0cbbabfb86e1cfb621031056
  SHA256: 31a2a7a5b20873a11d02be605f1d4be60e099ff33d82fcc6b4e2092769d3d811
  SHA512: e1a5c06abf4507cccdbb83f4b02853b6f9f82f64f04e51b382929b13a2dec475951748498b9a5843a658f0b712ba3d8110fd072b5960168e20a2a1e6eb217232

- Filesize: 677KB
  MD5: 92f7775908bb12183914bb0753782913
  SHA1: 8d1091da36832942d48f2fe9a1a216fdd556b9c4
  SHA256: a43c4e3916a92d299c22e2010383b2a8f85e14882a610de57bb2fef91f7984ed
  SHA512: 7e39cafdc00a46f2353f6eeaa8fee0d7c94f489d1fd4581e125408bae63a2e6cd135f65807c3574c833f970b64106badb7dd0a2a6ee9859b3b60b3d1b6e19c39

- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63