Analysis
max time kernel: 148s
max time network: 137s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23/03/2024, 14:41

Static task: static1

Behavioral task: behavioral1
Sample: 7447d5db9ccf93f6a8ecf22ae9fec082.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 7447d5db9ccf93f6a8ecf22ae9fec082.exe
Resource: win10v2004-20240226-en
General
Target: 7447d5db9ccf93f6a8ecf22ae9fec082.exe
Size: 2.2MB
MD5: 7447d5db9ccf93f6a8ecf22ae9fec082
SHA1: 0c3a044c669e1cce8e6d9ec103a9d3e587fa1acb
SHA256: 92d1895c792c289e89a3ef19f00a1061e6928fed385b71358f0c407066939269
SHA512: a8761937c73267aeeefb6093903c74c8e8119e65632e1130cb77617f4cf53c8a4a8f177cd464fe849b455bf430f28599d6433f2350fb5b348afa10f5070d0461
SSDEEP: 49152:32DbrhTeTjpdvbXKGJ1X2nIIT6yXaHs4NgJH:mDbrMjpdjJTX2n+VM4NgJH
Malware Config
Extracted
Family: socks5systemz
URL: http://airzuwu.ru/search/?q=67e28dd83d5fa62d1358fa4d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a668cff15c9ec9c
Signatures

Detect Socks5Systemz Payload (3 IoCs)
resource / yara_rule:
- behavioral1/memory/2428-73-0x0000000002670000-0x0000000002712000-memory.dmp / family_socks5systemz
- behavioral1/memory/2428-74-0x0000000002670000-0x0000000002712000-memory.dmp / family_socks5systemz
- behavioral1/memory/2428-86-0x0000000002670000-0x0000000002712000-memory.dmp / family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.

Executes dropped EXE (3 IoCs)
pid / Process:
- 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp
- 2700 / colorpicker.exe
- 2428 / colorpicker.exe

Loads dropped DLL (5 IoCs)
pid / Process:
- 2456 / 7447d5db9ccf93f6a8ecf22ae9fec082.exe
- 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp
- 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp
- 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp
- 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp

Unexpected DNS network traffic destination (1 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
description / ioc:
- Destination IP / 91.211.247.248

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (15 IoCs)
description / pid / Process / procid_target:
- PID 2456 wrote to memory of 2560 / 2456 / 7447d5db9ccf93f6a8ecf22ae9fec082.exe / 28
- PID 2456 wrote to memory of 2560 / 2456 / 7447d5db9ccf93f6a8ecf22ae9fec082.exe / 28
- PID 2456 wrote to memory of 2560 / 2456 / 7447d5db9ccf93f6a8ecf22ae9fec082.exe / 28
- PID 2456 wrote to memory of 2560 / 2456 / 7447d5db9ccf93f6a8ecf22ae9fec082.exe / 28
- PID 2456 wrote to memory of 2560 / 2456 / 7447d5db9ccf93f6a8ecf22ae9fec082.exe / 28
- PID 2456 wrote to memory of 2560 / 2456 / 7447d5db9ccf93f6a8ecf22ae9fec082.exe / 28
- PID 2456 wrote to memory of 2560 / 2456 / 7447d5db9ccf93f6a8ecf22ae9fec082.exe / 28
- PID 2560 wrote to memory of 2700 / 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp / 29
- PID 2560 wrote to memory of 2700 / 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp / 29
- PID 2560 wrote to memory of 2700 / 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp / 29
- PID 2560 wrote to memory of 2700 / 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp / 29
- PID 2560 wrote to memory of 2428 / 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp / 30
- PID 2560 wrote to memory of 2428 / 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp / 30
- PID 2560 wrote to memory of 2428 / 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp / 30
- PID 2560 wrote to memory of 2428 / 2560 / 7447d5db9ccf93f6a8ecf22ae9fec082.tmp / 30
Processes
- C:\Users\Admin\AppData\Local\Temp\7447d5db9ccf93f6a8ecf22ae9fec082.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7447d5db9ccf93f6a8ecf22ae9fec082.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID: 2456
  - C:\Users\Admin\AppData\Local\Temp\is-LL28S.tmp\7447d5db9ccf93f6a8ecf22ae9fec082.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-LL28S.tmp\7447d5db9ccf93f6a8ecf22ae9fec082.tmp" /SL5="$70120,1943765,54272,C:\Users\Admin\AppData\Local\Temp\7447d5db9ccf93f6a8ecf22ae9fec082.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    PID: 2560
    - C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
      Command line: "C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i
      Signatures: Executes dropped EXE
      PID: 2700
    - C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
      Command line: "C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s
      Signatures: Executes dropped EXE
      PID: 2428
Network
MITRE ATT&CK Enterprise v15
Downloads