Analysis
max time kernel: 147s
max time network: 138s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 23/03/2024, 16:56
Static task: static1
Behavioral task: behavioral1
  Sample: 63e8b616cf52885a6e08c0fa8035bba9.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 63e8b616cf52885a6e08c0fa8035bba9.exe
  Resource: win10v2004-20240226-en
General
Target: 63e8b616cf52885a6e08c0fa8035bba9.exe
Size: 2.2MB
MD5: 63e8b616cf52885a6e08c0fa8035bba9
SHA1: d1c0d63e590a28cfc44abaa90f05e6d6e8677672
SHA256: fb222ebb6c799f2bd4150c93a45cac3fe803d63cdb21c5eed605de253b22f088
SHA512: 3daaf2a5658956b8ee69f5a087b1d4bc289b07e633d662c7a739890bd13aa80ae6111d9541c71399f223795aff86036c45057d2b11025075fd981888934a2a48
SSDEEP: 49152:32TsLSQNQWFvBNHiS0uO7a1n4XRApYm0hSUKvbko4tH:mQtKWF7Hr87NXRAOm02EtH
Malware Config
Extracted family: socks5systemz
C2 URLs:
- http://aabwgru.ru/search/?q=67e28dd83d5fa62d1358fa4d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a668cfe12c0ec9d
- http://aabwgru.ru/search/?q=67e28dd83d5fa62d1358fa4d7c27d78406abdd88be4b12eab517aa5c96bd86e9918e4c875a8bbc896c58e713bc90c91836b5281fc235a925ed3e5cd6bd974a95129070b616e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c1ed94993bce67
Signatures

Detect Socks5Systemz Payload 4 IoCs
resource                                                                      yara_rule
behavioral1/memory/2460-77-0x00000000025D0000-0x0000000002672000-memory.dmp   family_socks5systemz
behavioral1/memory/2460-89-0x00000000025D0000-0x0000000002672000-memory.dmp   family_socks5systemz
behavioral1/memory/2460-102-0x00000000025D0000-0x0000000002672000-memory.dmp  family_socks5systemz
behavioral1/memory/2460-103-0x00000000025D0000-0x0000000002672000-memory.dmp  family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.

Executes dropped EXE 3 IoCs
pid   Process
2896  63e8b616cf52885a6e08c0fa8035bba9.tmp
2104  colorpicker.exe
2460  colorpicker.exe

Loads dropped DLL 5 IoCs
pid   Process
1808  63e8b616cf52885a6e08c0fa8035bba9.exe
2896  63e8b616cf52885a6e08c0fa8035bba9.tmp
2896  63e8b616cf52885a6e08c0fa8035bba9.tmp
2896  63e8b616cf52885a6e08c0fa8035bba9.tmp
2896  63e8b616cf52885a6e08c0fa8035bba9.tmp

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description     ioc
Destination IP  45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory 15 IoCs
description                       pid   Process                               procid_target
PID 1808 wrote to memory of 2896  1808  63e8b616cf52885a6e08c0fa8035bba9.exe  28
PID 1808 wrote to memory of 2896  1808  63e8b616cf52885a6e08c0fa8035bba9.exe  28
PID 1808 wrote to memory of 2896  1808  63e8b616cf52885a6e08c0fa8035bba9.exe  28
PID 1808 wrote to memory of 2896  1808  63e8b616cf52885a6e08c0fa8035bba9.exe  28
PID 1808 wrote to memory of 2896  1808  63e8b616cf52885a6e08c0fa8035bba9.exe  28
PID 1808 wrote to memory of 2896  1808  63e8b616cf52885a6e08c0fa8035bba9.exe  28
PID 1808 wrote to memory of 2896  1808  63e8b616cf52885a6e08c0fa8035bba9.exe  28
PID 2896 wrote to memory of 2104  2896  63e8b616cf52885a6e08c0fa8035bba9.tmp  29
PID 2896 wrote to memory of 2104  2896  63e8b616cf52885a6e08c0fa8035bba9.tmp  29
PID 2896 wrote to memory of 2104  2896  63e8b616cf52885a6e08c0fa8035bba9.tmp  29
PID 2896 wrote to memory of 2104  2896  63e8b616cf52885a6e08c0fa8035bba9.tmp  29
PID 2896 wrote to memory of 2460  2896  63e8b616cf52885a6e08c0fa8035bba9.tmp  30
PID 2896 wrote to memory of 2460  2896  63e8b616cf52885a6e08c0fa8035bba9.tmp  30
PID 2896 wrote to memory of 2460  2896  63e8b616cf52885a6e08c0fa8035bba9.tmp  30
PID 2896 wrote to memory of 2460  2896  63e8b616cf52885a6e08c0fa8035bba9.tmp  30
Processes
- "C:\Users\Admin\AppData\Local\Temp\63e8b616cf52885a6e08c0fa8035bba9.exe" (depth 1)
  PID: 1808
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\is-N92SP.tmp\63e8b616cf52885a6e08c0fa8035bba9.tmp" /SL5="$8001C,1993719,54272,C:\Users\Admin\AppData\Local\Temp\63e8b616cf52885a6e08c0fa8035bba9.exe" (depth 2)
    PID: 2896
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i (depth 3)
      PID: 2104
      Signatures: Executes dropped EXE
    - "C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s (depth 3)
      PID: 2460
      Signatures: Executes dropped EXE
Downloads