Analysis
Max time kernel: 145s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23/03/2024, 17:16
Static task: static1
Behavioral task: behavioral1
  Sample: 2f2b5ff3c33c62109f96e65c1d7601b0.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2f2b5ff3c33c62109f96e65c1d7601b0.exe
  Resource: win10v2004-20240226-en
General
Target: 2f2b5ff3c33c62109f96e65c1d7601b0.exe
Size: 2.0MB
MD5: 2f2b5ff3c33c62109f96e65c1d7601b0
SHA1: aa8cfcbacc165b941199a9d56045933af952f995
SHA256: 37e9181fda347881a9648496c62b1a970ce2055245db4d936cc8ddf1a20eef81
SHA512: ce770de242104f4f2fe702724f684ee59973cea11e257d997c18eb9f04487b0a6be9843c7b53070243cc2f1dee2a0e540cf1e379b6548cf40cab74a6fbc967ea
SSDEEP: 49152:32m/hFz6e3Bw45KMgwkYfyZYOgzynV0NWp6V/VtqkOVH:mobVwpooYQKcpGahH
Malware Config
Extracted
socks5systemz
http://dixabom.info/search/?q=67e28dd83a5da32a155afd1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a271ea771795af8e05c642db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffe13c1eb979f39
Signatures

Detect Socks5Systemz Payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/5004-67-0x0000000000940000-0x00000000009E2000-memory.dmp  family_socks5systemz
  behavioral2/memory/5004-69-0x0000000000940000-0x00000000009E2000-memory.dmp  family_socks5systemz
  behavioral2/memory/5004-80-0x0000000000940000-0x00000000009E2000-memory.dmp  family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.

Executes dropped EXE (3 IoCs)
  pid   Process
  2788  2f2b5ff3c33c62109f96e65c1d7601b0.tmp
  4508  colorpicker.exe
  5004  colorpicker.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2788  2f2b5ff3c33c62109f96e65c1d7601b0.tmp

Unexpected DNS network traffic destination (1 IoC)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  45.155.250.90

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                               procid_target
  PID 408 wrote to memory of 2788   408   2f2b5ff3c33c62109f96e65c1d7601b0.exe  99
  PID 408 wrote to memory of 2788   408   2f2b5ff3c33c62109f96e65c1d7601b0.exe  99
  PID 408 wrote to memory of 2788   408   2f2b5ff3c33c62109f96e65c1d7601b0.exe  99
  PID 2788 wrote to memory of 4508  2788  2f2b5ff3c33c62109f96e65c1d7601b0.tmp  103
  PID 2788 wrote to memory of 4508  2788  2f2b5ff3c33c62109f96e65c1d7601b0.tmp  103
  PID 2788 wrote to memory of 4508  2788  2f2b5ff3c33c62109f96e65c1d7601b0.tmp  103
  PID 2788 wrote to memory of 5004  2788  2f2b5ff3c33c62109f96e65c1d7601b0.tmp  104
  PID 2788 wrote to memory of 5004  2788  2f2b5ff3c33c62109f96e65c1d7601b0.tmp  104
  PID 2788 wrote to memory of 5004  2788  2f2b5ff3c33c62109f96e65c1d7601b0.tmp  104
Processes

C:\Users\Admin\AppData\Local\Temp\2f2b5ff3c33c62109f96e65c1d7601b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f2b5ff3c33c62109f96e65c1d7601b0.exe"
  PID: 408
  Signatures: Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-EMEM3.tmp\2f2b5ff3c33c62109f96e65c1d7601b0.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-EMEM3.tmp\2f2b5ff3c33c62109f96e65c1d7601b0.tmp" /SL5="$60222,1752368,54272,C:\Users\Admin\AppData\Local\Temp\2f2b5ff3c33c62109f96e65c1d7601b0.exe"
    PID: 2788
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
      Command line: "C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i
      PID: 4508
      Signatures: Executes dropped EXE

    C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe
      Command line: "C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s
      PID: 5004
      Signatures: Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
  PID: 1224
Network
MITRE ATT&CK Enterprise v15
Downloads