Analysis
-
max time kernel
147s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24/03/2024, 23:34
Static task
static1
Behavioral task
behavioral1
Sample
af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe
Resource
win10v2004-20240319-en
General
-
Target
af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe
-
Size
2.0MB
-
MD5
81a85f3125aefa6f06649cbf53136988
-
SHA1
ee72a132008d3d1394bb8c00c534014748edf94a
-
SHA256
af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636
-
SHA512
e35e322759210c09797a2f0079c2e35c498a278d3a9eaf4e5dcccd8c834828e0d0fb1b2cc3630b76b4b373f3b3e5be252fe0fba65254fd2b9e68f73cb8ae4bf4
-
SSDEEP
49152:32JBpBDCRjWetUW7NUN3/qLr2CQzB2qaQoe7D:mzpBD2aetUcUN3/ACzpKc
Malware Config
Extracted
socks5systemz
http://bfwedpv.com/search/?q=67e28dd83d5fa62d1358fa4d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c642db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a668dfd12c3ec94
Signatures
-
Detect Socks5Systemz Payload 2 IoCs
resource yara_rule behavioral1/memory/2520-76-0x0000000002160000-0x0000000002202000-memory.dmp family_socks5systemz behavioral1/memory/2520-88-0x0000000002160000-0x0000000002202000-memory.dmp family_socks5systemz -
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Detects executables packed with VMProtect. 20 IoCs
resource yara_rule behavioral1/memory/2156-45-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2156-46-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2156-49-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-53-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-56-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-61-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-62-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-65-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-66-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-69-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-72-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-75-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-82-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-85-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-89-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-92-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-95-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-98-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-102-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2520-105-0x0000000000400000-0x000000000060A000-memory.dmp INDICATOR_EXE_Packed_VMProtect -
Executes dropped EXE 3 IoCs
pid Process 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp 2156 colorpicker.exe 2520 colorpicker.exe -
Loads dropped DLL 5 IoCs
pid Process 2184 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 91.211.247.248 -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2184 wrote to memory of 1880 2184 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe 28 PID 2184 wrote to memory of 1880 2184 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe 28 PID 2184 wrote to memory of 1880 2184 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe 28 PID 2184 wrote to memory of 1880 2184 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe 28 PID 2184 wrote to memory of 1880 2184 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe 28 PID 2184 wrote to memory of 1880 2184 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe 28 PID 2184 wrote to memory of 1880 2184 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe 28 PID 1880 wrote to memory of 2156 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp 29 PID 1880 wrote to memory of 2156 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp 29 PID 1880 wrote to memory of 2156 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp 29 PID 1880 wrote to memory of 2156 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp 29 PID 1880 wrote to memory of 2520 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp 30 PID 1880 wrote to memory of 2520 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp 30 PID 1880 wrote to memory of 2520 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp 30 PID 1880 wrote to memory of 2520 1880 af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe"C:\Users\Admin\AppData\Local\Temp\af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\is-RD9V5.tmp\af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp"C:\Users\Admin\AppData\Local\Temp\is-RD9V5.tmp\af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp" /SL5="$3014E,1784413,54272,C:\Users\Admin\AppData\Local\Temp\af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -i3⤵
- Executes dropped EXE
PID:2156
-
-
C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe"C:\Users\Admin\AppData\Local\Color Picker\colorpicker.exe" -s3⤵
- Executes dropped EXE
PID:2520
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD57eadfb0e93445c8f77db5683c816ab25
SHA1c05037c540fb7abf7856ae268364558ba82651af
SHA2563e32f3f179994e8804a5d707f9704e7bf8b80cedf2490da04dbbcdd250c3c249
SHA5126e5fd2c7fbbe5568fab64ad5cc90a76efd842b9f49ad5283c4831a6b372a7affb44fa7db6b530f97c610db60a26c14a8cf89056c2129c8aa10a19fab9dc3b51b
-
Filesize
2.0MB
MD5e0be643656cf2b26337e1c880860a0ff
SHA14b142324fce15d65ac607d14b3cc736ad06ec4db
SHA25685f81ec4027dfa1ecadc0cd91ba941563a034abd95f198bae8ed4c1921546483
SHA512e7bf1495f8aae0fcbe4c84c79e852687fc7206d296f4bc1c69a64e94f3db1495ece04a8a39fb0d9db193c1accce42e340f7db427b73dcb06ec76ce57877b3ab1
-
Filesize
1.5MB
MD5aa7c13bebf94608c2ed25bda14f34aee
SHA1b578fd45a2519fef8e3096bfaf4fed37b4e3179f
SHA2567d5157e1b8ba031543ce87a0a02550042425587d66095500f6ec241a4994f631
SHA5125fcd2042d8fa8e9653334d79f10dd88cb456f587db453ede80e36a9686602bd5717c34c8e518a06e71114c3895549d92587508270e4ad92ee915468786e44d31
-
\Users\Admin\AppData\Local\Temp\is-RD9V5.tmp\af460f770a41c228adf3b601c6577d2f9a94b3b2bb0363257713400f9f9e9636.tmp
Filesize677KB
MD592f7775908bb12183914bb0753782913
SHA18d1091da36832942d48f2fe9a1a216fdd556b9c4
SHA256a43c4e3916a92d299c22e2010383b2a8f85e14882a610de57bb2fef91f7984ed
SHA5127e39cafdc00a46f2353f6eeaa8fee0d7c94f489d1fd4581e125408bae63a2e6cd135f65807c3574c833f970b64106badb7dd0a2a6ee9859b3b60b3d1b6e19c39
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3