Resubmissions

  • 24/03/2024, 17:36  240324-v6mkpseb47  10
  • 24/03/2024, 17:25  240324-vzb6dsea48  10
  • 24/03/2024, 15:03  240324-sfgknagb51  10
  • 24/03/2024, 14:25  240324-rrgjcsdb88  10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/03/2024, 15:03

General

  • Target
    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe
  • Size
    2.1MB
  • MD5
    530e5b703869db00c3b0814025c199c0
  • SHA1
    bacd94bd03b21e5f5ecae37acf070340f7f33222
  • SHA256
    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46
  • SHA512
    8d5711efea6b95cb74f2b298dd193241f29941311009240787a7930ecbc625686b8f56a9807b711b351fbc2e964c3c817c253ccc75f9db1a5bdff2b9e9e550b8
  • SSDEEP
    49152:32IonT/SO6ZebdP47Q2jsCKC3LAxIJ57SCD7T0S/48I:mIZDZkQ70b1xInxD/48I

Malware Config

Extracted

Family

socks5systemz

C2

http://ebdmudv.ua/search/?q=67e28dd83d5fa62d1358fa4d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c644db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a668cf613c7ed97

http://joihuyr.info/search/?q=67e28dd83d5fa62d1358fa4d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c644db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a668cf613c7ed97

Signatures

  • Detect Socks5Systemz Payload 2 IoCs
  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe
    "C:\Users\Admin\AppData\Local\Temp\e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\Temp\is-2DV6N.tmp\e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2DV6N.tmp\e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp" /SL5="$8011E,1887224,54272,C:\Users\Admin\AppData\Local\Temp\e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Users\Admin\AppData\Local\Site Free Edition\sitefreeedition.exe
        "C:\Users\Admin\AppData\Local\Site Free Edition\sitefreeedition.exe" -i
        3⤵
        • Executes dropped EXE
        PID:2444
      • C:\Users\Admin\AppData\Local\Site Free Edition\sitefreeedition.exe
        "C:\Users\Admin\AppData\Local\Site Free Edition\sitefreeedition.exe" -s
        3⤵
        • Executes dropped EXE
        PID:2520

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Site Free Edition\sitefreeedition.exe
          Filesize: 706KB
          MD5: 93eff6c6f686590e2f39a4c06c1600ab
          SHA1: 83e94b644ba60b4c2a269278600da63202a3f2a5
          SHA256: db594ac12bea8ba7ce70bf79834e040071cbecb8b9e7ee8d42e436630e2539cd
          SHA512: d45a4107dfc02d864fd4813ed5c68ef5f77e0f84152aee8caa6496df2981bf702801f00c002ef8692042a5fb2561608224dd9ea379ad099e0e01073e1eb1b758

        • C:\Users\Admin\AppData\Local\Site Free Edition\sitefreeedition.exe
          Filesize: 1.7MB
          MD5: 1133be928770f4c5d7c3911dc06d7c16
          SHA1: d0a57857f2eec3b87b1d669c14ff62c9ec900221
          SHA256: 01172d9c1b1a0b03fd316e76aa16b32851827470ad9c173ed2cc11f41b7892ad
          SHA512: 24d93ed7417d913b453c9092c395a2a8cfbd72af225057fd6789affa3ee835cdb395921566aa23dde44cd37599d6a3ba49657fde2a8a38b75fe3fb2b211f8192

        • C:\Users\Admin\AppData\Local\Site Free Edition\sitefreeedition.exe
          Filesize: 924KB
          MD5: da75dead20fccb33e4dfa4b8134178fa
          SHA1: 0d7e01606121725d8c48877313f01c5f0630a48c
          SHA256: edd6aecf37d0a5df9bebc63af42a934d96f8ca4d75e16e8f454c37aa22d4dfd4
          SHA512: 0f300d1541adeb6d3403011c0eb130a475de213a7cfd22a7f877c704ed3b0129134b275e0798a5629e5055e1458ab377f4a0f207348007e38ea061b72430218c

        • \Users\Admin\AppData\Local\Site Free Edition\sitefreeedition.exe
          Filesize: 1.5MB
          MD5: 1b0121eb8e80bfc306cf16eebc58ae87
          SHA1: ec528bdc0691f480ff36f405d5e9a3804bfa8e9c
          SHA256: 95273652b680dd75b168ae203436fa62d56a4a3b369e9b139dd08c293b4d30d1
          SHA512: 0a03d8c7de79a5062fafa4e0982e452cb83f9f1deae78d36a2467277c346f396ee3db82f4df2295702c1cf79ac19ee7f3a5f7288327a8a879b64c1b6116a9012

        • \Users\Admin\AppData\Local\Temp\is-2DV6N.tmp\e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp
          Filesize: 677KB
          MD5: 5a1e3d46cb5a24f8e50b2a59d2ba1cf3
          SHA1: fe86894c4757c144449bc744649b7fb9e03346f1
          SHA256: d3a2c2ce7d70b3b9c30faf3f72bf4ebcdea8f331d6b6cac5dae906327997985d
          SHA512: a27dc5c443abb31826b14e514aa717be5bf0f548b82170f79705f45ca28abaedc485c5b8738044735f61eca9e1f0ca659b519a3947551404085d07202ae709af

        • \Users\Admin\AppData\Local\Temp\is-TJFTI.tmp\_isetup\_iscrypt.dll
          Filesize: 2KB
          MD5: a69559718ab506675e907fe49deb71e9
          SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
          SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
          SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

        • \Users\Admin\AppData\Local\Temp\is-TJFTI.tmp\_isetup\_shfoldr.dll
          Filesize: 22KB
          MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
          SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
          SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
          SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

        • memory/2444-49-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2444-44-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2444-45-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2444-46-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-56-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-87-0x00000000022E0000-0x0000000002382000-memory.dmp (Filesize: 648KB)
        • memory/2520-103-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-51-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-53-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-100-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-97-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-94-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-91-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-88-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-61-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-64-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-65-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-68-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-71-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-74-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-75-0x00000000022E0000-0x0000000002382000-memory.dmp (Filesize: 648KB)
        • memory/2520-81-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/2520-84-0x0000000000400000-0x000000000062F000-memory.dmp (Filesize: 2.2MB)
        • memory/3008-1-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
        • memory/3008-54-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
        • memory/3036-43-0x00000000034E0000-0x000000000370F000-memory.dmp (Filesize: 2.2MB)
        • memory/3036-58-0x00000000034E0000-0x000000000370F000-memory.dmp (Filesize: 2.2MB)
        • memory/3036-57-0x00000000001E0000-0x00000000001E1000-memory.dmp (Filesize: 4KB)
        • memory/3036-55-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)
        • memory/3036-12-0x00000000001E0000-0x00000000001E1000-memory.dmp (Filesize: 4KB)