Resubmissions

Submitted            Task ID              Score
24/03/2024, 17:36    240324-v6mkpseb47    10
24/03/2024, 17:25    240324-vzb6dsea48    10
24/03/2024, 15:03    240324-sfgknagb51    10
24/03/2024, 14:25    240324-rrgjcsdb88    10

Analysis
max time kernel: 160s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/03/2024, 17:36
Static task: static1

Behavioral task: behavioral1
    Sample: e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe
    Resource: win7-20240221-en

Behavioral task: behavioral2
    Sample: e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe
    Resource: win10v2004-20240226-en
General

Target: e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe
Size: 2.1MB
MD5: 530e5b703869db00c3b0814025c199c0
SHA1: bacd94bd03b21e5f5ecae37acf070340f7f33222
SHA256: e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46
SHA512: 8d5711efea6b95cb74f2b298dd193241f29941311009240787a7930ecbc625686b8f56a9807b711b351fbc2e964c3c817c253ccc75f9db1a5bdff2b9e9e550b8
SSDEEP: 49152:32IonT/SO6ZebdP47Q2jsCKC3LAxIJ57SCD7T0S/48I:mIZDZkQ70b1xInxD/48I
Malware Config
Signatures

Detect Socks5Systemz Payload (3 IoCs)
    resource                                                                      yara_rule
    behavioral2/memory/3040-67-0x0000000000900000-0x00000000009A2000-memory.dmp    family_socks5systemz
    behavioral2/memory/3040-68-0x0000000000900000-0x00000000009A2000-memory.dmp    family_socks5systemz
    behavioral2/memory/3040-78-0x0000000000900000-0x00000000009A2000-memory.dmp    family_socks5systemz

Socks5Systemz
    Socks5Systemz is a botnet written in C++.

Executes dropped EXE (3 IoCs)
    pid     Process
    3768    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp
    4452    sitefreeedition.exe
    3040    sitefreeedition.exe

Loads dropped DLL (1 IoCs)
    pid     Process
    3768    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp
Unexpected DNS network traffic destination (55 IoCs)
    Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Checks installed software on the system (1 TTPs)
    Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (9 IoCs)
    description                          pid     Process                                                                    procid_target
    PID 4208 wrote to memory of 3768     4208    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe    86
    PID 4208 wrote to memory of 3768     4208    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe    86
    PID 4208 wrote to memory of 3768     4208    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe    86
    PID 3768 wrote to memory of 4452     3768    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp    89
    PID 3768 wrote to memory of 4452     3768    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp    89
    PID 3768 wrote to memory of 4452     3768    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp    89
    PID 3768 wrote to memory of 3040     3768    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp    91
    PID 3768 wrote to memory of 3040     3768    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp    91
    PID 3768 wrote to memory of 3040     3768    e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp    91
Processes

C:\Users\Admin\AppData\Local\Temp\e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe"
    PID: 4208
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-4ABG9.tmp\e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-4ABG9.tmp\e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.tmp" /SL5="$80090,1887224,54272,C:\Users\Admin\AppData\Local\Temp\e44d878e1be2235927f48fa0d547e95a8b64e92e31a920a5a3439b9c79657b46.exe"
        PID: 3768
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Site Free Edition\sitefreeedition.exe
            Command line: "C:\Users\Admin\AppData\Local\Site Free Edition\sitefreeedition.exe" -i
            PID: 4452
            - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Site Free Edition\sitefreeedition.exe
            Command line: "C:\Users\Admin\AppData\Local\Site Free Edition\sitefreeedition.exe" -s
            PID: 3040
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15