Analysis

  • max time kernel
    143s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/03/2024, 02:08

General

  • Target

    3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe

  • Size

    2.0MB

  • MD5

    6ae8b64b038154e44fc14f9db35cf23b

  • SHA1

    ae8ea54fec185b96a65bece3f0a3030ffdd1d7a6

  • SHA256

    3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89

  • SHA512

    1cda1a7d9b7e6ec0eb59bcd5313c7f82a31f8a89dc7f9128631ac41d1f0b6d8da9e355cf15e5bcb2d1f9f954e7a59a7cd1e12765b63746f537a8ef991a32fda8

  • SSDEEP

    49152:326F3YAI83Njb41dNKGD1a12gVy4Z8xJr/sWO6mbwLd8M:m6F3YAI6bgKc1a8eZ8PjsLrb+d8M

Malware Config

Extracted

Family

socks5systemz

C2

http://bwuukea.com/search/?q=67e28dd83f0bf1291606a9177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f171ea771795af8e05c642db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a668dfc13c5e797

Signatures

  • Detect Socks5Systemz Payload 3 IoCs
  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

  • Detects executables packed with VMProtect. 19 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 15 IoCs
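
The "Unexpected DNS network traffic destination" signature above fires on DNS-port traffic whose destination is not one of the resolvers the analysis VM is configured with. The Python below is an added example that reproduces that rule; it is not the sandbox's own detection code, and the resolver address and flow records in it are constructed for illustration rather than taken from this report's capture.

```python
"""Reproduce the "Unexpected DNS network traffic destination" check.

Added example, not code from the sandbox. The resolver address and the
flow records below are constructed for illustration; nothing here is
taken from this report's network capture.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed resolver configured on the analysis VM (illustrative value).
CONFIGURED_DNS = frozenset({"10.127.0.1"})
DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'proto src -> dst:dport' record."""
    proto, rest = line.split(None, 1)
    src, dst_port = (part.strip() for part in rest.split("->", 1))
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(proto.lower(), src, dst, int(dport))


def unexpected_dns(flows, configured=CONFIGURED_DNS):
    """Return flows on the DNS port whose destination is not a configured resolver.

    Transport is deliberately ignored: a client talking to a resolver it was
    never configured with is the signal whether it uses UDP or TCP.
    """
    return [f for f in flows if f.dport == DNS_PORT and f.dst not in configured]


def summarize(hits):
    """Count offending flows per destination so a triage note can name them."""
    return Counter(f.dst for f in hits)


# Constructed sample flows (not from the report).
SAMPLE_FLOWS = """\
udp 10.127.0.2 -> 10.127.0.1:53
udp 10.127.0.2 -> 8.8.8.8:53
tcp 10.127.0.2 -> 203.0.113.10:443
udp 10.127.0.2 -> 1.1.1.1:53
tcp 10.127.0.2 -> 8.8.8.8:53
"""


def run(text=SAMPLE_FLOWS, configured=CONFIGURED_DNS):
    """Parse the records and return {destination: count} for rule hits."""
    flows = [parse_flow(line) for line in text.splitlines() if line.strip()]
    return summarize(unexpected_dns(flows, configured))


if __name__ == "__main__":
    for dst, n in run().items():
        print(f"unexpected DNS destination {dst}: {n} flow(s)")
```

The rule is only as good as the resolver list it is given: on a host that legitimately uses a public resolver, that address belongs in `CONFIGURED_DNS`, otherwise every lookup is a false positive.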

Processes

  • C:\Users\Admin\AppData\Local\Temp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe
    "C:\Users\Admin\AppData\Local\Temp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\is-CIOPQ.tmp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CIOPQ.tmp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp" /SL5="$400F4,1753998,54272,C:\Users\Admin\AppData\Local\Temp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
        "C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe" -i
        3⤵
        • Executes dropped EXE
        PID:2576
      • C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
        "C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe" -s
        3⤵
        • Executes dropped EXE
        PID:2808
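
The tree above is the standard two-stage shape of an Inno Setup installer: the original executable in Temp extracts its setup module to is-CIOPQ.tmp\<name>.tmp and launches it with /SL5=, and that unpacker writes colorpicker32.exe to AppData\Local\Color Picker and runs it twice, once with -i and once with -s. The Python below is an added example, not the sandbox's signature logic, that recognizes this chain in process-creation records; the PIDs, image paths and arguments are copied from the tree, while the dict record layout and the unrelated notepad.exe process are assumptions for illustration.

```python
"""Recognize the Inno Setup unpack-and-drop chain seen in the process tree.

Added example, not the sandbox's own signature logic. The records mirror
the report's tree (same PIDs, images and arguments); the record layout and
the extra notepad.exe entry are constructed for illustration.
"""
import ntpath
import re
from collections import defaultdict

# Inno Setup conventions: the setup module is extracted to is-XXXXX.tmp\<name>.tmp
# and launched with /SL5="$handle,offset,size,<path of the original installer>".
INNO_TMP = re.compile(r"\\is-[A-Za-z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
LOCAL_APPDATA = re.compile(r"\\AppData\\Local\\(?!Temp\\)", re.IGNORECASE)

SAMPLE = "3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EXE = ntpath.join(TEMP, SAMPLE + ".exe")
UNPACKER = ntpath.join(TEMP, "is-CIOPQ.tmp", SAMPLE + ".tmp")
DROP = r"C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe"

# Constructed process-creation records mirroring the report's tree.
EVENTS = [
    {"pid": 2404, "ppid": 1000, "image": EXE, "cmdline": f'"{EXE}"'},
    {"pid": 2212, "ppid": 2404, "image": UNPACKER,
     "cmdline": f'"{UNPACKER}" /SL5="$400F4,1753998,54272,{EXE}"'},
    {"pid": 2576, "ppid": 2212, "image": DROP, "cmdline": f'"{DROP}" -i'},
    {"pid": 2808, "ppid": 2212, "image": DROP, "cmdline": f'"{DROP}" -s'},
    # Unrelated process, included only so the matcher has something to ignore.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def find_inno_drop_chains(events):
    """Return one record per Temp-resident installer whose Inno Setup unpacker
    spawned executables from outside Temp (the dropped payload)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    chains = []
    for unpacker in events:
        if not INNO_TMP.search(unpacker["image"]) or "/SL5=" not in unpacker["cmdline"]:
            continue
        installer = by_pid.get(unpacker["ppid"])
        if installer is None or not TEMP_DIR.search(installer["image"]):
            continue
        dropped = [c for c in children[unpacker["pid"]] if LOCAL_APPDATA.search(c["image"])]
        if not dropped:
            continue
        chains.append({
            "installer": installer["pid"],
            "unpacker": unpacker["pid"],
            "dropped": sorted(c["pid"] for c in dropped),
            "images": sorted({c["image"] for c in dropped}),
            # Last token of each command line: the switch the payload was run with.
            "args": sorted(c["cmdline"].split()[-1] for c in dropped),
        })
    return chains


if __name__ == "__main__":
    for chain in find_inno_drop_chains(EVENTS):
        print(chain)
```

Legitimate Inno Setup installers produce the same Temp-to-unpacker shape, so this matcher is a triage aid rather than a verdict; what makes the chain interesting here is that the dropped binary is the one the sandbox extracts the Socks5Systemz configuration from and that it is immediately re-executed with two different switches.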

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

          Filesize

          900KB

          MD5

          487824c36f717412616b98c1453cb7e4

          SHA1

          5dae602baf5197866d18d66f654c998faf04f511

          SHA256

          6383d62701d17bec5c68f76e8af2819a546cbc898d9e5b59d604cc8af2fdf465

          SHA512

          519785da041163cffe0bd1b6aeb0745bac77b5ba8ac19c287646c6e682537d6b303c4b326d6b7cb4c1573ea1e16f6430db80790ab5315194f5ec45bbd070bf78

        • C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

          Filesize

          89KB

          MD5

          2f61a31728c9b0bd92d06d99160cb80b

          SHA1

          1d555b2af7cdf3501bce41169aed4e26be50e644

          SHA256

          01ea20935b8f1fa6637b97c817e3ba6ae66a1e4c08dc2d369493d35a9e866bf6

          SHA512

          e9764dbebc95bcb7fe21db1544f1523fe542a29d5f51d49971c4dbcf41d7d7462786245be6bb058e4eea7aaad610f956185d682ff333e4bca0af355b074a2d0b

        • C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

          Filesize

          112KB

          MD5

          b16cd3dfb83d24adc04282004d254cdb

          SHA1

          cde61d1cb643cfe6037725d836affa0f5e1030db

          SHA256

          de258d97542b6b7349bc264496cf1358dba4d8c8c66aa885086ace240ffa5402

          SHA512

          e470cf9119c5341f57a6ccfebc7211e3f4f4dd3fc8ad8e1c932aa6107f18c87e89f953fa5891c33229822ee3a28b31dec84d3a0fde52b66d956e0c07697a9d1f

        • C:\Users\Admin\AppData\Local\Temp\is-CIOPQ.tmp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp

          Filesize

          677KB

          MD5

          bb16a1aed23a42be299fa83942dc45cc

          SHA1

          eef3b71f03f3ea6148a08bf4ba6d3bc2239a56ba

          SHA256

          2fbf5d1a94ff7aa773d0abe9e2216f0347f47083bf66632e516b9e59ede819df

          SHA512

          bd1c5cf999c8824946906a6242309b41e6bcc926733107e87787ecb70c4e4d78ae395fcc9033606a72f08fee98103957063b3a47cd74e9e395d77c75287fd0b4

        • \Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

          Filesize

          1.0MB

          MD5

          e8fa9ef47bb5faa2e36ff8192e75d170

          SHA1

          1cb6f1e5785659c259f87db33c2ac428da7fc96a

          SHA256

          427a2001c058bf7675be775090c3d963343cffa43011ccf7c27b228bd3ca9967

          SHA512

          7326bc33a5fa3be7ff269606a6066dcd469cf82fab3522e01542dc868d095eddcb76bdfe27a8dff7acf053a6f0d38cef0b1e8a9ffff386fc6c4ed6289375b5b0

        • \Users\Admin\AppData\Local\Temp\is-AR0PD.tmp\_isetup\_iscrypt.dll

          Filesize

          2KB

          MD5

          a69559718ab506675e907fe49deb71e9

          SHA1

          bc8f404ffdb1960b50c12ff9413c893b56f2e36f

          SHA256

          2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

          SHA512

          e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

        • \Users\Admin\AppData\Local\Temp\is-AR0PD.tmp\_isetup\_shfoldr.dll

          Filesize

          22KB

          MD5

          92dc6ef532fbb4a5c3201469a5b5eb63

          SHA1

          3e89ff837147c16b4e41c30d6c796374e0b8e62c

          SHA256

          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

          SHA512

          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

        • \Users\Admin\AppData\Local\Temp\is-CIOPQ.tmp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp

          Filesize

          294KB

          MD5

          e69148d3a7893a21e560cdabd80460ab

          SHA1

          72815fbcbabe1f42bdb81ebe18eacbffaeb0bb8a

          SHA256

          251d3b62c1f426db72e898914493ad3408ba4036a4d87489edf303a08d6a36e1

          SHA512

          6e8a4c48e4ff3d0a843acbf7cb18a1514e56965bc636b21fb9267fdba2179cfdb5c659795fa51671d9bfb2ddd5251406c3e4f391a1fb5ecf79fd3bd075260501

        • memory/2212-9-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

        • memory/2212-58-0x00000000036F0000-0x0000000003900000-memory.dmp

          Filesize

          2.1MB

        • memory/2212-57-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

        • memory/2212-43-0x00000000036F0000-0x0000000003900000-memory.dmp

          Filesize

          2.1MB

        • memory/2212-55-0x0000000000400000-0x00000000004B8000-memory.dmp

          Filesize

          736KB

        • memory/2404-1-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/2404-54-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/2576-44-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2576-49-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2576-48-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2576-45-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-71-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-76-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-51-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-61-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-62-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-65-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-68-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-53-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-74-0x00000000026B0000-0x0000000002752000-memory.dmp

          Filesize

          648KB

        • memory/2808-56-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-77-0x00000000026B0000-0x0000000002752000-memory.dmp

          Filesize

          648KB

        • memory/2808-82-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-85-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-86-0x00000000026B0000-0x0000000002752000-memory.dmp

          Filesize

          648KB

        • memory/2808-89-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-92-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-95-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-98-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-102-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB

        • memory/2808-105-0x0000000000400000-0x0000000000610000-memory.dmp

          Filesize

          2.1MB
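
Each memory entry above is named memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp, and the Filesize beneath it is the difference between the two addresses; many entries for PID 2808 repeat the same 0x400000-0x610000 range with a different index. The Python below is an added example, not sandbox tooling, that parses those names, reproduces the size labels and collapses repeated dumps of one range into a single region per process. The names in the block are copied from the list above (a subset); the label rounding is an assumption chosen to match the labels shown.

```python
"""Parse sandbox memory-dump names and reproduce their Filesize labels.

Added example, not the sandbox's own tooling. The dump names below are
copied from the report's memory list; the KB/MB label formatting is an
assumption chosen to match the labels shown there.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<index>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DEFAULT_IMAGE_BASE = 0x400000  # usual preferred base of a 32-bit PE image


def parse_dump_name(name):
    """Split a dump name into pid, index and the [start, end) address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "index": int(m["index"]),
            "start": start, "end": end, "size": end - start}


def size_label(nbytes):
    """Format like the report: whole KB below 1 MiB, one decimal MB above."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def regions_by_pid(names):
    """Map pid -> sorted distinct (start, end) ranges; repeated dumps of the
    same range collapse to one entry."""
    seen = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        seen[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(ranges) for pid, ranges in seen.items()}


def image_region(ranges):
    """Return the range starting at the default image base, if present."""
    return next((r for r in ranges if r[0] == DEFAULT_IMAGE_BASE), None)


# Copied from the report's memory list (a representative subset).
DUMPS = [
    "memory/2212-9-0x0000000000260000-0x0000000000261000-memory.dmp",
    "memory/2212-58-0x00000000036F0000-0x0000000003900000-memory.dmp",
    "memory/2212-55-0x0000000000400000-0x00000000004B8000-memory.dmp",
    "memory/2404-1-0x0000000000400000-0x0000000000414000-memory.dmp",
    "memory/2576-44-0x0000000000400000-0x0000000000610000-memory.dmp",
    "memory/2808-71-0x0000000000400000-0x0000000000610000-memory.dmp",
    "memory/2808-85-0x0000000000400000-0x0000000000610000-memory.dmp",
    "memory/2808-74-0x00000000026B0000-0x0000000002752000-memory.dmp",
]

if __name__ == "__main__":
    for pid, ranges in sorted(regions_by_pid(DUMPS).items()):
        for start, end in ranges:
            tag = "image" if (start, end) == image_region(ranges) else "other"
            print(f"pid {pid}: 0x{start:08X}-0x{end:08X} {size_label(end - start):>6} {tag}")
```

The region starting at 0x400000 in each process is the mapped executable; its size is the image's virtual size, which need not match the on-disk file size listed under Downloads. The remaining ranges (0x260000 and 0x36F0000 in PID 2212, 0x26B0000 in PID 2808) are other allocations the sandbox chose to dump, and their repeated indices show the same region being captured several times over the run.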