Analysis
max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20240215-en
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted
25/03/2024, 02:08
Static task
static1
Behavioral task
behavioral1
Sample
3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe
Resource
win10v2004-20231215-en
General
-
Target
3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe
-
Size
2.0MB
-
MD5
6ae8b64b038154e44fc14f9db35cf23b
-
SHA1
ae8ea54fec185b96a65bece3f0a3030ffdd1d7a6
-
SHA256
3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89
-
SHA512
1cda1a7d9b7e6ec0eb59bcd5313c7f82a31f8a89dc7f9128631ac41d1f0b6d8da9e355cf15e5bcb2d1f9f954e7a59a7cd1e12765b63746f537a8ef991a32fda8
-
SSDEEP
49152:326F3YAI83Njb41dNKGD1a12gVy4Z8xJr/sWO6mbwLd8M:m6F3YAI6bgKc1a8eZ8PjsLrb+d8M
Malware Config
Extracted
socks5systemz
http://bwuukea.com/search/?q=67e28dd83f0bf1291606a9177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f171ea771795af8e05c642db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a668dfc13c5e797
Signatures
-
Detect Socks5Systemz Payload 3 IoCs
resource yara_rule
behavioral1/memory/2808-74-0x00000000026B0000-0x0000000002752000-memory.dmp family_socks5systemz
behavioral1/memory/2808-77-0x00000000026B0000-0x0000000002752000-memory.dmp family_socks5systemz
behavioral1/memory/2808-86-0x00000000026B0000-0x0000000002752000-memory.dmp family_socks5systemz
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Detects executables packed with VMProtect. 19 IoCs
resource yara_rule
behavioral1/memory/2576-45-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2576-49-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2576-48-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-53-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-56-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-61-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-62-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-65-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-68-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-71-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-76-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-82-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-85-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-89-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-92-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-95-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-98-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-102-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2808-105-0x0000000000400000-0x0000000000610000-memory.dmp INDICATOR_EXE_Packed_VMProtect
-
Executes dropped EXE 3 IoCs
pid Process
2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp
2576 colorpicker32.exe
2808 colorpicker32.exe
-
Loads dropped DLL 5 IoCs
pid Process
2404 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe
2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp
2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp
2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp
2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc
Destination IP 45.155.250.90
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 2404 wrote to memory of 2212 2404 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe 28
PID 2404 wrote to memory of 2212 2404 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe 28
PID 2404 wrote to memory of 2212 2404 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe 28
PID 2404 wrote to memory of 2212 2404 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe 28
PID 2404 wrote to memory of 2212 2404 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe 28
PID 2404 wrote to memory of 2212 2404 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe 28
PID 2404 wrote to memory of 2212 2404 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe 28
PID 2212 wrote to memory of 2576 2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp 29
PID 2212 wrote to memory of 2576 2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp 29
PID 2212 wrote to memory of 2576 2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp 29
PID 2212 wrote to memory of 2576 2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp 29
PID 2212 wrote to memory of 2808 2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp 30
PID 2212 wrote to memory of 2808 2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp 30
PID 2212 wrote to memory of 2808 2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp 30
PID 2212 wrote to memory of 2808 2212 3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp 30
Processes
C:\Users\Admin\AppData\Local\Temp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe
"C:\Users\Admin\AppData\Local\Temp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404
  C:\Users\Admin\AppData\Local\Temp\is-CIOPQ.tmp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CIOPQ.tmp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp" /SL5="$400F4,1753998,54272,C:\Users\Admin\AppData\Local\Temp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2212
    C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
    "C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe" -i
    - Executes dropped EXE
    PID:2576
    C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
    "C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe" -s
    - Executes dropped EXE
    PID:2808
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
900KB
MD5
487824c36f717412616b98c1453cb7e4
SHA1
5dae602baf5197866d18d66f654c998faf04f511
SHA256
6383d62701d17bec5c68f76e8af2819a546cbc898d9e5b59d604cc8af2fdf465
SHA512
519785da041163cffe0bd1b6aeb0745bac77b5ba8ac19c287646c6e682537d6b303c4b326d6b7cb4c1573ea1e16f6430db80790ab5315194f5ec45bbd070bf78
-
Filesize
89KB
MD5
2f61a31728c9b0bd92d06d99160cb80b
SHA1
1d555b2af7cdf3501bce41169aed4e26be50e644
SHA256
01ea20935b8f1fa6637b97c817e3ba6ae66a1e4c08dc2d369493d35a9e866bf6
SHA512
e9764dbebc95bcb7fe21db1544f1523fe542a29d5f51d49971c4dbcf41d7d7462786245be6bb058e4eea7aaad610f956185d682ff333e4bca0af355b074a2d0b
-
Filesize
112KB
MD5
b16cd3dfb83d24adc04282004d254cdb
SHA1
cde61d1cb643cfe6037725d836affa0f5e1030db
SHA256
de258d97542b6b7349bc264496cf1358dba4d8c8c66aa885086ace240ffa5402
SHA512
e470cf9119c5341f57a6ccfebc7211e3f4f4dd3fc8ad8e1c932aa6107f18c87e89f953fa5891c33229822ee3a28b31dec84d3a0fde52b66d956e0c07697a9d1f
-
C:\Users\Admin\AppData\Local\Temp\is-CIOPQ.tmp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp
Filesize
677KB
MD5
bb16a1aed23a42be299fa83942dc45cc
SHA1
eef3b71f03f3ea6148a08bf4ba6d3bc2239a56ba
SHA256
2fbf5d1a94ff7aa773d0abe9e2216f0347f47083bf66632e516b9e59ede819df
SHA512
bd1c5cf999c8824946906a6242309b41e6bcc926733107e87787ecb70c4e4d78ae395fcc9033606a72f08fee98103957063b3a47cd74e9e395d77c75287fd0b4
-
Filesize
1.0MB
MD5
e8fa9ef47bb5faa2e36ff8192e75d170
SHA1
1cb6f1e5785659c259f87db33c2ac428da7fc96a
SHA256
427a2001c058bf7675be775090c3d963343cffa43011ccf7c27b228bd3ca9967
SHA512
7326bc33a5fa3be7ff269606a6066dcd469cf82fab3522e01542dc868d095eddcb76bdfe27a8dff7acf053a6f0d38cef0b1e8a9ffff386fc6c4ed6289375b5b0
-
Filesize
2KB
MD5
a69559718ab506675e907fe49deb71e9
SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
22KB
MD5
92dc6ef532fbb4a5c3201469a5b5eb63
SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-CIOPQ.tmp\3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89.tmp
Filesize
294KB
MD5
e69148d3a7893a21e560cdabd80460ab
SHA1
72815fbcbabe1f42bdb81ebe18eacbffaeb0bb8a
SHA256
251d3b62c1f426db72e898914493ad3408ba4036a4d87489edf303a08d6a36e1
SHA512
6e8a4c48e4ff3d0a843acbf7cb18a1514e56965bc636b21fb9267fdba2179cfdb5c659795fa51671d9bfb2ddd5251406c3e4f391a1fb5ecf79fd3bd075260501