socks5systemz | d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624

General

Target

d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.exe
Size

2.3MB
MD5

c865ce092c48c1a1d5fc2b3a27cd467c
SHA1

f026cf9e55b2b1e7b15ee751d389f9c6c7667aba
SHA256

d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624
SHA512

5b1da626bf4fadf06b61da48ecb8c9ff7497ceefb93137e728fea5782b247befeacc907bd3bf9b2f2e281cde3be9ab764fba44a8ef9a72f0ce7a7aaeb341623f
SSDEEP

49152:32EjJpNq39nyoyRTtBoR7wEhoryHJs9ZvheRS+UvJoUtAn:mE/NqNnOTtBoxwm9JiZvwRS+kJIn

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://aaddlif.ru/search/?q=67e28dd86f58a021415baa1e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978a471ea771795af8e05c645db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ffe15c7e79d9339

Signatures

Detect Socks5Systemz Payload 2 IoCs

resource	yara_rule
behavioral2/memory/1048-73-0x0000000000980000-0x0000000000A22000-memory.dmp	family_socks5systemz
behavioral2/memory/1048-83-0x0000000000980000-0x0000000000A22000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2472	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp
840	javascriptscollection.exe
1048	javascriptscollection.exe

Loads dropped DLL 3 IoCs

pid	Process
2472	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp
2472	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp
2472	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 2472	704	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.exe	78
PID 704 wrote to memory of 2472	704	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.exe	78
PID 704 wrote to memory of 2472	704	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.exe	78
PID 2472 wrote to memory of 840	2472	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp	81
PID 2472 wrote to memory of 840	2472	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp	81
PID 2472 wrote to memory of 840	2472	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp	81
PID 2472 wrote to memory of 1048	2472	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp	82
PID 2472 wrote to memory of 1048	2472	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp	82
PID 2472 wrote to memory of 1048	2472	d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp	82

C:\Users\Admin\AppData\Local\Temp\d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.exe
"C:\Users\Admin\AppData\Local\Temp\d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:704
- C:\Users\Admin\AppData\Local\Temp\is-KF2QR.tmp\d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KF2QR.tmp\d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp" /SL5="$60106,2033801,54272,C:\Users\Admin\AppData\Local\Temp\d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Java Scripts Collection\javascriptscollection.exe
    "C:\Users\Admin\AppData\Local\Java Scripts Collection\javascriptscollection.exe" -i
    3⤵
    - Executes dropped EXE
    PID:840
- - C:\Users\Admin\AppData\Local\Java Scripts Collection\javascriptscollection.exe
    "C:\Users\Admin\AppData\Local\Java Scripts Collection\javascriptscollection.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Java Scripts Collection\javascriptscollection.exe

Filesize
1.2MB

MD5
8f9979eea32b7e87fbbbea7b2636163a

SHA1
136610dd9c6c858858a2ceb34a46024c12fe44aa

SHA256
98457be56da9a8f925b42ff48b0e45fe5ea60dd8f071db6e7db5206d3795a6d3

SHA512
45fb562fb995fb52ade30b0bbab721bc0f5ee7b28c8f655d7ca1888d50597a46cf2b550b383dc251580c8981d32de77217db415036f2e0b7624c1a76023250b3

Download Submit
C:\Users\Admin\AppData\Local\Java Scripts Collection\javascriptscollection.exe

Filesize
384KB

MD5
aabe8c387683fdbeb97da2a27c9ae7b5

SHA1
e78bb970da0bed88999850b88a1e9f16f87baf3d

SHA256
468878edf99c7dd35d87eab4c6b0213007cedce0bc50b62f563dd24609231504

SHA512
2bb0ac781772016d532ca15717e6c606064442da3ffd483338dbe539e74a996d603193685564a4eeb39d25c7ca911a2d37fb9d93b49d5ff229d8bb3af65ec25d

Download Submit
C:\Users\Admin\AppData\Local\Java Scripts Collection\javascriptscollection.exe

Filesize
2.6MB

MD5
18eeb30d24c95df0a563e5bf00757bf8

SHA1
415af3a03fcf810efcf7fbeabccc3442b7d772b3

SHA256
8e0ce3cc5cb99f23b1ea418b6836e73e9e263352caad7e28a044e040f2368ba0

SHA512
3cc20bf6c5f9ee88088cefcf397d67d4b45a8217f5a91aacba90a17abaf66df34392b94204b97ba57f3a3da09224542d89de4f91f11c8e5affd1ef68a308e501

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HI4QA.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HI4QA.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KF2QR.tmp\d2efb92247e29fec9efc4f53b458d2c4f0f611a91f832f0714c10c193acb8624.tmp

Filesize
677KB

MD5
799c75b0fc234cd80baa23da81935411

SHA1
7671acf2cb93a4f4d61cb64bc8976d4ca493c631

SHA256
b7f402c258f23147d01b561427d452dda6d7e6168db7e2d9fe865ef62d667112

SHA512
46860f4497e7c157234a24028d339c6155f700639545422b998f98e6814432d044e8374bb603c58e0fc31276c4ec769f6e768c87df32a75c3a0b62dddc5c4878

Download Submit
memory/704-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/704-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/840-44-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/840-45-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/840-48-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/840-49-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-79-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-73-0x0000000000980000-0x0000000000A22000-memory.dmp

Filesize
648KB

Download
memory/1048-102-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-55-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-99-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-59-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-60-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-63-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-66-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-69-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-72-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-52-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-95-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-82-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-83-0x0000000000980000-0x0000000000A22000-memory.dmp

Filesize
648KB

Download
memory/1048-86-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-89-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1048-92-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/2472-7-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/2472-57-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/2472-54-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing