socks5systemz | ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a

General

Target

ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.exe
Size

2.0MB
MD5

84afe61b642dd4b0c7f0a2676ee7f4fb
SHA1

557485e9ece9074daad56191860e9f9a017ea19a
SHA256

ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a
SHA512

48ed822f765aa6e3ab43dea09b71e599824c484ec96614d28dd5748463c24029420fa3dbc0247d40274add25f5ddcebc4646c1f7661485eb726c2e54c000c346
SSDEEP

49152:32ITvG0tewnTLd5/O3yqNVW6lZOxH2QeZ3sud/YO7VO:mQvG0XTJBO3vNA6PbQSsqRO

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://ckrxmcy.net/search/?q=67e28dd83f08f2204807f9497c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4be8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ffe16c0ef929339

http://ckrxmcy.net/search/?q=67e28dd83f08f2204807f9497c27d78406abdd88be4b12eab517aa5c96bd86eb96864a835a8bbc896c58e713bc90c91e36b5281fc235a925ed3e5cd6bd974a95129070b616e96cc92be510b866db51b9e34eed4c2b14a82966836f23d7f210c7ee949d3bcd689f14

Signatures

Detect Socks5Systemz Payload 4 IoCs

resource	yara_rule
behavioral2/memory/1384-72-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz
behavioral2/memory/1384-82-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz
behavioral2/memory/1384-95-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz
behavioral2/memory/1384-96-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2192	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp
1772	metatoggermusiccollection.exe
1384	metatoggermusiccollection.exe

Loads dropped DLL 3 IoCs

pid	Process
2192	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp
2192	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp
2192	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 2192	5052	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.exe	77
PID 5052 wrote to memory of 2192	5052	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.exe	77
PID 5052 wrote to memory of 2192	5052	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.exe	77
PID 2192 wrote to memory of 1772	2192	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp	78
PID 2192 wrote to memory of 1772	2192	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp	78
PID 2192 wrote to memory of 1772	2192	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp	78
PID 2192 wrote to memory of 1384	2192	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp	79
PID 2192 wrote to memory of 1384	2192	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp	79
PID 2192 wrote to memory of 1384	2192	ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp	79

C:\Users\Admin\AppData\Local\Temp\ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.exe
"C:\Users\Admin\AppData\Local\Temp\ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\is-20TFR.tmp\ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-20TFR.tmp\ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp" /SL5="$40216,1771820,54272,C:\Users\Admin\AppData\Local\Temp\ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
    "C:\Users\Admin\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1772
- - C:\Users\Admin\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
    "C:\Users\Admin\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Filesize
1.9MB

MD5
99453cad55390b4c5fcf3dd052b7c8fe

SHA1
77b6a656504c59f3c347f6d69252e847a244784d

SHA256
435b6d2665d1c001826e367f95618039ba6a17ab88434c0f9b084997246b11c1

SHA512
b7a19ec9e918bf083f0071b7e7a1458963f29ea19e103f318537dbd590ddbf270dda7da58eb2b4f6ee792114cb2e2488d92678c8fe3c31c5b9fdf0a7b558da5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-20TFR.tmp\ed74023070e87ae804dfbdef6e235c3a419799a32f3677945ac8156588f0044a.tmp

Filesize
677KB

MD5
8e02bc0df97f95a1df3fd1eee341c73f

SHA1
725a46c1380c1d56bcfdf2e1e69efbaba192a1cb

SHA256
52823d5894e5bd513eae0efac44079187a078a37d023017d37670d1381b4566d

SHA512
522cb11ffdc238f2febbca868d52887b2c3b957ee51448488b3949f7ad7707103891fd5c80b0105fffdebfb7b666fadd58afa6e0060d789dc5b1e6c652a73449

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SAI6G.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SAI6G.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
memory/1384-85-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-82-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/1384-103-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-100-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-96-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/1384-51-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-95-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/1384-94-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-54-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-91-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-58-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-59-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-62-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-65-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-68-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-72-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/1384-71-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-78-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-81-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1384-88-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1772-47-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1772-44-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1772-43-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2192-6-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2192-55-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2192-53-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5052-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5052-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing