socks5systemz | 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a

General

Target

6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe
Size

2.0MB
MD5

b105b09f5d81ab91aaadd47c1d75fe0c
SHA1

888f5685be3ad1707aa25920b3f4ef6c61644745
SHA256

6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a
SHA512

7cd60db3cd1f6d84ecbac065217c6f78b9b5f1e5abf8203f21881d7d0d9a2f7cb2fde9bddfe2bd113f0377358b0351f2e381201840eaa82d2ce7b5938afaf7df
SSDEEP

49152:32Un/9hBnoiCCx0C3+mHJ9p3MPeE6BNIe0lVT0FTFJroZ:mUn/9h9f+e1m6BNIJ3YpLroZ

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://bmmormz.com/search/?q=67e28dd83f08f2204807f9497c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4be8889b5e4fa9281ae978ff71ea771795af8e05c644db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ffe16c1ed95993b

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/5044-68-0x0000000000970000-0x0000000000A12000-memory.dmp	family_socks5systemz
behavioral2/memory/5044-67-0x0000000000970000-0x0000000000A12000-memory.dmp	family_socks5systemz
behavioral2/memory/5044-78-0x0000000000970000-0x0000000000A12000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
3240	6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp
3628	codecpackupdate.exe
5044	codecpackupdate.exe

Loads dropped DLL 1 IoCs

pid	Process
3240	6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 3240	960	6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe	79
PID 960 wrote to memory of 3240	960	6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe	79
PID 960 wrote to memory of 3240	960	6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe	79
PID 3240 wrote to memory of 3628	3240	6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp	81
PID 3240 wrote to memory of 3628	3240	6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp	81
PID 3240 wrote to memory of 3628	3240	6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp	81
PID 3240 wrote to memory of 5044	3240	6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp	82
PID 3240 wrote to memory of 5044	3240	6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp	82
PID 3240 wrote to memory of 5044	3240	6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp	82

C:\Users\Admin\AppData\Local\Temp\6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe
"C:\Users\Admin\AppData\Local\Temp\6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\is-75IL1.tmp\6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-75IL1.tmp\6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp" /SL5="$7015A,1745466,54272,C:\Users\Admin\AppData\Local\Temp\6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe
    "C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3628
- - C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe
    "C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe" -s
    3⤵
    - Executes dropped EXE
    PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe

Filesize
1.9MB

MD5
8c17e2feb7f8ec8fd3885df9b4b06724

SHA1
4f76f14ee886c0d1ca12e05ef67d193b97d546c0

SHA256
81ea32ecdf793d954fd2cce61c8c2317259e146015eb96e08e7a116ebdf4aea5

SHA512
ee294d792c1ee124967492e7af862b9a1be55923d7a2be343f52be4fa0542ef68ac6d56fede721328fe696b0542ac72ed384e643a0cc354bd4dd5465557a11fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-75IL1.tmp\6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp

Filesize
677KB

MD5
d8e53e1b8ea1b12bc3f40bb9f8b14f38

SHA1
0a0d2b30da9f9a7f92721ad517087aaa3fdb7278

SHA256
715726acbfe23ec2e9651b187888c25bea815cc49933a6cef1e2110d07e736eb

SHA512
7dbe3aff2ffd5eb5a424dbecce6340cb304c7940cc9c758f441e00c485d301a7b74435689e26db32caddd66db3ddc91cc76b008e1a4c5ce10fe2ac1a4437d947

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ETNF2.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/960-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/960-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3240-50-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/3240-7-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/3240-48-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3628-38-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/3628-39-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/3628-43-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-54-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-67-0x0000000000970000-0x0000000000A12000-memory.dmp

Filesize
648KB

Download
memory/5044-53-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-46-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-57-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-60-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-63-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-66-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-68-0x0000000000970000-0x0000000000A12000-memory.dmp

Filesize
648KB

Download
memory/5044-49-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-74-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-77-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-78-0x0000000000970000-0x0000000000A12000-memory.dmp

Filesize
648KB

Download
memory/5044-81-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-84-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-87-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-90-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-94-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-97-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing