Analysis

max time kernel: 146s
max time network: 133s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29/03/2024, 11:32
Static task: static1

Behavioral task: behavioral1
  Sample: 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral2
  Sample: 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe
  Resource: win11-20240221-en
General

Target: 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe
Size: 2.0MB
MD5: b105b09f5d81ab91aaadd47c1d75fe0c
SHA1: 888f5685be3ad1707aa25920b3f4ef6c61644745
SHA256: 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a
SHA512: 7cd60db3cd1f6d84ecbac065217c6f78b9b5f1e5abf8203f21881d7d0d9a2f7cb2fde9bddfe2bd113f0377358b0351f2e381201840eaa82d2ce7b5938afaf7df
SSDEEP: 49152:32Un/9hBnoiCCx0C3+mHJ9p3MPeE6BNIe0lVT0FTFJroZ:mUn/9h9f+e1m6BNIJ3YpLroZ
Malware Config

Extracted family: socks5systemz
C2 URL: http://bmmormz.com/search/?q=67e28dd83f08f2204807f9497c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4be8889b5e4fa9281ae978ff71ea771795af8e05c644db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ffe16c1ed95993b
Signatures

Detect Socks5Systemz Payload (3 IoCs)
resource                                                                     yara_rule
behavioral2/memory/5044-68-0x0000000000970000-0x0000000000A12000-memory.dmp  family_socks5systemz
behavioral2/memory/5044-67-0x0000000000970000-0x0000000000A12000-memory.dmp  family_socks5systemz
behavioral2/memory/5044-78-0x0000000000970000-0x0000000000A12000-memory.dmp  family_socks5systemz
Socks5Systemz
Socks5Systemz is a botnet written in C++.
Executes dropped EXE (3 IoCs)
pid   Process
3240  6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp
3628  codecpackupdate.exe
5044  codecpackupdate.exe
Loads dropped DLL (1 IoC)
pid   Process
3240  6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp
Unexpected DNS network traffic destination (1 IoC)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
description     ioc
Destination IP  141.98.234.31
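The signature above is a simple allow-list check: anything sent to port 53 that is not addressed to one of the VM's configured resolvers is flagged. The following is an added example (not tria.ge's detection code) that runs that logic over constructed flow records. The resolver list (8.8.8.8, 8.8.4.4) and the flow records are assumptions for the example; only the destination 141.98.234.31 is taken from this report.

```python
"""Flag port-53 traffic that does not go to a configured DNS resolver.

Added example, not tria.ge code. Flow records and the resolver list are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp" or "tcp"
    src_ip: str
    dst_ip: str
    dst_port: int


# Assumption: the sandbox VM is configured with these two resolvers.
CONFIGURED_DNS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample flows. 141.98.234.31 is the destination IP the
# report lists under "Unexpected DNS network traffic destination".
SAMPLE_FLOWS = [
    Flow("udp", "10.127.0.3", "8.8.8.8", 53),
    Flow("udp", "10.127.0.3", "141.98.234.31", 53),
    Flow("tcp", "10.127.0.3", "141.98.234.31", 80),
    Flow("udp", "10.127.0.3", "8.8.8.8", 53),
    Flow("tcp", "10.127.0.3", "141.98.234.31", 53),
]


def unexpected_dns_destinations(flows, configured=CONFIGURED_DNS):
    """Return {dst_ip: flow_count} for every port-53 flow (UDP or TCP)
    whose destination is not a configured resolver."""
    counts = {}
    for f in flows:
        if f.dst_port != 53 or f.proto not in ("udp", "tcp"):
            continue
        dst = str(ip_address(f.dst_ip))  # validates and normalises the address
        if dst in configured:
            continue
        counts[dst] = counts.get(dst, 0) + 1
    return counts


if __name__ == "__main__":
    for dst, n in unexpected_dns_destinations(SAMPLE_FLOWS).items():
        print(f"unexpected DNS destination {dst}: {n} flow(s)")
```

The check only looks at the destination and port, so a hit means either a query sent to a resolver the malware chose itself or non-DNS traffic using port 53 to slip past egress filtering; the packet capture has to be consulted to tell which. TCP/53 is included deliberately, since large responses and zone transfers legitimately use it and so do tunnels.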
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (9 IoCs)
description                          pid   Process                                                                  procid_target
PID 960 wrote to memory of 3240      960   6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe    79
PID 960 wrote to memory of 3240      960   6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe    79
PID 960 wrote to memory of 3240      960   6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe    79
PID 3240 wrote to memory of 3628     3240  6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp    81
PID 3240 wrote to memory of 3628     3240  6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp    81
PID 3240 wrote to memory of 3628     3240  6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp    81
PID 3240 wrote to memory of 5044     3240  6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp    82
PID 3240 wrote to memory of 5044     3240  6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp    82
PID 3240 wrote to memory of 5044     3240  6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp    82
Processes (depth 1 = root, each level indented under its parent)

[1] C:\Users\Admin\AppData\Local\Temp\6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe"
    PID: 960
    Signatures: Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\is-75IL1.tmp\6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-75IL1.tmp\6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp" /SL5="$7015A,1745466,54272,C:\Users\Admin\AppData\Local\Temp\6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe"
      PID: 3240
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe
        Command line: "C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe" -i
        PID: 3628
        Signatures: Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe
        Command line: "C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe" -s
        PID: 5044
        Signatures: Executes dropped EXE
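The process tree above is the same lineage that the "Suspicious use of WriteProcessMemory" rows encode: each writer PID is the parent of the PID it wrote to. When only the signature table is available (for example when scraping many reports), the tree can be rebuilt from those rows. The following is an added example, not tria.ge code; the row text is this report's nine rows written one per line, and the column layout (description, pid, Process, procid_target) is taken from the table header.

```python
"""Rebuild a parent -> child process tree from tria.ge
'Suspicious use of WriteProcessMemory' rows.

Added example, not tria.ge code. REPORT_ROWS are the rows from this
report, one per line; duplicate rows (one per write) are expected.
"""
import re
from collections import defaultdict

# Row layout: description ("PID A wrote to memory of B"), pid (A again),
# Process (image name of A), procid_target (tria.ge's internal id of B).
ROW_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<procid_target>\d+)"
)

REPORT_ROWS = """\
PID 960 wrote to memory of 3240 960 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe 79
PID 960 wrote to memory of 3240 960 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe 79
PID 960 wrote to memory of 3240 960 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.exe 79
PID 3240 wrote to memory of 3628 3240 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp 81
PID 3240 wrote to memory of 3628 3240 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp 81
PID 3240 wrote to memory of 3628 3240 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp 81
PID 3240 wrote to memory of 5044 3240 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp 82
PID 3240 wrote to memory of 5044 3240 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp 82
PID 3240 wrote to memory of 5044 3240 6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp 82
"""


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image) for each row that
    matches the layout; the pid column must repeat the writer pid."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        if m["writer"] != m["pid"]:
            raise ValueError(f"pid column does not match writer: {line!r}")
        yield int(m["writer"]), int(m["target"]), m["image"]


def build_tree(text):
    """Return (children, image): children maps a writer pid to the sorted
    list of pids it wrote to; image maps each writer pid to its image name."""
    children = defaultdict(set)
    image = {}
    for writer, target, img in parse_rows(text):
        children[writer].add(target)
        image[writer] = img
    return {p: sorted(c) for p, c in children.items()}, image


def roots(children):
    """Pids that wrote to others but were never written to themselves."""
    targets = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in targets)


def render(children, image, pid, depth=0, out=None):
    """Indented text tree; pids that never wrote to anyone have no image
    name in these rows and are shown as <leaf>."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {image.get(pid, '<leaf>')}")
    for child in children.get(pid, []):
        render(children, image, child, depth + 1, out)
    return out


if __name__ == "__main__":
    kids, names = build_tree(REPORT_ROWS)
    for root in roots(kids):
        print("\n".join(render(kids, names, root)))
```

The leaf pids (3628 and 5044) get no image name from these rows because they never wrote to another process; the "Executes dropped EXE" table or the process tree supplies codecpackupdate.exe for them. Treating every writer as the parent is correct for this report, where the process tree shows the same edges, but in general WriteProcessMemory also fires for injection into an unrelated process, so the reconstructed edges should be cross-checked against the process tree before being read as lineage.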
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.9MB
MD5: 8c17e2feb7f8ec8fd3885df9b4b06724
SHA1: 4f76f14ee886c0d1ca12e05ef67d193b97d546c0
SHA256: 81ea32ecdf793d954fd2cce61c8c2317259e146015eb96e08e7a116ebdf4aea5
SHA512: ee294d792c1ee124967492e7af862b9a1be55923d7a2be343f52be4fa0542ef68ac6d56fede721328fe696b0542ac72ed384e643a0cc354bd4dd5465557a11fb

C:\Users\Admin\AppData\Local\Temp\is-75IL1.tmp\6a7474c2816a133d9bd91aac037fd5711943a15cccae04f86b62e03abc53426a.tmp
Filesize: 677KB
MD5: d8e53e1b8ea1b12bc3f40bb9f8b14f38
SHA1: 0a0d2b30da9f9a7f92721ad517087aaa3fdb7278
SHA256: 715726acbfe23ec2e9651b187888c25bea815cc49933a6cef1e2110d07e736eb
SHA512: 7dbe3aff2ffd5eb5a424dbecce6340cb304c7940cc9c758f441e00c485d301a7b74435689e26db32caddd66db3ddc91cc76b008e1a4c5ce10fe2ac1a4437d947

Filesize: 2KB
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63