socks5systemz | d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f

General

Target

d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe
Size

2.0MB
MD5

b54e0754e830e15f6d3e031017e0daf8
SHA1

2658468b0ed7828bf6b0d04ca12f69aecf9d11f0
SHA256

d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f
SHA512

d2513d957a72d069f7ce8a486cc7486dc9ac0799f497c5dfa9c4bc7ab59588ec3a74d922729b7461f39cc3203244db367ca675c8a06c8cf3125264c8c48aeef1
SSDEEP

49152:32C12cWML/YcHkvuzn66FL0VTyjGneSq2:mu1JEvuR5vjGJh

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://ccptisc.net/search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c644db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffe16c3e7939338

http://ccptisc.net/search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12eab517aa5c96bd86e9978f49875a8bbc896c58e713bc90c91836b5281fc235a925ed3e5cd6bd974a95129070b617e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee949d38c5699f15

Signatures

Detect Socks5Systemz Payload 4 IoCs

resource	yara_rule
behavioral1/memory/4744-65-0x00000000008A0000-0x0000000000942000-memory.dmp	family_socks5systemz
behavioral1/memory/4744-75-0x00000000008A0000-0x0000000000942000-memory.dmp	family_socks5systemz
behavioral1/memory/4744-88-0x00000000008A0000-0x0000000000942000-memory.dmp	family_socks5systemz
behavioral1/memory/4744-89-0x00000000008A0000-0x0000000000942000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp
3420	codecpackupdate.exe
4744	codecpackupdate.exe

Loads dropped DLL 1 IoCs

pid	Process
2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2020	4420	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe	85
PID 4420 wrote to memory of 2020	4420	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe	85
PID 4420 wrote to memory of 2020	4420	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe	85
PID 2020 wrote to memory of 3420	2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp	88
PID 2020 wrote to memory of 3420	2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp	88
PID 2020 wrote to memory of 3420	2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp	88
PID 2020 wrote to memory of 4744	2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp	90
PID 2020 wrote to memory of 4744	2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp	90
PID 2020 wrote to memory of 4744	2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp	90

C:\Users\Admin\AppData\Local\Temp\d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe
"C:\Users\Admin\AppData\Local\Temp\d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\is-MLBOF.tmp\d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MLBOF.tmp\d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp" /SL5="$E0060,1748602,54272,C:\Users\Admin\AppData\Local\Temp\d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe
    "C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3420
- - C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe
    "C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe

Filesize
1.9MB

MD5
5863554ff3580e08b291a78ab69eb0b6

SHA1
c0076bc258b9d32cff6f211e23dd01c026340256

SHA256
09bab30c7d40a5648f4c0665398dee405f8ed2406bcdde1ac0376dedafee8404

SHA512
dab17123817340dba446b5e934a6789bae327028f334e45886d96dbb85a903161e2b350cf1766d819a7bb26b3e144dfc1de54592674b51324400797a271263b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0OK32.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MLBOF.tmp\d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp

Filesize
677KB

MD5
83d7000d5d49537dcd2e9440ecad3636

SHA1
e161b66bc7fe08b31822e836ba6a7d68aa1cedf7

SHA256
af439e9d0ea6fd7d73ca83be3436720bd4d65c4b9a700856cd1f4dd232087c00

SHA512
ae744ae54ecedb604896f55e9620b3245f0e69dc56eb51524461f11781e98f48e41b45e91898fc6622e6e9e1a5a9ee7c2568f1face3b69111b21b381dd2bc332

Download Submit
memory/2020-48-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2020-6-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2020-46-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3420-37-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/3420-38-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/3420-41-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4420-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4420-45-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4744-52-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-71-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-51-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-44-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-55-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-58-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-61-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-64-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-65-0x00000000008A0000-0x0000000000942000-memory.dmp

Filesize
648KB

Download
memory/4744-47-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-74-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-75-0x00000000008A0000-0x0000000000942000-memory.dmp

Filesize
648KB

Download
memory/4744-78-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-81-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-84-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-87-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-88-0x00000000008A0000-0x0000000000942000-memory.dmp

Filesize
648KB

Download
memory/4744-89-0x00000000008A0000-0x0000000000942000-memory.dmp

Filesize
648KB

Download
memory/4744-93-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-96-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing