socks5systemz | d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 18:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe
Size

2.0MB
MD5

b54e0754e830e15f6d3e031017e0daf8
SHA1

2658468b0ed7828bf6b0d04ca12f69aecf9d11f0
SHA256

d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f
SHA512

d2513d957a72d069f7ce8a486cc7486dc9ac0799f497c5dfa9c4bc7ab59588ec3a74d922729b7461f39cc3203244db367ca675c8a06c8cf3125264c8c48aeef1
SSDEEP

49152:32C12cWML/YcHkvuzn66FL0VTyjGneSq2:mu1JEvuR5vjGJh

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

http://ccptisc.net/search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c644db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffe16c3e7939338

http://ccptisc.net/search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12eab517aa5c96bd86e9978f49875a8bbc896c58e713bc90c91836b5281fc235a925ed3e5cd6bd974a95129070b617e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee949d38c5699f15

Signatures

Detect Socks5Systemz Payload 4 IoCs

resource	yara_rule
behavioral1/memory/4744-65-0x00000000008A0000-0x0000000000942000-memory.dmp	family_socks5systemz
behavioral1/memory/4744-75-0x00000000008A0000-0x0000000000942000-memory.dmp	family_socks5systemz
behavioral1/memory/4744-88-0x00000000008A0000-0x0000000000942000-memory.dmp	family_socks5systemz
behavioral1/memory/4744-89-0x00000000008A0000-0x0000000000942000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp
3420	codecpackupdate.exe
4744	codecpackupdate.exe

Loads dropped DLL 1 IoCs

pid	Process
2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2020	4420	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe	85
PID 4420 wrote to memory of 2020	4420	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe	85
PID 4420 wrote to memory of 2020	4420	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe	85
PID 2020 wrote to memory of 3420	2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp	88
PID 2020 wrote to memory of 3420	2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp	88
PID 2020 wrote to memory of 3420	2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp	88
PID 2020 wrote to memory of 4744	2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp	90
PID 2020 wrote to memory of 4744	2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp	90
PID 2020 wrote to memory of 4744	2020	d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp	90

C:\Users\Admin\AppData\Local\Temp\d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe
"C:\Users\Admin\AppData\Local\Temp\d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\is-MLBOF.tmp\d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MLBOF.tmp\d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp" /SL5="$E0060,1748602,54272,C:\Users\Admin\AppData\Local\Temp\d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe
    "C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3420
- - C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe
    "C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4744

Network

DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

40.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.134.221.88.in-addr.arpa

IN PTR

Response

40.134.221.88.in-addr.arpa

IN PTR

a88-221-134-40deploystaticakamaitechnologiescom
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

219.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

219.135.221.88.in-addr.arpa

IN PTR

Response

219.135.221.88.in-addr.arpa

IN PTR

a88-221-135-219deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

ccptisc.net

codecpackupdate.exe

Remote address:

45.155.250.90:53

Request

ccptisc.net

IN A

Response

ccptisc.net

IN A

45.142.214.240
GET

http://ccptisc.net/search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c644db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffe16c3e7939338

codecpackupdate.exe

Remote address:

45.142.214.240:80

Request

GET /search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c644db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffe16c3e7939338 HTTP/1.1
Host: ccptisc.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 18:59:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
GET

http://ccptisc.net/search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12eab517aa5c96bd86e9978f49875a8bbc896c58e713bc90c91836b5281fc235a925ed3e5cd6bd974a95129070b617e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee949d38c5699f15

codecpackupdate.exe

Remote address:

45.142.214.240:80

Request

GET /search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12eab517aa5c96bd86e9978f49875a8bbc896c58e713bc90c91836b5281fc235a925ed3e5cd6bd974a95129070b617e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee949d38c5699f15 HTTP/1.1
Host: ccptisc.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 18:59:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
DNS

240.214.142.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.214.142.45.in-addr.arpa

IN PTR

Response

240.214.142.45.in-addr.arpa

IN PTR

vm2232303stark-industries solutions
DNS

90.250.155.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.250.155.45.in-addr.arpa

IN PTR

Response
DNS

12.174.154.195.in-addr.arpa

Remote address:

8.8.8.8:53

Request

12.174.154.195.in-addr.arpa

IN PTR

Response

12.174.154.195.in-addr.arpa

IN PTR

195-154-174-12revponeytelecomeu
DNS

123.10.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

123.10.44.20.in-addr.arpa

IN PTR

Response

45.142.214.240:80

http://ccptisc.net/search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12eab517aa5c96bd86e9978f49875a8bbc896c58e713bc90c91836b5281fc235a925ed3e5cd6bd974a95129070b617e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee949d38c5699f15

http

codecpackupdate.exe

1.0kB
2.0kB
8
7

HTTP Request

GET http://ccptisc.net/search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c644db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffe16c3e7939338

HTTP Response

200

HTTP Request

GET http://ccptisc.net/search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12eab517aa5c96bd86e9978f49875a8bbc896c58e713bc90c91836b5281fc235a925ed3e5cd6bd974a95129070b617e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee949d38c5699f15

HTTP Response

200
195.154.174.12:2023

codecpackupdate.exe

810 B
174 B
5
4

8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

40.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

40.134.221.88.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

219.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

219.135.221.88.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
45.155.250.90:53

ccptisc.net

dns

codecpackupdate.exe

57 B
84 B
1
1

DNS Request

ccptisc.net

DNS Response

45.142.214.240
8.8.8.8:53

240.214.142.45.in-addr.arpa

dns

73 B
123 B
1
1

DNS Request

240.214.142.45.in-addr.arpa
8.8.8.8:53

90.250.155.45.in-addr.arpa

dns

72 B
135 B
1
1

DNS Request

90.250.155.45.in-addr.arpa
8.8.8.8:53

12.174.154.195.in-addr.arpa

dns

73 B
121 B
1
1

DNS Request

12.174.154.195.in-addr.arpa
8.8.8.8:53

123.10.44.20.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

123.10.44.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Codec Pack Update\codecpackupdate.exe

Filesize
1.9MB

MD5
5863554ff3580e08b291a78ab69eb0b6

SHA1
c0076bc258b9d32cff6f211e23dd01c026340256

SHA256
09bab30c7d40a5648f4c0665398dee405f8ed2406bcdde1ac0376dedafee8404

SHA512
dab17123817340dba446b5e934a6789bae327028f334e45886d96dbb85a903161e2b350cf1766d819a7bb26b3e144dfc1de54592674b51324400797a271263b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0OK32.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MLBOF.tmp\d68a900fc7325f6bcb19635081147c4ffe8c4f62eefcd16a2fe8592ae195860f.tmp

Filesize
677KB

MD5
83d7000d5d49537dcd2e9440ecad3636

SHA1
e161b66bc7fe08b31822e836ba6a7d68aa1cedf7

SHA256
af439e9d0ea6fd7d73ca83be3436720bd4d65c4b9a700856cd1f4dd232087c00

SHA512
ae744ae54ecedb604896f55e9620b3245f0e69dc56eb51524461f11781e98f48e41b45e91898fc6622e6e9e1a5a9ee7c2568f1face3b69111b21b381dd2bc332

Download Submit
memory/2020-48-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2020-6-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2020-46-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3420-37-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/3420-38-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/3420-41-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4420-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4420-45-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4744-52-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-71-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-51-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-44-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-55-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-58-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-61-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-64-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-65-0x00000000008A0000-0x0000000000942000-memory.dmp

Filesize
648KB

Download
memory/4744-47-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-74-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-75-0x00000000008A0000-0x0000000000942000-memory.dmp

Filesize
648KB

Download
memory/4744-78-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-81-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-84-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-87-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-88-0x00000000008A0000-0x0000000000942000-memory.dmp

Filesize
648KB

Download
memory/4744-89-0x00000000008A0000-0x0000000000942000-memory.dmp

Filesize
648KB

Download
memory/4744-93-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4744-96-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.