socks5systemz | 5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90

General

Target

5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.exe
Size

4.5MB
MD5

8cbb575b3734ec12651148f05e603111
SHA1

5c1933a0aeac8d35233b538eae4f9d22052e6147
SHA256

5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90
SHA512

213b935ba52037bf4126b13e6922e473438ca9a6e907545df7408ed68b2d9375a9894f9b5787ed9cfcc86adc84eeff3a208558d46d9bf30563b6d9c2a5cc7fcf
SSDEEP

98304:+o0h78ZNuiAcT45ABTxvBKdkBNOkarMVaqrngGimgDpPad1ZK:wNH5ABTxJKdk1arMV/ry2XK

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://eztyeui.ua/search/?q=67e28dd86809f27b415ba51b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa1de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ffa10c2ed929d3d

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3344-83-0x0000000000920000-0x00000000009C2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1128	5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.tmp
1292	auditorium.exe
3344	auditorium.exe

Loads dropped DLL 1 IoCs

pid	Process
1128	5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 1128	4144	5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.exe	74
PID 4144 wrote to memory of 1128	4144	5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.exe	74
PID 4144 wrote to memory of 1128	4144	5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.exe	74
PID 1128 wrote to memory of 1292	1128	5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.tmp	75
PID 1128 wrote to memory of 1292	1128	5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.tmp	75
PID 1128 wrote to memory of 1292	1128	5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.tmp	75
PID 1128 wrote to memory of 3344	1128	5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.tmp	76
PID 1128 wrote to memory of 3344	1128	5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.tmp	76
PID 1128 wrote to memory of 3344	1128	5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.tmp	76

C:\Users\Admin\AppData\Local\Temp\5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.exe
"C:\Users\Admin\AppData\Local\Temp\5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Local\Temp\is-KFT87.tmp\5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KFT87.tmp\5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.tmp" /SL5="$60200,4431990,54272,C:\Users\Admin\AppData\Local\Temp\5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Auditorium\auditorium.exe
    "C:\Users\Admin\AppData\Local\Auditorium\auditorium.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1292
- - C:\Users\Admin\AppData\Local\Auditorium\auditorium.exe
    "C:\Users\Admin\AppData\Local\Auditorium\auditorium.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Auditorium\auditorium.exe

Filesize
2.4MB

MD5
02fd49adc311ea73a7a2b8a556102361

SHA1
365d365ed247e5e0e119fd9f72bfc1bd369eaa17

SHA256
9970385e7ee45145cf238ba70d75493eff4e0f54e464eccb9be8fdfebd9b2793

SHA512
bba33e64aa0192e59fd9d76dbb4ec7d59476485a3cd57fc795f536b0bec22cd1da8ee1e01fba67c185b2a381951b1e8623c4bcd71def7c99bc6fab4b4076cde0

Download Submit
C:\Users\Admin\AppData\Local\Auditorium\libeay32.dll

Filesize
2.3MB

MD5
5afad5dd0bae7f01c2be79f9f168c9e8

SHA1
553fe32e9cc002b3357c11de74478b85b04657bc

SHA256
4c5c6debe9453f0343f163aa72b7049f3167bc08d3b2d549fcabc4ee6bfbafcd

SHA512
3f78196965db2fa5f6a13fecd9d93abbbaafaa52a6b43e8bd957d3b1e52bc3930db2d72e79cd34315f56b9758ed37a5d6b122533351d90296abfe8ca7f62fb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KFT87.tmp\5a5fc49184a4477aa6ee4f7ba51f6699608362272c440cd68255f4ec3c717a90.tmp

Filesize
695KB

MD5
26965fc7a85aba3f9a63bfa9289b879a

SHA1
1fe5a0fc8ee517d32c384968ec82231625a4e42b

SHA256
dd4bd63b7d00383a3951f11eaba27033e7ee6192b119dc30f5ab48ffd8514c9c

SHA512
f92127f1221fea71da5baceaccb6f06adc29f0a1e4e88e7e4982aa629b6f0d7c7860a83d746686c6b61c350c2b68dc0030caa6123d73aa568c0a83275ace19f7

Download Submit
\Users\Admin\AppData\Local\Temp\is-2Q9BQ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1128-69-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1128-16-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1292-59-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/1292-63-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/1292-60-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-79-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-92-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-131-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-126-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-70-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-73-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-76-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-123-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-82-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-83-0x0000000000920000-0x00000000009C2000-memory.dmp

Filesize
648KB

Download
memory/3344-87-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-67-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-95-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-98-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-101-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-104-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-108-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-111-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-114-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-117-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/3344-120-0x0000000000400000-0x0000000000665000-memory.dmp

Filesize
2.4MB

Download
memory/4144-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4144-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4144-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing