socks5systemz | b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f

General

Target

b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.exe
Size

4.6MB
MD5

3af6d529e9b5b26c4937c9e1444f1749
SHA1

5f19f868e151f7b5b0c1c279809237a5442ee003
SHA256

b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f
SHA512

3964ad5e1fd6c2afee9b1b2eddf069b5a3b3a7abba9705ab550c738c740b2de6bc8ffd75718e9f52bbc08c1df65365bf9eb83b9b2f3bef6f55ce855609017f2e
SSDEEP

98304:+/f9gO8aEjEKlo0fDYmyzka8Suks7DDzovtNq2CUoHd1Zq:/O8aa+4DWT8SqDzmNfCUo9Xq

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://aqmpalp.ru/search/?q=67e28dd8685af379125bfd4e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f271ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ffa13c1ee9c9933

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2652-83-0x00000000008F0000-0x0000000000992000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
768	b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.tmp
2960	virtualaudiomixer.exe
2652	virtualaudiomixer.exe

Loads dropped DLL 1 IoCs

pid	Process
768	b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 768	3936	b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.exe	72
PID 3936 wrote to memory of 768	3936	b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.exe	72
PID 3936 wrote to memory of 768	3936	b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.exe	72
PID 768 wrote to memory of 2960	768	b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.tmp	73
PID 768 wrote to memory of 2960	768	b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.tmp	73
PID 768 wrote to memory of 2960	768	b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.tmp	73
PID 768 wrote to memory of 2652	768	b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.tmp	74
PID 768 wrote to memory of 2652	768	b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.tmp	74
PID 768 wrote to memory of 2652	768	b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.tmp	74

C:\Users\Admin\AppData\Local\Temp\b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.exe
"C:\Users\Admin\AppData\Local\Temp\b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\is-R53EA.tmp\b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R53EA.tmp\b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.tmp" /SL5="$70216,4584799,54272,C:\Users\Admin\AppData\Local\Temp\b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Users\Admin\AppData\Local\Virtual Audio Mixer\virtualaudiomixer.exe
    "C:\Users\Admin\AppData\Local\Virtual Audio Mixer\virtualaudiomixer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2960
- - C:\Users\Admin\AppData\Local\Virtual Audio Mixer\virtualaudiomixer.exe
    "C:\Users\Admin\AppData\Local\Virtual Audio Mixer\virtualaudiomixer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-R53EA.tmp\b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.tmp

Filesize
695KB

MD5
9706e8ea6084abcba484923418f52acc

SHA1
5682e8c8e6dea0238451adbd5e02f08541c2af59

SHA256
9595ae9619654978e7934658a6726ae6b47183b05152d679fc7612e77a51256f

SHA512
d4647f2a652d26a7550f9bafe8dcb7d7e7534fd8505c879f0d842ace9504933c91295fd115756efc75f6a2d1de16651003393ed68c90605eb08eca9f1a2f4da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R53EA.tmp\b02286f07e1cae1f73faab98b0516f81bc9318ee25e55f34ca49f8b53a3c699f.tmp

Filesize
448KB

MD5
fe211c8119a31a9f10c268ad5b87deb4

SHA1
7c7b75f9d25b49dbdc0a5a9555e709b477568639

SHA256
a0124e90baa4f0407b7c0a253a37e599257ea86f40e733c28323ccc34a28fc0c

SHA512
404ea1046c4e394ba894796963cbefb7ce67cbe3124538887d0271dad17eb8ff32bcfd8b2b537cd95bdca6db48ba54be462b97cbeaeebbdacc07ee864173fd45

Download Submit
C:\Users\Admin\AppData\Local\Virtual Audio Mixer\libeay32.dll

Filesize
2.0MB

MD5
1176a2fcbc3cfb77207db7575dd6a522

SHA1
e0a854c77a65e542712c9fe3feae2331fcddb7f4

SHA256
553200e21658e7976d496c52cc1aeb50446b877ccda4f0b073a553ec3fb48560

SHA512
bb00340e4931342c4db499d68e98542f401a985c062810225ee661a7a289a885dab8c64f37fb231212ad2a5d703f3fd0528e8402fc1033cf4128d075714e3f34

Download Submit
C:\Users\Admin\AppData\Local\Virtual Audio Mixer\virtualaudiomixer.exe

Filesize
1.8MB

MD5
fb5acc8a76c4e962f13c0feb9bbe8d9e

SHA1
72e0de4e521167360db12cccd8e740b57a0acbf9

SHA256
aedd64c2e99d114e730b98102725418a6b668d1cc0663e54544a4f9b0241d05d

SHA512
1046c808ef5d8465e6c1a0e363b4d2cc2e3507a726c9764d12c4f7e2bc9f30cd29466bc763afa122c9ce2215464c5c638b9f7c4acaf451db7932b3dd87a482e4

Download Submit
C:\Users\Admin\AppData\Local\Virtual Audio Mixer\virtualaudiomixer.exe

Filesize
448KB

MD5
2381fd18d05899f4b289c851e3126d4a

SHA1
b229ffec7aaa500545f7038d12fb2cf1a07f6b11

SHA256
c1ebfa4f3ee86c93f45670ca7d43e18a01b22d4480517e4c0208fd3265e0f1d6

SHA512
b17d9bdfec1fa4cf48326eabf72727a18f8a5b80d6af83f3d47363f80cd4cbdb97cde2a711d08fadb54677055db88e1567723b4b8f386dbdf9e840f493f0f26a

Download Submit
\Users\Admin\AppData\Local\Temp\is-9FFHT.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/768-10-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/768-69-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2652-101-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-92-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-131-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-126-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-123-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-120-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-70-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-73-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-76-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-79-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-82-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-83-0x00000000008F0000-0x0000000000992000-memory.dmp

Filesize
648KB

Download
memory/2652-87-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-117-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-95-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-98-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-114-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-104-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-107-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-111-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2960-64-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2960-59-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2960-60-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3936-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3936-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3936-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing