socks5systemz | 7fcf9da4f0365c791ee2e24a2cdf92f2a42c130ea851380096c267a98e77d791

General

Target

5a0091e55a8dde139614c4fe106a6ce1.exe
Size

4.2MB
MD5

5a0091e55a8dde139614c4fe106a6ce1
SHA1

cf965423ca85bb3862c62bd0712d2ead032208fd
SHA256

7fcf9da4f0365c791ee2e24a2cdf92f2a42c130ea851380096c267a98e77d791
SHA512

e78dece9d1a75ee5f2767b2739e1ed24c85fa775615393b51e14c39012fa86b7472b185ded1a740604f5d970ed3fb01cfb3cd4a8a3c36f5f2b1af282976003a0
SSDEEP

98304:sy3FP4P0AHs4AKN4tAT7xdfFG1acTWRYch5fye0xcxLdsV8vSt:syKP0t4AKNwAT1DGnWi8wpxArv6

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://bebkemv.com/search/?q=67e28dd83d5fa62d1358fa4d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a628afe15c2e997

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2840-93-0x00000000024B0000-0x0000000002552000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2136	5a0091e55a8dde139614c4fe106a6ce1.tmp
2464	mixerfreeedition.exe
2840	mixerfreeedition.exe

Loads dropped DLL 5 IoCs

pid	Process
2660	5a0091e55a8dde139614c4fe106a6ce1.exe
2136	5a0091e55a8dde139614c4fe106a6ce1.tmp
2136	5a0091e55a8dde139614c4fe106a6ce1.tmp
2136	5a0091e55a8dde139614c4fe106a6ce1.tmp
2136	5a0091e55a8dde139614c4fe106a6ce1.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2136	2660	5a0091e55a8dde139614c4fe106a6ce1.exe	28
PID 2660 wrote to memory of 2136	2660	5a0091e55a8dde139614c4fe106a6ce1.exe	28
PID 2660 wrote to memory of 2136	2660	5a0091e55a8dde139614c4fe106a6ce1.exe	28
PID 2660 wrote to memory of 2136	2660	5a0091e55a8dde139614c4fe106a6ce1.exe	28
PID 2660 wrote to memory of 2136	2660	5a0091e55a8dde139614c4fe106a6ce1.exe	28
PID 2660 wrote to memory of 2136	2660	5a0091e55a8dde139614c4fe106a6ce1.exe	28
PID 2660 wrote to memory of 2136	2660	5a0091e55a8dde139614c4fe106a6ce1.exe	28
PID 2136 wrote to memory of 2464	2136	5a0091e55a8dde139614c4fe106a6ce1.tmp	29
PID 2136 wrote to memory of 2464	2136	5a0091e55a8dde139614c4fe106a6ce1.tmp	29
PID 2136 wrote to memory of 2464	2136	5a0091e55a8dde139614c4fe106a6ce1.tmp	29
PID 2136 wrote to memory of 2464	2136	5a0091e55a8dde139614c4fe106a6ce1.tmp	29
PID 2136 wrote to memory of 2840	2136	5a0091e55a8dde139614c4fe106a6ce1.tmp	30
PID 2136 wrote to memory of 2840	2136	5a0091e55a8dde139614c4fe106a6ce1.tmp	30
PID 2136 wrote to memory of 2840	2136	5a0091e55a8dde139614c4fe106a6ce1.tmp	30
PID 2136 wrote to memory of 2840	2136	5a0091e55a8dde139614c4fe106a6ce1.tmp	30

C:\Users\Admin\AppData\Local\Temp\5a0091e55a8dde139614c4fe106a6ce1.exe
"C:\Users\Admin\AppData\Local\Temp\5a0091e55a8dde139614c4fe106a6ce1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\is-MUOIC.tmp\5a0091e55a8dde139614c4fe106a6ce1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MUOIC.tmp\5a0091e55a8dde139614c4fe106a6ce1.tmp" /SL5="$7011E,4101844,54272,C:\Users\Admin\AppData\Local\Temp\5a0091e55a8dde139614c4fe106a6ce1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe
    "C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2464
- - C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe
    "C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mixer Free Edition\libeay32.dll

Filesize
1.9MB

MD5
5fbd844a6ce26deb5337e8e6dd7c7b70

SHA1
5302e49b2027a07c7bb8f95d45510efc0d954cf8

SHA256
f0d640c4e07c81c29f0ec2b603ec3017bdd4db0d0e26c3fa364a6bbf45826058

SHA512
c383b5ec9fb9efd53cdf00c2b0940fe60a35a857f8be40ae0763647c3523712553910aca8504768cc86895b2168525fa6043d567e66e0ed5696e2c8e5e7b992d

Download Submit
\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe

Filesize
1.7MB

MD5
a8114231cdb1fa3459a12f7f95b73993

SHA1
c6f060c139b46da8e51e1143433abc4c2f4c453f

SHA256
71551da3bacea0190f4be447bd00cc91d59cb7f62ea02f67e3541924588411fe

SHA512
88a7ed2a5c770f178bfde5836698f3b5055415c6b2bf7daf17f892a2c669bc3cde56d0f10fe8417c5093dc6fd5197792d280f39d4d7deceabf52ae863734bc5a

Download Submit
\Users\Admin\AppData\Local\Temp\is-36HLG.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-36HLG.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-MUOIC.tmp\5a0091e55a8dde139614c4fe106a6ce1.tmp

Filesize
696KB

MD5
c6061f804038f66af0cbf28c43abf849

SHA1
0473fc63f6514857bba850ce50206fbe8c992b64

SHA256
6261d17d1ab1744496c0f2988954989398d6829f2417df5420ffdf6d64f8678e

SHA512
edf27bfeec82752b6d52a8eb68853dde5d5effd9c3a8c1c93e181167d8bc5ae2c6d7b19ac74955c91aa4e90913fb7dcc8439d33a5e0c8aac5fe71c914596e0ae

Download Submit
memory/2136-11-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2136-78-0x00000000036B0000-0x0000000003873000-memory.dmp

Filesize
1.8MB

Download
memory/2136-63-0x00000000036B0000-0x0000000003873000-memory.dmp

Filesize
1.8MB

Download
memory/2136-75-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2464-65-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2464-66-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2464-70-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2660-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2660-74-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2660-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2840-76-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-80-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-83-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-86-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-89-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-92-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-93-0x00000000024B0000-0x0000000002552000-memory.dmp

Filesize
648KB

Download
memory/2840-99-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-102-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-105-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-108-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-111-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-114-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-118-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-121-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing