socks5systemz | 0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed

General

Target

0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.exe
Size

4.7MB
MD5

e5e23787ec50d71208a32b63304c3169
SHA1

66a677dc220c924b3ee33fa72218b3490215328a
SHA256

0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed
SHA512

66881400417e00d9ec38fb2b225deb3c5b6321b5f77b38cbf762c8f597f3988bf83e708f72f3394e34f0156e993b9308b13a2fd30eff63572f4b45f2555c81a5
SSDEEP

98304:KYGmEtw0dnFNEzrT2HB/6ybaGbN1MheX1duVIsi8QtD9JNHvp:KY8W0dYHuBh2G51MidZ5JNHvp

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1564-86-0x00000000008C0000-0x0000000000962000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2020	0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.tmp
2820	victoriapigments.exe
1564	victoriapigments.exe

Loads dropped DLL 1 IoCs

pid	Process
2020	0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2020	2964	0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.exe	78
PID 2964 wrote to memory of 2020	2964	0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.exe	78
PID 2964 wrote to memory of 2020	2964	0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.exe	78
PID 2020 wrote to memory of 2820	2020	0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.tmp	80
PID 2020 wrote to memory of 2820	2020	0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.tmp	80
PID 2020 wrote to memory of 2820	2020	0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.tmp	80
PID 2020 wrote to memory of 1564	2020	0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.tmp	81
PID 2020 wrote to memory of 1564	2020	0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.tmp	81
PID 2020 wrote to memory of 1564	2020	0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.tmp	81

C:\Users\Admin\AppData\Local\Temp\0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.exe
"C:\Users\Admin\AppData\Local\Temp\0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\is-Q0CJ5.tmp\0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q0CJ5.tmp\0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.tmp" /SL5="$50066,4670756,54272,C:\Users\Admin\AppData\Local\Temp\0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Victoria Pigments\victoriapigments.exe
    "C:\Users\Admin\AppData\Local\Victoria Pigments\victoriapigments.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\Users\Admin\AppData\Local\Victoria Pigments\victoriapigments.exe
    "C:\Users\Admin\AppData\Local\Victoria Pigments\victoriapigments.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-LL0I3.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q0CJ5.tmp\0df55988c016ca5853fbfe50690be0d80e02ecaf3f19f78a616121c5885ad1ed.tmp

Filesize
696KB

MD5
a547e7640d3d847b900341f379cad3ce

SHA1
9499a19a148b615bac77469bfa678993a1d6cb24

SHA256
6e675a539c582e9aed7a3d88c24018bd75280dd016f3e16e2ada34fe6c92d993

SHA512
6cb2fa7dcc6349f941b4545e5f92c07d8c3aaa5b7c12627c57850db6425dc7d5bd51d8a5ed26b0ae8eabd5f11f69bcb431e8961278c7b1ab78dc655f95708b2f

Download Submit
C:\Users\Admin\AppData\Local\Victoria Pigments\libeay32.dll

Filesize
1.9MB

MD5
876a839023b8f962a72d295da7495734

SHA1
62a7728679bc18784b1fbf1d013f7cece18cbec9

SHA256
a757d773da406411fb977761f6e56f016d48d224aedaf3d875ed4d4a9ede6158

SHA512
e1b23a2f5ec0100ff874ca075bbd0f90e9065a90fec66861f99df603d7aaa9db8e8ec326710fdc11ad41d01befe4ea3077136127acf613614d0d12ff23bec6c1

Download Submit
C:\Users\Admin\AppData\Local\Victoria Pigments\victoriapigments.exe

Filesize
2.7MB

MD5
72be084b6ef5977e8604331965310390

SHA1
78bcc34df1433839a0e92f4452eb3aaf4e4353ef

SHA256
c4fb183abc51ca11f57a6a192a2992e853c61f387e17371aa65e6f9a1662c5ab

SHA512
d6020adb668ed2e4b1799807623383fd3b26de8f00bedaa4836d7dc2e414a7e16d6153d33231d2171a0152ff502b073616ecf489f873a3fa905259333cbb79e2

Download Submit
memory/1564-91-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-79-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-117-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-114-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-111-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-108-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-68-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-69-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-105-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-102-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-72-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-73-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-76-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-99-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-82-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-85-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/1564-86-0x00000000008C0000-0x0000000000962000-memory.dmp

Filesize
648KB

Download
memory/1564-96-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/2020-10-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2020-71-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2820-63-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/2820-60-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/2820-59-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/2964-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing