socks5systemz | 36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee

General

Target

36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.exe
Size

5.2MB
MD5

3543dc2fb466db6f1ed3cdab877228c8
SHA1

ac965c9b843446bd18bb8ad58682eefcb3e43a56
SHA256

36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee
SHA512

91b777224ad9829448cbddefb5ab0acb606116cb96de11ec70955e5ac69c3b4992e65c27aa836d9a2af43233b16ed0662e7022d3fc50a12bb3c9becf65e959fa
SSDEEP

98304:mPDPe+Aqtx+yb/jwnvo1XCrIpfSRAD+J+bJtf52:GDG+ntJb/AoZCr1I+kB2

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://bpcvvvo.com/search/?q=67e28dd86b5bf57b435daf497c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f271ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffa18c4e6909c3f

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4464-88-0x00000000025D0000-0x0000000002672000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2420	36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.tmp
4976	freestudio.exe
4464	freestudio.exe

Loads dropped DLL 1 IoCs

pid	Process
2420	36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2420	2900	36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.exe	82
PID 2900 wrote to memory of 2420	2900	36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.exe	82
PID 2900 wrote to memory of 2420	2900	36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.exe	82
PID 2420 wrote to memory of 4976	2420	36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.tmp	83
PID 2420 wrote to memory of 4976	2420	36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.tmp	83
PID 2420 wrote to memory of 4976	2420	36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.tmp	83
PID 2420 wrote to memory of 4464	2420	36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.tmp	84
PID 2420 wrote to memory of 4464	2420	36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.tmp	84
PID 2420 wrote to memory of 4464	2420	36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.tmp	84

C:\Users\Admin\AppData\Local\Temp\36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.exe
"C:\Users\Admin\AppData\Local\Temp\36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\is-TKABU.tmp\36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TKABU.tmp\36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.tmp" /SL5="$401DC,5242334,54272,C:\Users\Admin\AppData\Local\Temp\36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Free Studio\freestudio.exe
    "C:\Users\Admin\AppData\Local\Free Studio\freestudio.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4976
- - C:\Users\Admin\AppData\Local\Free Studio\freestudio.exe
    "C:\Users\Admin\AppData\Local\Free Studio\freestudio.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Free Studio\freestudio.exe

Filesize
3.4MB

MD5
612125f99b75e76cdcfa92c2219ed924

SHA1
4e7893010090d0330136527226fef1f27035b763

SHA256
b4f34304e783f744973dc3d824b2639f721c5f9220dd9655b2351c88812bd5f6

SHA512
5d7c90631664c07edd0b19af91e0386959c8c65380045106a45b1244ec64aa809eb6fa30a6d850282fe07ed9db46c927663f75ceedcba908ae3de668ffb68c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8NMUP.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TKABU.tmp\36916c08e555af01ded3ea914fbb85cdae583171d9eede75b33f9de7343bd2ee.tmp

Filesize
677KB

MD5
ce39a787d16c503b708181aac5b0b36d

SHA1
8af8b7e76463904510bd51538bfbc515f4a671d7

SHA256
b302e6c5371590c9bd74cd3c7d1eca1cbc16fe81dedd5f28b5f8f4b1f0fa4b29

SHA512
eb6dc0a1397cf4675516094a64218108675ba09991817a28091cfd794635e20c1636ea12fd92740d716f4e4c92fd627239a0afa7604241549e4076f57ce0e855

Download Submit
memory/2420-10-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2420-70-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2900-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2900-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2900-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4464-94-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-87-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-68-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-116-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-113-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-71-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-74-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-75-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-78-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-81-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-84-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-109-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-88-0x00000000025D0000-0x0000000002672000-memory.dmp

Filesize
648KB

Download
memory/4464-106-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-97-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-100-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4464-103-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4976-59-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4976-65-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4976-60-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/4976-61-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing