socks5systemz | edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086

General

Target

edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.exe
Size

4.6MB
MD5

376cb55898e8e7db7bb6b266a255fba9
SHA1

c206c9a5423f591f4b9a44309a04d3a8b15b452c
SHA256

edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086
SHA512

711732798526ce0934a7e171c41f7717e8dac139760d766692ccb529918e252200ee86ed24f0ec23c5a2932d7664f3f4765cf4fed5f8e48f12fdc421cf268105
SSDEEP

98304:mVFdzgMlvdfxNvBo58mWZ56PbEysBC++fw7/R2AdbJRDw:w5VdvvBoChWbEyY+oLgAdbJRDw

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2596-86-0x00000000009D0000-0x0000000000A72000-memory.dmp	family_socks5systemz
behavioral2/memory/2596-110-0x00000000009D0000-0x0000000000A72000-memory.dmp	family_socks5systemz
behavioral2/memory/2596-109-0x00000000009D0000-0x0000000000A72000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmpcybersoundaudiodirector.execybersoundaudiodirector.exe

pid process

3180 edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp
5016 cybersoundaudiodirector.exe
2596 cybersoundaudiodirector.exe
Loads dropped DLL 1 IoCs

Processes:

edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp

pid process

3180 edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 91.211.247.248
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp

pid process

3180 edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp

pid	process
3180	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp
5016	cybersoundaudiodirector.exe
2596	cybersoundaudiodirector.exe

pid	process
3180	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp

description	ioc
Destination IP	91.211.247.248

pid	process
3180	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.exeedc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp

description	pid	process	target process
PID 2836 wrote to memory of 3180	2836	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.exe	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp
PID 2836 wrote to memory of 3180	2836	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.exe	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp
PID 2836 wrote to memory of 3180	2836	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.exe	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp
PID 3180 wrote to memory of 5016	3180	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp	cybersoundaudiodirector.exe
PID 3180 wrote to memory of 5016	3180	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp	cybersoundaudiodirector.exe
PID 3180 wrote to memory of 5016	3180	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp	cybersoundaudiodirector.exe
PID 3180 wrote to memory of 2596	3180	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp	cybersoundaudiodirector.exe
PID 3180 wrote to memory of 2596	3180	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp	cybersoundaudiodirector.exe
PID 3180 wrote to memory of 2596	3180	edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp	cybersoundaudiodirector.exe

C:\Users\Admin\AppData\Local\Temp\edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.exe
"C:\Users\Admin\AppData\Local\Temp\edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\is-QLFFV.tmp\edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QLFFV.tmp\edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp" /SL5="$40204,4552424,54272,C:\Users\Admin\AppData\Local\Temp\edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Local\CyberSound AudioDirector\cybersoundaudiodirector.exe
"C:\Users\Admin\AppData\Local\CyberSound AudioDirector\cybersoundaudiodirector.exe" -i
3⤵
- Executes dropped EXE
PID:5016

C:\Users\Admin\AppData\Local\CyberSound AudioDirector\cybersoundaudiodirector.exe
"C:\Users\Admin\AppData\Local\CyberSound AudioDirector\cybersoundaudiodirector.exe" -s
3⤵
- Executes dropped EXE
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CyberSound AudioDirector\cybersoundaudiodirector.exe
Filesize
2.5MB

MD5
07974c9ca4b3e17cef10909b4121e0d1

SHA1
c8d4c3d635d102c7d01531689a631d6e91f27302

SHA256
4a5532d22539bd1013fddf116249a2fa33d2505e5a2e251e53843d652503a87f

SHA512
e22b3f2cd9b0d9ef7c96717cba35ed4dfe4a6fa3b1b10b81bc0e5b7d2470245469fbe8ce4cc40e31f49edd624fa7c2ffbef08ea6f48f61a43a666f6cb4d6f177

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-887RD.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QLFFV.tmp\edc3373a5f607d11d498e86367b3c341cd565109cae42ad1b6049486800b7086.tmp
Filesize
680KB

MD5
2802793cff587bb6eeb2ef3767bae465

SHA1
8bfd261fd7d5c1bf3627b867815ad7eac56060ea

SHA256
639cdf357b7509177fa927cf90da7fb469a9134abbdb98a8b8f41b5e9866d53a

SHA512
27de32fa20bb2bbd8c18d2d69cc8bf0daf57d747d0cc09d98d29083ee34133d4dc0c029b8c823e47e96477ab6a915685d4832965838be68a63a00ac7b086adb1

Download Submit
memory/2596-96-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-80-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-117-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-114-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-109-0x00000000009D0000-0x0000000000A72000-memory.dmp

Filesize
648KB

Download
memory/2596-110-0x00000000009D0000-0x0000000000A72000-memory.dmp

Filesize
648KB

Download
memory/2596-108-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-68-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-105-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-102-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-71-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-74-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-77-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-99-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-83-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-86-0x00000000009D0000-0x0000000000A72000-memory.dmp

Filesize
648KB

Download
memory/2596-88-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2596-93-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2836-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2836-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2836-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3180-11-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3180-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5016-63-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/5016-65-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/5016-60-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/5016-59-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing