Analysis
-
max time kernel
291s -
max time network
299s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
30-05-2024 23:12
Static task
static1
Behavioral task
behavioral1
Sample
87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe
Resource
win10-20240404-en
General
-
Target
87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe
-
Size
4.5MB
-
MD5
3f4ac40876eb79c202b6f2c0e74ceab2
-
SHA1
8a9b592e912523eb1706e834a184a4c05b66aebf
-
SHA256
87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a
-
SHA512
ad306778d9e0200e56ea8078073f6ea0dfe2ade9893e753f8d95d96d22473bb74430debc2707b919df6c4280863ec2d332a2e453d94300d852f9b79f77a565e7
-
SSDEEP
98304:m2lMhJhWnooZDUpYUSDig+2wsH8jrerMcmTFf4:/y7JoZDCYUSWO8jfcKf4
Malware Config
Signatures
-
Detect Socks5Systemz Payload 1 IoCs
resource yara_rule behavioral2/memory/924-85-0x0000000000910000-0x00000000009B2000-memory.dmp family_socks5systemz -
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Executes dropped EXE 3 IoCs
pid Process 4596 87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp 3292 vaervideorecorder.exe 924 vaervideorecorder.exe -
Loads dropped DLL 1 IoCs
pid Process 4596 87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp -
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 141.98.234.31 Destination IP 141.98.234.31 -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4596 87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1268 wrote to memory of 4596 1268 87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe 73 PID 1268 wrote to memory of 4596 1268 87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe 73 PID 1268 wrote to memory of 4596 1268 87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe 73 PID 4596 wrote to memory of 3292 4596 87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp 74 PID 4596 wrote to memory of 3292 4596 87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp 74 PID 4596 wrote to memory of 3292 4596 87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp 74 PID 4596 wrote to memory of 924 4596 87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp 75 PID 4596 wrote to memory of 924 4596 87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp 75 PID 4596 wrote to memory of 924 4596 87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp 75
Processes
-
C:\Users\Admin\AppData\Local\Temp\87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe"C:\Users\Admin\AppData\Local\Temp\87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Users\Admin\AppData\Local\Temp\is-INPG5.tmp\87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp"C:\Users\Admin\AppData\Local\Temp\is-INPG5.tmp\87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp" /SL5="$502FE,4458431,54272,C:\Users\Admin\AppData\Local\Temp\87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Users\Admin\AppData\Local\Vaer Video Recorder\vaervideorecorder.exe"C:\Users\Admin\AppData\Local\Vaer Video Recorder\vaervideorecorder.exe" -i3⤵
- Executes dropped EXE
PID:3292
-
-
C:\Users\Admin\AppData\Local\Vaer Video Recorder\vaervideorecorder.exe"C:\Users\Admin\AppData\Local\Vaer Video Recorder\vaervideorecorder.exe" -s3⤵
- Executes dropped EXE
PID:924
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\is-INPG5.tmp\87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp
Filesize680KB
MD547d9bbe70b5142eecee1594b8283ebd6
SHA1a23ad785865f2f40d20ff7ccd317e46f7325a104
SHA256bbfcaecc64b36dcb118ba9136246dfd943f3b70812c6a949f9b507a46282dbc3
SHA512b38d94d48eb44beb404d9a7577a37968bcd181c2855f88e9909d12bdc9891a18f7a6229c588ec508e36ee46b62ebe255f00ba8b8368569acebee29b48ecfc8d0
-
Filesize
2.6MB
MD561fba91a41d52c314f742ea51162afef
SHA1ae6c3086f5e6a142e8cd8db1b2a3ce159099d872
SHA256be28a09fc83afbe7da0b7af8910e76ff09b6e570a71a65b05e31ede2b2da860f
SHA5122e31392a2249fbad79be1cac235af329f4869acc02209befe93f7d5037ee7655ca33fc26439f30700ed48c2ccdb0b9187d54f8f796f123075aaec3eba000199f
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63