Analysis

Max time kernel: 293s
Max time network: 300s
Platform: windows10-1703_x64
Resource: win10-20240404-en
Resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 30-05-2024 22:47

Static task: static1

Behavioral task: behavioral1
  Sample: 398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.exe
  Resource: win10-20240404-en
General

Target: 398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.exe
Size: 4.7MB
MD5: b3c7e4f8c52230723bbd727e3638e4a5
SHA1: 701f94fa55424df50849bf06a3e808d6b3b3a1b4
SHA256: 398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc
SHA512: 461db5588b5b69e444e42bd80ee52301dbf509f90a765c1155e7236b39e81bcd8d02e82a60dcbd8d87137ee3b7000a357b6cc27f8c1190e23af99bf9f09839d3
SSDEEP: 98304:m0qzsDm5CN4enWyQ0ZNIfmfKHijuKHWBmr+4NlRbtANBk10DXIyolQ:e4t2eWVc0mfKHijPHWB81NlVtAPk10Df
Malware Config

Signatures

Detect Socks5Systemz Payload (1 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3388-83-0x0000000000950000-0x00000000009F2000-memory.dmp  family_socks5systemz

Socks5Systemz
  Socks5Systemz is a botnet written in C++.

Executes dropped EXE (3 IoCs)
  pid   process
  2724  398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp
  3372  fgaudioconverter.exe
  3388  fgaudioconverter.exe

Loads dropped DLL (1 IoCs)
  pid   process
  2724  398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp

Unexpected DNS network traffic destination (2 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  45.155.250.90
  Destination IP  141.98.234.31

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   process
  2724  398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp

Suspicious use of WriteProcessMemory (9 IoCs)
  description                     pid   process                                                                 target process
  PID 920 wrote to memory of 2724  920   398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.exe  398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp
  PID 920 wrote to memory of 2724  920   398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.exe  398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp
  PID 920 wrote to memory of 2724  920   398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.exe  398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp
  PID 2724 wrote to memory of 3372 2724  398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp  fgaudioconverter.exe
  PID 2724 wrote to memory of 3372 2724  398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp  fgaudioconverter.exe
  PID 2724 wrote to memory of 3372 2724  398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp  fgaudioconverter.exe
  PID 2724 wrote to memory of 3388 2724  398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp  fgaudioconverter.exe
  PID 2724 wrote to memory of 3388 2724  398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp  fgaudioconverter.exe
  PID 2724 wrote to memory of 3388 2724  398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp  fgaudioconverter.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.exe"
   PID: 920
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\is-VKV2H.tmp\398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-VKV2H.tmp\398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp" /SL5="$502DE,4677919,54272,C:\Users\Admin\AppData\Local\Temp\398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.exe"
      PID: 2724
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\FGaudioConverter\fgaudioconverter.exe
         Command line: "C:\Users\Admin\AppData\Local\FGaudioConverter\fgaudioconverter.exe" -i
         PID: 3372
         - Executes dropped EXE

      3. C:\Users\Admin\AppData\Local\FGaudioConverter\fgaudioconverter.exe
         Command line: "C:\Users\Admin\AppData\Local\FGaudioConverter\fgaudioconverter.exe" -s
         PID: 3388
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 2.8MB
  MD5: 5811b31818deae55b0135d91e51ce7e4
  SHA1: e220764f2724526686512c9e9b5d372692b8f0be
  SHA256: 2ee01123a90c39b237514de2b9338121f616bb0e5dd4ed14385143d3473436a2
  SHA512: be674bbc95e4f884517cc69c3077532b08f3494077492e9cea72400b2cc246a8161dd1606e7ed27431a2eded8da3c9e79e1b25d58648a0ce15efaa1c38e8ae70

File 2: C:\Users\Admin\AppData\Local\Temp\is-VKV2H.tmp\398d7b8aee82bc60010cbe0a6fee08280267d97c73854ca5d24919c512ed89cc.tmp
  Filesize: 680KB
  MD5: 73c4ccd27a4e4d2e7a6e3aa5b58dfce1
  SHA1: 0336533f24380362330e9cba68490f49e2566699
  SHA256: c94d874b8d23a6e00ef7f1d6706a82c17fbfd763205eb24a5ece9c5f1130e89f
  SHA512: cca454547f32cc60d9ae2d2f4ba1192781efe48ebf0c4ee231f2a7a2501d3b05ddbb31dcb9547ac4d46b987bf55ca97b70741b5ff0a32b8202ff4479c21d6b9d

File 3
  Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63