Analysis
- max time kernel: 293s
- max time network: 286s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
- submitted: 30-05-2024 22:53
Static task
static1
Behavioral task
behavioral1
Sample
4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.exe
Resource
win10-20240404-en
General
- Target: 4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.exe
- Size: 4.8MB
- MD5: 891b730626b28b9e4e50e8f997afac34
- SHA1: 23962b4bee1742dd3fd448c5de7613bc15687261
- SHA256: 4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc
- SHA512: fe2df050e4b6e6135c0c88dbff7dd4ce999ce954ae7560247b81cf5e471c7bbc575e251a4b662572f0d2bd566d2a892e07197b70d0dfc4aca4f31eb2bd1405e2
- SSDEEP: 98304:mN3Kb+NHR4ydR4PXKT10hTXlGvZS9FRDS7vGQ87jcvXx385EMuZC:3qWydPuRov0X0vGQphTC
Malware Config
Signatures
- Detect Socks5Systemz Payload (1 IoC)
  Processes:
  resource   behavioral2/memory/2904-85-0x0000000000A50000-0x0000000000AF2000-memory.dmp
  yara_rule  family_socks5systemz
- Socks5Systemz
  Socks5Systemz is a botnet written in C++.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  776   4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp
  2424  submoremediaplayer32.exe
  2904  submoremediaplayer32.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid   process
  776   4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp
- Unexpected DNS network traffic destination (2 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  152.89.198.214
  Destination IP  45.155.250.90
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  pid   process
  776   4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description  pid  process  target process
  PID 5008 wrote to memory of 776  5008  4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.exe  4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp
  PID 5008 wrote to memory of 776  5008  4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.exe  4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp
  PID 5008 wrote to memory of 776  5008  4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.exe  4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp
  PID 776 wrote to memory of 2424  776  4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp  submoremediaplayer32.exe
  PID 776 wrote to memory of 2424  776  4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp  submoremediaplayer32.exe
  PID 776 wrote to memory of 2424  776  4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp  submoremediaplayer32.exe
  PID 776 wrote to memory of 2904  776  4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp  submoremediaplayer32.exe
  PID 776 wrote to memory of 2904  776  4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp  submoremediaplayer32.exe
  PID 776 wrote to memory of 2904  776  4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp  submoremediaplayer32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.exe"
  PID: 5008
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-59P2K.tmp\4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-59P2K.tmp\4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp" /SL5="$60200,4814299,54272,C:\Users\Admin\AppData\Local\Temp\4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.exe"
    PID: 776
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Submore Media Player\submoremediaplayer32.exe
      Command line: "C:\Users\Admin\AppData\Local\Submore Media Player\submoremediaplayer32.exe" -i
      PID: 2424
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Submore Media Player\submoremediaplayer32.exe
      Command line: "C:\Users\Admin\AppData\Local\Submore Media Player\submoremediaplayer32.exe" -s
      PID: 2904
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.2MB
  MD5: d54756955c9cf7310d70aae28cf5445f
  SHA1: 703c34d6ef88b5ab063631c6acca9ba3d6d01e96
  SHA256: 05f2285e9a6bf2c2830d213aa7b859de56a5cd609991d249fdf74cdb8a488e30
  SHA512: 67542aacaac63318bcc6c35768324577342e8b46ec1acadd838660a9d122a1be6b1aba6ac783d9341c8dabc07a7c1d157f671a074562a624a9bd9f4e4bc58c64
- C:\Users\Admin\AppData\Local\Temp\is-59P2K.tmp\4914e621acfc7667849598dd0e8acf35c356ac734bb50d621bb7c378502375fc.tmp
  Filesize: 680KB
  MD5: fc38d5561cb12e0d573c043f2a02587c
  SHA1: 85881a5502366649652ef68aa644af8eb81baf1b
  SHA256: 1affeed602ac019e9274932be152257f6b4dde1fee65c4d4f9b5f64bf1d758b9
  SHA512: de6dc4bca4c3a6d1d178e62349d00b74cb02ab308fca25b772a1a47c669657fa5b70fe6adb971a5221da853a009822b70f0dfc64527abe3b4a13acb1f652cf31
- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63