socks5systemz | e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee

General

Target

e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.exe
Size

4.7MB
MD5

fd3d305fbcf8727d7aafc869c3579b76
SHA1

404c85bad23a3e76256b87e0824607f89a4309ec
SHA256

e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee
SHA512

56479e2dd8ed464b156c861204bc1c67904afa5d983ee76365828eb3f782623384f26256756bcd68a5464e13f6196a27f68d10a8ff485a6cd8d2de902d083675
SSDEEP

98304:mme8wAi8KfZJHcTukhR5JBHm+Yuym66A8Ixs3Aoc+YnRnjQCHRd5yxMMG:8Ai1xJHcTH5JBG+Yu+fgAoMRjPxazG

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2468-92-0x00000000025E0000-0x0000000002682000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp
2472	fgaudioconverter.exe
2468	fgaudioconverter.exe

Loads dropped DLL 5 IoCs

pid	Process
2740	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.exe
2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp
2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp
2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp
2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2384	2740	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.exe	28
PID 2740 wrote to memory of 2384	2740	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.exe	28
PID 2740 wrote to memory of 2384	2740	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.exe	28
PID 2740 wrote to memory of 2384	2740	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.exe	28
PID 2740 wrote to memory of 2384	2740	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.exe	28
PID 2740 wrote to memory of 2384	2740	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.exe	28
PID 2740 wrote to memory of 2384	2740	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.exe	28
PID 2384 wrote to memory of 2472	2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp	29
PID 2384 wrote to memory of 2472	2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp	29
PID 2384 wrote to memory of 2472	2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp	29
PID 2384 wrote to memory of 2472	2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp	29
PID 2384 wrote to memory of 2468	2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp	30
PID 2384 wrote to memory of 2468	2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp	30
PID 2384 wrote to memory of 2468	2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp	30
PID 2384 wrote to memory of 2468	2384	e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp	30

C:\Users\Admin\AppData\Local\Temp\e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.exe
"C:\Users\Admin\AppData\Local\Temp\e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\is-O2GGP.tmp\e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-O2GGP.tmp\e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp" /SL5="$5014E,4716753,54272,C:\Users\Admin\AppData\Local\Temp\e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Local\FGaudioConverter\fgaudioconverter.exe
    "C:\Users\Admin\AppData\Local\FGaudioConverter\fgaudioconverter.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2472
- - C:\Users\Admin\AppData\Local\FGaudioConverter\fgaudioconverter.exe
    "C:\Users\Admin\AppData\Local\FGaudioConverter\fgaudioconverter.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\FGaudioConverter\fgaudioconverter.exe

Filesize
2.8MB

MD5
92f136d8df2f6d15d308d911d5a3896b

SHA1
421e68168ce881859cbca6555db5227d3264a6e9

SHA256
b15cfba9bb12d1fd33c512d79ea37ae51384e820c384d0ac2e03bc5840c89d6a

SHA512
e20a578e148322f635ce8a7fc6a812e22be8aabaa72e95fd060a22cd8c24e1257074823d9c475a7eb95e5930fb3cf856755adcb4ed5da703aea6c83133d3ecdd

Download Submit
\Users\Admin\AppData\Local\Temp\is-9D9D5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-9D9D5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-O2GGP.tmp\e362af985a7297aa6eb102e810d7e32944fba39e4eb45236e02d0aa2243ec3ee.tmp

Filesize
680KB

MD5
94386e4fb729f842d84a111bd142174c

SHA1
e94df39057b51a1560933864c94124762a11e723

SHA256
0dbada1683b9820fa91c465ec837eecb0a243e32ce066d1202f6628c2c3b138e

SHA512
8614066d56b1b4968a787e384dc8249b82011f10cb7341a870145170d023fef8bcf62b4709fbbabe4ff83a179239d5ff1cb7f9ecf46bd7051ff6fd9c02586fbf

Download Submit
memory/2384-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2384-79-0x0000000003900000-0x0000000003BD8000-memory.dmp

Filesize
2.8MB

Download
memory/2384-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2384-64-0x0000000003900000-0x0000000003BD8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-104-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-92-0x00000000025E0000-0x0000000002682000-memory.dmp

Filesize
648KB

Download
memory/2468-135-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-71-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-132-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-129-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-75-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-78-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-126-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-82-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-85-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-88-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-91-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-122-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-98-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-101-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-119-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-107-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-110-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-113-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2468-116-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2472-66-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2472-65-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2472-69-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2740-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2740-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2740-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing