socks5systemz | 8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd

General

Target

8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.exe
Size

5.1MB
MD5

834a7f8ea3a786f4888c64e76e1cd601
SHA1

2a756ddefc27182ba96f1d6124309d8f3c8a0232
SHA256

8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd
SHA512

ac3d997f862505ba71e6061b0a88035d0f32368627ac821f5c226c7c285c94ba3e725f6a31351c256838562ea131b9ea67df5f09178bbc8f92051955b55ab1b4
SSDEEP

98304:mOLLt3h+ihHYCRMyDRcmjHUhajVfqv84qcoEpKQWfQy02GlBawQNDaAnmY6g7JXR:ltACbqMUYRS2UWn0pld4jLJIk

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1216-85-0x00000000028F0000-0x0000000002992000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1436	8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.tmp
2156	vvsoundrecorder.exe
1216	vvsoundrecorder.exe

Loads dropped DLL 1 IoCs

pid	Process
1436	8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1436	8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1436	2396	8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.exe	80
PID 2396 wrote to memory of 1436	2396	8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.exe	80
PID 2396 wrote to memory of 1436	2396	8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.exe	80
PID 1436 wrote to memory of 2156	1436	8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.tmp	82
PID 1436 wrote to memory of 2156	1436	8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.tmp	82
PID 1436 wrote to memory of 2156	1436	8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.tmp	82
PID 1436 wrote to memory of 1216	1436	8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.tmp	83
PID 1436 wrote to memory of 1216	1436	8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.tmp	83
PID 1436 wrote to memory of 1216	1436	8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.tmp	83

C:\Users\Admin\AppData\Local\Temp\8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.exe
"C:\Users\Admin\AppData\Local\Temp\8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\is-AAQFK.tmp\8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AAQFK.tmp\8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.tmp" /SL5="$A01E8,5140288,54272,C:\Users\Admin\AppData\Local\Temp\8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\VV SoundRecorder\vvsoundrecorder.exe
    "C:\Users\Admin\AppData\Local\VV SoundRecorder\vvsoundrecorder.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2156
- - C:\Users\Admin\AppData\Local\VV SoundRecorder\vvsoundrecorder.exe
    "C:\Users\Admin\AppData\Local\VV SoundRecorder\vvsoundrecorder.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-AAQFK.tmp\8dc784c1c46afbf731510fa8a170da5a2ffe226d3785a68de48fc0b87177e6bd.tmp

Filesize
680KB

MD5
be7ab81cb755ba48bd72eb7fa19830d7

SHA1
f0cf56fe6f9ae3321ee073de7317765a086bd0b3

SHA256
a7dad56e78f3d3fc99b81dee9458ee9e16fb8bd00c826c92d6d98401fc69a1cf

SHA512
890e0398040e82a46f5e0b237a31443cd6fe5d3c095ceb7c5f19772c569463e18b1a8130961276376683bb978f0431dd7fd41ca1ca25722db0b4ba3d20a9a2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MTEIQ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\VV SoundRecorder\vvsoundrecorder.exe

Filesize
3.2MB

MD5
d970ec9002193b06864a516dbe519a9b

SHA1
803956735a30e8161ba8593d04646c7ae9e8eceb

SHA256
d5a55d10fc4a58f8c04bc127838606077a5f768d768d6ac68925f50004b3578a

SHA512
69085ef94678ecca5f5081d0c116a4b9e76310a256730cdf33e0cba806b6590950275483171b8c1ea9d4c394ddc7589c4d8dc33dac4a1e84aae74e3318509200

Download Submit
memory/1216-88-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-76-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-114-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-111-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-108-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-105-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-67-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-102-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-99-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-70-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-73-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-96-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-79-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-82-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1216-85-0x00000000028F0000-0x0000000002992000-memory.dmp

Filesize
648KB

Download
memory/1216-93-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/1436-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1436-69-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2156-64-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/2156-61-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/2156-59-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/2396-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2396-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2396-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing