socks5systemz | d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9

General

Target

d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.exe
Size

4.9MB
MD5

a38cd912033bfa30896e0877a2ad31c0
SHA1

7a18139ff0c9ab1a8c570e47e9c1db98bcf526c3
SHA256

d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9
SHA512

b166084a0ac085520482bae79b011befb8f12dc62a901302edea8994babb0800521ca871a044f1c0968b932a77ecfc56db300a0f46cb858e263f17869e125ff0
SSDEEP

98304:m7D/RL+V5xCyjWydeuerhhbffe+sWj5OTnTIxLYlOcQc5NuIKCDzEO:8L+fxCgZef7XsNTusnYIHnP

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2508-92-0x0000000002630000-0x00000000026D2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp
2780	ddsoundrecorder.exe
2508	ddsoundrecorder.exe

Loads dropped DLL 5 IoCs

pid	Process
3044	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.exe
2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp
2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp
2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp
2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2928	3044	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.exe	28
PID 3044 wrote to memory of 2928	3044	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.exe	28
PID 3044 wrote to memory of 2928	3044	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.exe	28
PID 3044 wrote to memory of 2928	3044	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.exe	28
PID 3044 wrote to memory of 2928	3044	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.exe	28
PID 3044 wrote to memory of 2928	3044	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.exe	28
PID 3044 wrote to memory of 2928	3044	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.exe	28
PID 2928 wrote to memory of 2780	2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp	29
PID 2928 wrote to memory of 2780	2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp	29
PID 2928 wrote to memory of 2780	2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp	29
PID 2928 wrote to memory of 2780	2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp	29
PID 2928 wrote to memory of 2508	2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp	30
PID 2928 wrote to memory of 2508	2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp	30
PID 2928 wrote to memory of 2508	2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp	30
PID 2928 wrote to memory of 2508	2928	d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp	30

C:\Users\Admin\AppData\Local\Temp\d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.exe
"C:\Users\Admin\AppData\Local\Temp\d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\is-IKMAM.tmp\d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IKMAM.tmp\d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp" /SL5="$30098,4871470,54272,C:\Users\Admin\AppData\Local\Temp\d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe
    "C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2780
- - C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe
    "C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe

Filesize
3.4MB

MD5
2ecfffe908dd9d123727e908d8db0f5a

SHA1
7e98823dfa418f932bf81c2c9e3579f3032264b4

SHA256
07bff68d5de8499243115d088a885c204c6e7ae26c1d9fbd739ccc53a16fedb5

SHA512
8bedeb3bbeaf261fa2d30a078afd0671106a4ef8d6db5e3f3b439636597a4bf8acbc9ac2b3745f06452e423eefc6a42795fd3c6852385f4ef9ad82a93cf4183f

Download Submit
\Users\Admin\AppData\Local\Temp\is-036E2.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-036E2.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-IKMAM.tmp\d0def0491d9aae6922fa2d6389a2c93d8fe5863b6559912df9628153474cd4b9.tmp

Filesize
680KB

MD5
70fd6deadd1960b2ff7b8af1130115a5

SHA1
3910f645f5f3a50f13246b63945faa38fef17df2

SHA256
851e14a559110237fc543724e581da0098f4f52e10045cb4d97a6fed1923b361

SHA512
784830b1b2dc3b89d6aaa3276578fb8ec07edfcfc288659e59b92c5d012b7791d6bfbd95570652e993ec041a51a156b31a7ba962dc3dcb5e064faa04f3de180e

Download Submit
memory/2508-92-0x0000000002630000-0x00000000026D2000-memory.dmp

Filesize
648KB

Download
memory/2508-82-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-119-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-116-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-113-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-110-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-107-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-71-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-104-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-101-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-75-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-78-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-98-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-91-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-85-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2508-88-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2780-69-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2780-66-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2780-65-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/2928-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-79-0x0000000003C30000-0x0000000003F9D000-memory.dmp

Filesize
3.4MB

Download
memory/2928-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-64-0x0000000003C30000-0x0000000003F9D000-memory.dmp

Filesize
3.4MB

Download
memory/3044-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3044-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3044-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing