socks5systemz | fe66709abfc8ebc81d937807326ec8919af8da242aac4c76562a98011c239929

General

Target

c7f269530aac06901c11c689ff5902ff.exe
Size

6.6MB
MD5

c7f269530aac06901c11c689ff5902ff
SHA1

7525944a775e54cd7b8a7b6a36415cbb17cc72d6
SHA256

fe66709abfc8ebc81d937807326ec8919af8da242aac4c76562a98011c239929
SHA512

1a2329c50666a81f594e9239795afefb9ece537a83326a80b15c4daf8af565b96c30c792938eb0d4836dc4a888fd60010c922bf00570776d47472f53492f4830
SSDEEP

196608:p0JwFa7+qvAq++YsoRxwNOfaHRn9+eoPOMO9CgT9v:pFA+qQhRxwsfaHVg/POM8d

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2536-92-0x00000000027B0000-0x0000000002852000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
3048	c7f269530aac06901c11c689ff5902ff.tmp
2768	berryplayer.exe
2536	berryplayer.exe

Loads dropped DLL 5 IoCs

pid	Process
2984	c7f269530aac06901c11c689ff5902ff.exe
3048	c7f269530aac06901c11c689ff5902ff.tmp
3048	c7f269530aac06901c11c689ff5902ff.tmp
3048	c7f269530aac06901c11c689ff5902ff.tmp
3048	c7f269530aac06901c11c689ff5902ff.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3048	c7f269530aac06901c11c689ff5902ff.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 3048	2984	c7f269530aac06901c11c689ff5902ff.exe	28
PID 2984 wrote to memory of 3048	2984	c7f269530aac06901c11c689ff5902ff.exe	28
PID 2984 wrote to memory of 3048	2984	c7f269530aac06901c11c689ff5902ff.exe	28
PID 2984 wrote to memory of 3048	2984	c7f269530aac06901c11c689ff5902ff.exe	28
PID 2984 wrote to memory of 3048	2984	c7f269530aac06901c11c689ff5902ff.exe	28
PID 2984 wrote to memory of 3048	2984	c7f269530aac06901c11c689ff5902ff.exe	28
PID 2984 wrote to memory of 3048	2984	c7f269530aac06901c11c689ff5902ff.exe	28
PID 3048 wrote to memory of 2768	3048	c7f269530aac06901c11c689ff5902ff.tmp	29
PID 3048 wrote to memory of 2768	3048	c7f269530aac06901c11c689ff5902ff.tmp	29
PID 3048 wrote to memory of 2768	3048	c7f269530aac06901c11c689ff5902ff.tmp	29
PID 3048 wrote to memory of 2768	3048	c7f269530aac06901c11c689ff5902ff.tmp	29
PID 3048 wrote to memory of 2536	3048	c7f269530aac06901c11c689ff5902ff.tmp	30
PID 3048 wrote to memory of 2536	3048	c7f269530aac06901c11c689ff5902ff.tmp	30
PID 3048 wrote to memory of 2536	3048	c7f269530aac06901c11c689ff5902ff.tmp	30
PID 3048 wrote to memory of 2536	3048	c7f269530aac06901c11c689ff5902ff.tmp	30

C:\Users\Admin\AppData\Local\Temp\c7f269530aac06901c11c689ff5902ff.exe
"C:\Users\Admin\AppData\Local\Temp\c7f269530aac06901c11c689ff5902ff.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\is-STFM2.tmp\c7f269530aac06901c11c689ff5902ff.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-STFM2.tmp\c7f269530aac06901c11c689ff5902ff.tmp" /SL5="$30150,6626097,54272,C:\Users\Admin\AppData\Local\Temp\c7f269530aac06901c11c689ff5902ff.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Berry Player\berryplayer.exe
    "C:\Users\Admin\AppData\Local\Berry Player\berryplayer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2768
- - C:\Users\Admin\AppData\Local\Berry Player\berryplayer.exe
    "C:\Users\Admin\AppData\Local\Berry Player\berryplayer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Berry Player\berryplayer.exe

Filesize
5.2MB

MD5
f0e327aae4d7e3c2f5389c2d2ab11215

SHA1
3321fcc71fc19f96d4bc0f46b7b3a449b5262e3a

SHA256
48c0d7de96ff41b0b1cf1ec36efaeb961269935ea5e893c8852d108c2ea1f197

SHA512
f3936620ce6d73b6566b5a13da7d99952c70dd17667d968b44f0020eba20214bdcf7abb6f6241ac3da6942944e10c9aa662f4f5f963273670fbbc01b5b5d300c

Download Submit
\Users\Admin\AppData\Local\Temp\is-PDVL7.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-PDVL7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-STFM2.tmp\c7f269530aac06901c11c689ff5902ff.tmp

Filesize
680KB

MD5
b809a8c0040fe49b2577fba871c59727

SHA1
b9829c613284f08b50474e2b9d06298d135c253a

SHA256
8dcb0851c97099ae63a077dc7d51a9510bce2351134710f00a0805b6f488a0d4

SHA512
46a30a52d9e377ce983e7767b4b1607fbbc741f97e1b77c2c8c0836fd50847bf413fbabdc876505efc2fa00d49348d0880e8dfd89da2f8cfacbdf41dd00c5d8b

Download Submit
memory/2536-92-0x00000000027B0000-0x0000000002852000-memory.dmp

Filesize
648KB

Download
memory/2536-82-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-120-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-117-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-113-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-110-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-107-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-71-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-104-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-101-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-75-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-98-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-79-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-91-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-85-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2536-88-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2768-69-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2768-66-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2768-65-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2984-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2984-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2984-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3048-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3048-76-0x0000000005920000-0x0000000005E5C000-memory.dmp

Filesize
5.2MB

Download
memory/3048-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3048-64-0x0000000005920000-0x0000000005E5C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing