socks5systemz | d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8

General

Target

d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.exe
Size

4.8MB
MD5

95cdd4acc94a2a915f3cff3e07aa9491
SHA1

b54601f39978e3428ec7daece9245c2c2a2e5726
SHA256

d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8
SHA512

16ef5330ba1175d01e7c9182287463b35abc265150fe93e1ee2cbac3ee0f84ef991a8cf90fe173194cb7222a10843135f6d236f6e8eb25ae338e11311f487c79
SSDEEP

98304:mzraY+eARtaMWM0Q2wqzQ+7VK42UqtjC76b5uBwWI2Jmt0K0RIV5N:WvzA3hWQ2w6B/2rtjXbctg0KQ6N

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4424-85-0x0000000000930000-0x00000000009D2000-memory.dmp	family_socks5systemz
behavioral2/memory/4424-109-0x0000000000930000-0x00000000009D2000-memory.dmp	family_socks5systemz
behavioral2/memory/4424-108-0x0000000000930000-0x00000000009D2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1320	d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.tmp
1328	ddsoundrecorder.exe
4424	ddsoundrecorder.exe

Loads dropped DLL 1 IoCs

pid	Process
1320	d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1320	d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1320	2424	d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.exe	74
PID 2424 wrote to memory of 1320	2424	d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.exe	74
PID 2424 wrote to memory of 1320	2424	d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.exe	74
PID 1320 wrote to memory of 1328	1320	d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.tmp	75
PID 1320 wrote to memory of 1328	1320	d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.tmp	75
PID 1320 wrote to memory of 1328	1320	d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.tmp	75
PID 1320 wrote to memory of 4424	1320	d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.tmp	76
PID 1320 wrote to memory of 4424	1320	d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.tmp	76
PID 1320 wrote to memory of 4424	1320	d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.tmp	76

C:\Users\Admin\AppData\Local\Temp\d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.exe
"C:\Users\Admin\AppData\Local\Temp\d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\is-G1RMB.tmp\d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-G1RMB.tmp\d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.tmp" /SL5="$901EC,4762220,54272,C:\Users\Admin\AppData\Local\Temp\d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe
    "C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1328
- - C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe
    "C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe

Filesize
2.1MB

MD5
7794b34b9d9ed70b05e78008a3feac2e

SHA1
d343c608ec31463c40d3e8517c5a74b8eb20df1c

SHA256
f3730659276da0f354310ed3fd32d4b7dcb779c4e266d583c27acdd8f226217a

SHA512
511cbb0779a4696f8169cb0976adede40b908ad69361cab493628116b04182ec35b2f1c60f86cc55ac3194c1f8f73a4b508e13df5240d75fad0d05356879ca88

Download Submit
C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe

Filesize
448KB

MD5
cf7cf2f9e8fd3c057f2017d89267c585

SHA1
546d070f7eaab446df69c9688b185d1dadc1bb92

SHA256
2bbc6a98f02c33ec9771183723d3cef9a358f200e61519ce57fd8a13cd6f73ba

SHA512
8c8b32522487f5773f9951138b2c8784ac7ae710faadc505e3f13e71792f9582e74baaee9094f21be929d4efd2f20ab3301ba761ac65b34184f20f3dfd15e3fb

Download Submit
C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe

Filesize
512KB

MD5
9a38a43454131a0517128eebe73b719c

SHA1
c1f08273a8c312faa95917c109b9260003e7f403

SHA256
fea2ba2a4bc338b673ffe97878803035d4343da0ed6d2adc18710d70fd399343

SHA512
0672bbcd81a3d2d92c3ac8d72a619833d8b41038268d714e581da46ac6dee5577a0e1f87e1c50f094de9f3d9e3ab82efe251e64da7597e1b4e39a30ea674cd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G1RMB.tmp\d19259f947fa51897af848841af56cac8195b66d1c23db23347936248a5071c8.tmp

Filesize
680KB

MD5
2c4a8f1ff8f10954432c5f20acfdea93

SHA1
f936bd942225d6581916ab90083175d65fa4224a

SHA256
1544806eea6eb81034b3d569e90aa4ac8482d2d3794095fbef882c00e1ea2969

SHA512
eec4cd2db771aaada05facf1d6d486952894ca8dcdf02428dd3d1817ba78ddac01688c4b2d8a48b49dff2d7b81389ce8460c7b05bb5830d6394fe34bc5b6bca6

Download Submit
\Users\Admin\AppData\Local\Temp\is-TGBPN.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1320-69-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1320-8-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1328-60-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/1328-64-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/1328-59-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/2424-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2424-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2424-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4424-76-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-101-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-73-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-66-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-79-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-82-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-85-0x0000000000930000-0x00000000009D2000-memory.dmp

Filesize
648KB

Download
memory/4424-87-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-92-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-95-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-98-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-70-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-104-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-107-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-109-0x0000000000930000-0x00000000009D2000-memory.dmp

Filesize
648KB

Download
memory/4424-108-0x0000000000930000-0x00000000009D2000-memory.dmp

Filesize
648KB

Download
memory/4424-113-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-116-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-119-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-122-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-125-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-128-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing