socks5systemz | 9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd

General

Target

9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.exe
Size

4.7MB
MD5

0de63d14ea3d23e255c2d351370b1755
SHA1

ee2b167ff8b844d13efbde6fad9225f4cb85c679
SHA256

9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd
SHA512

c24d8d3e98eea89658c402d2a8943eaba7f02c8c1f1d8a265fe1e464901fd01dccb8b1bad73df22d2949e61cea719f94fb2f3d479d2f945337e4834425fe3e84
SSDEEP

98304:mnmZnOg2mmvANe1se+/FpqBJBxo0Rl0U37BPF7BnrAlME3hbIFgNU:QzGmINe19MwO07v7Bt7BGMEpxNU

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/2376-85-0x00000000028F0000-0x0000000002992000-memory.dmp	family_socks5systemz
behavioral2/memory/2376-109-0x00000000028F0000-0x0000000002992000-memory.dmp	family_socks5systemz
behavioral2/memory/2376-110-0x00000000028F0000-0x0000000002992000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
4160	9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.tmp
2452	moonvideo2audio.exe
2376	moonvideo2audio.exe

Loads dropped DLL 1 IoCs

pid	Process
4160	9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4160	9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4160	2228	9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.exe	79
PID 2228 wrote to memory of 4160	2228	9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.exe	79
PID 2228 wrote to memory of 4160	2228	9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.exe	79
PID 4160 wrote to memory of 2452	4160	9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.tmp	80
PID 4160 wrote to memory of 2452	4160	9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.tmp	80
PID 4160 wrote to memory of 2452	4160	9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.tmp	80
PID 4160 wrote to memory of 2376	4160	9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.tmp	81
PID 4160 wrote to memory of 2376	4160	9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.tmp	81
PID 4160 wrote to memory of 2376	4160	9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.tmp	81

C:\Users\Admin\AppData\Local\Temp\9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.exe
"C:\Users\Admin\AppData\Local\Temp\9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\is-4IVVR.tmp\9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4IVVR.tmp\9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.tmp" /SL5="$50052,4705965,54272,C:\Users\Admin\AppData\Local\Temp\9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Users\Admin\AppData\Local\Moon VideoToAudio\moonvideo2audio.exe
    "C:\Users\Admin\AppData\Local\Moon VideoToAudio\moonvideo2audio.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2452
- - C:\Users\Admin\AppData\Local\Moon VideoToAudio\moonvideo2audio.exe
    "C:\Users\Admin\AppData\Local\Moon VideoToAudio\moonvideo2audio.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Moon VideoToAudio\moonvideo2audio.exe

Filesize
2.8MB

MD5
a9c864247c7217a488484c412d2784c4

SHA1
e5bceefdf24284e7044f9def8d28280596115014

SHA256
5e46c7d921102127bf5a20718cce712f484aafa659c563a1a8f756d898414684

SHA512
e05d59df66b51d2023c60be1fbaa5a4d6b673dd24fa1565601ba428381966b5412c496c6b690272d54826ccf3716c6b489525f39d1e4b4e8a22fa15958371cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4IVVR.tmp\9fa4afa1e9b92cdb46e166d3545501e657d4f2b8457d9bfb5285167657d908dd.tmp

Filesize
680KB

MD5
476d9303236716c16be3f81757c05df3

SHA1
3873b0b66c7efb5e86b1a75301af0a271b273263

SHA256
74be7ac810d0f7fa3ed7c7d05e1e2338b38a2a2841fc6b895e92487d5f766d0b

SHA512
c777c5d2cd1cc591b0a2c54719fe11d42f1477a65bbfc29d422ef36ad6256e9987e378fe96d1cfc622bdbbedd41c69adb9cefa80be0a44b10086adb903e85226

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H5K31.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2228-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2228-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2228-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2376-99-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-85-0x00000000028F0000-0x0000000002992000-memory.dmp

Filesize
648KB

Download
memory/2376-117-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-67-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-114-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-110-0x00000000028F0000-0x0000000002992000-memory.dmp

Filesize
648KB

Download
memory/2376-70-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-73-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-76-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-79-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-82-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-109-0x00000000028F0000-0x0000000002992000-memory.dmp

Filesize
648KB

Download
memory/2376-88-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-93-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-96-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-108-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-102-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2376-105-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2452-60-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2452-59-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2452-64-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/4160-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4160-69-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing