Malware Analysis Report

2024-10-10 10:40

Sample ID 240611-bjyjxayemn
Target 321e35385a1910a07011008666e9b09c.exe
SHA256 025d0d86a0f636647681f95d1b9db3067fc854b81925915680118ae586b80cf0
Tags
socks5systemz botnet discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

025d0d86a0f636647681f95d1b9db3067fc854b81925915680118ae586b80cf0

Threat Level: Known bad

The file 321e35385a1910a07011008666e9b09c.exe was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Detect Socks5Systemz Payload

Socks5Systemz

Unexpected DNS network traffic destination

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 01:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 01:11

Reported

2024-06-11 01:13

Platform

win7-20240508-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\321e35385a1910a07011008666e9b09c.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 45.155.250.90 N/A N/A
Destination IP 152.89.198.214 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A147N.tmp\321e35385a1910a07011008666e9b09c.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 2472 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\321e35385a1910a07011008666e9b09c.exe C:\Users\Admin\AppData\Local\Temp\is-A147N.tmp\321e35385a1910a07011008666e9b09c.tmp
PID 2472 wrote to memory of 2608 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\is-A147N.tmp\321e35385a1910a07011008666e9b09c.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe
PID 2472 wrote to memory of 2532 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\is-A147N.tmp\321e35385a1910a07011008666e9b09c.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\321e35385a1910a07011008666e9b09c.exe

"C:\Users\Admin\AppData\Local\Temp\321e35385a1910a07011008666e9b09c.exe"

C:\Users\Admin\AppData\Local\Temp\is-A147N.tmp\321e35385a1910a07011008666e9b09c.tmp

"C:\Users\Admin\AppData\Local\Temp\is-A147N.tmp\321e35385a1910a07011008666e9b09c.tmp" /SL5="$500B6,4779156,54272,C:\Users\Admin\AppData\Local\Temp\321e35385a1910a07011008666e9b09c.exe"

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe

"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe" -i

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe

"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe" -s
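The WriteProcessMemory rows and the Processes list above describe one chain: the submitted exe launches a copy of itself from an is-XXXXX.tmp directory with a /SL5="$hwnd,n,n,source" argument, and that .tmp launches virtualsoundcard32.exe twice. The is-XXXXX.tmp directory, the /SL5= handoff and the _isetup\_shfoldr.dll / _iscrypt.dll helpers are Inno Setup's SetupLdr conventions, so the loader writing into its own .tmp child is what that installer framework always does, and the parent-to-child writes recorded for the final payload are what a process launch looks like to this signature. What singles out the payload is its image path outside the installer's Temp staging area and its two invocations with -i and -s. The script below, an added example that is not part of the sandbox report, rebuilds the process tree from rows constructed to match this run's table, counts the writes per parent/child pair, recognises the SetupLdr handoff, and lists the processes whose image will outlive the installer's cleanup. The helper names and the Temp-path heuristic are the example's own.

```python
import re
from collections import Counter

# Rows constructed from the behavioral1 "Suspicious use of WriteProcessMemory" table on
# this page; the multiplication reproduces the number of events recorded per pair.
EXE = r"C:\Users\Admin\AppData\Local\Temp\321e35385a1910a07011008666e9b09c.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp\is-A147N.tmp\321e35385a1910a07011008666e9b09c.tmp"
VSC = r"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe"
WPM_ROWS = (
    [f"PID 1712 wrote to memory of 2472 N/A {EXE} {TMP}"] * 7
    + [f"PID 2472 wrote to memory of 2608 N/A {TMP} {VSC}"] * 4
    + [f"PID 2472 wrote to memory of 2532 N/A {TMP} {VSC}"] * 4
)
# The .tmp command line from the behavioral1 "Processes" list.
TMP_CMDLINE = f'"{TMP}" /SL5="$500B6,4779156,54272,{EXE}"'

# Source and target paths both start with "C:\", so a lazy match for the first path
# stops at the separator even though the target path contains spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")
# Inno Setup SetupLdr handoff: /SL5="$<hex window handle>,<number>,<number>,<source exe>"
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),(.+)"$')


def parse_rows(rows):
    """Return (edges, images): edges counts writer->target pairs, images maps pid->path."""
    edges = Counter()
    images = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        src, dst = int(m[1]), int(m[2])
        edges[(src, dst)] += 1
        images.setdefault(src, m[3])
        images.setdefault(dst, m[4])
    return edges, images


def roots(edges):
    """PIDs that write to others but were never written to: the chain's origin."""
    writers = {s for s, _ in edges}
    targets = {d for _, d in edges}
    return sorted(writers - targets)


def render_tree(edges, images):
    """Indented one-line-per-process view with the write count on each child."""
    children = {}
    for (s, d), n in edges.items():
        children.setdefault(s, []).append((d, n))
    lines = []

    def walk(pid, depth, n):
        tag = f" ({n} writes)" if n else ""
        lines.append("  " * depth + f"{pid}{tag} {images[pid]}")
        for child, count in sorted(children.get(pid, [])):
            walk(child, depth + 1, count)

    for r in roots(edges):
        walk(r, 0, 0)
    return lines


def parse_sl5(cmdline):
    """Split a SetupLdr /SL5 argument into its fields; None if the convention is absent."""
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return {"hwnd": int(m[1], 16), "fields": (int(m[2]), int(m[3])), "source": m[4]}


def persisted_images(images):
    """PIDs whose image lives outside a \\Temp\\ path (heuristic: the installer's staging
    area is cleaned up, the dropped payload elsewhere is not)."""
    return sorted(pid for pid, path in images.items() if "\\Temp\\" not in path)


if __name__ == "__main__":
    edges, images = parse_rows(WPM_ROWS)
    print("\n".join(render_tree(edges, images)))
    print("SetupLdr handoff:", parse_sl5(TMP_CMDLINE))
    print("persisted payload PIDs:", persisted_images(images))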


Network

Country Destination Domain Proto
SE 45.155.250.90:53 bpugmei.com udp
RU 152.89.198.214:53 bpugmei.com udp
N/A 91.211.247.248:53 udp

Files

memory/1712-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1712-3-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-A147N.tmp\321e35385a1910a07011008666e9b09c.tmp

MD5 6d75c2498ef0af9a91b71d0d81d1b95e
SHA1 1476ec8e947af9a397658bec20b17854042cc0c3
SHA256 468db6dd9e5c87c34d9cb7e56ddbfaf068bbe44436fa2cfc2ada8029051e4bee
SHA512 bdc9b460a463da60c019eda9dd40929a61e77081b699d6c3a4c05309280252f7493015cf463243ff9dd3e20ddd324db39a8697f312fabfea64c78aed9ddb5027

memory/2472-9-0x0000000000400000-0x00000000004BA000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-IJ79T.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-IJ79T.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe

MD5 c64ca6ca69c83f19a71749f8bd5e5fc5
SHA1 7fd985230a5535c1b6bbfc1d703ecf91e8247739
SHA256 e6f4a8061032f1f5d1eb8eab50ababb644e301d2f5e5f98670dfebb0dca32b55
SHA512 4f04ad5363552bad2710e66965465ec3005b4bedccedf16f9b6b35b6421e47087cd5c9b231410df6fd9ac31139c996f91346045cf477f2bb387cc34a60a51a3e

memory/2472-64-0x0000000003520000-0x0000000003804000-memory.dmp

memory/2608-65-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2608-66-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2608-70-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/1712-73-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2472-74-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/2532-75-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2472-76-0x0000000003520000-0x0000000003804000-memory.dmp

memory/2532-79-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2532-82-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2532-85-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2532-88-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2532-91-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2532-92-0x00000000024D0000-0x0000000002572000-memory.dmp

memory/2532-98-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2532-101-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2532-104-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2532-107-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2532-110-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2532-113-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2532-116-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2532-119-0x0000000000400000-0x00000000006E4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 01:11

Reported

2024-06-11 01:13

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\321e35385a1910a07011008666e9b09c.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C0J8D.tmp\321e35385a1910a07011008666e9b09c.tmp N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C0J8D.tmp\321e35385a1910a07011008666e9b09c.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4352 wrote to memory of 3640 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\321e35385a1910a07011008666e9b09c.exe C:\Users\Admin\AppData\Local\Temp\is-C0J8D.tmp\321e35385a1910a07011008666e9b09c.tmp
PID 3640 wrote to memory of 624 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-C0J8D.tmp\321e35385a1910a07011008666e9b09c.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe
PID 3640 wrote to memory of 2072 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-C0J8D.tmp\321e35385a1910a07011008666e9b09c.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\321e35385a1910a07011008666e9b09c.exe

"C:\Users\Admin\AppData\Local\Temp\321e35385a1910a07011008666e9b09c.exe"

C:\Users\Admin\AppData\Local\Temp\is-C0J8D.tmp\321e35385a1910a07011008666e9b09c.tmp

"C:\Users\Admin\AppData\Local\Temp\is-C0J8D.tmp\321e35385a1910a07011008666e9b09c.tmp" /SL5="$9011A,4779156,54272,C:\Users\Admin\AppData\Local\Temp\321e35385a1910a07011008666e9b09c.exe"

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe

"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe" -i

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe

"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe" -s

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 48.110.63.41.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
HK 141.98.234.31:53 bfwspzt.com udp
BG 93.123.39.193:80 bfwspzt.com tcp
US 8.8.8.8:53 31.234.98.141.in-addr.arpa udp
BG 93.123.39.193:80 bfwspzt.com tcp
BG 93.123.39.193:80 bfwspzt.com tcp
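The "Unexpected DNS network traffic destination" signature in both runs fires on the rows above where port 53 is contacted directly on hosts in SE, RU, HK and elsewhere instead of on the VM's own resolver, and the names asked of those hosts (bpugmei.com, bfwspzt.com) are the ones the sample then connects to over TCP/80. The reverse lookups to 8.8.8.8 are ordinary PTR queries. The script below, an added example rather than part of the sandbox report, runs that logic over rows constructed from the behavioral1 and behavioral2 Network tables: it flags DNS sent to any server other than the expected resolver, separates forward names from reverse lookups, pairs non-DNS connections with the name that preceded them, and emits one indicator per line. The expected-resolver set is an assumption (the page does not state the VM's DNS configuration); the function names are the example's own.

```python
import ipaddress

# Rows constructed from the behavioral1 and behavioral2 "Network" tables on this page
# (country, destination, optional domain, protocol); one behavioral1 row has no domain.
NETWORK_ROWS = """\
SE 45.155.250.90:53 bpugmei.com udp
RU 152.89.198.214:53 bpugmei.com udp
N/A 91.211.247.248:53 udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 48.110.63.41.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
HK 141.98.234.31:53 bfwspzt.com udp
BG 93.123.39.193:80 bfwspzt.com tcp
US 8.8.8.8:53 31.234.98.141.in-addr.arpa udp
BG 93.123.39.193:80 bfwspzt.com tcp
BG 93.123.39.193:80 bfwspzt.com tcp
"""

# Assumption: the analysis VM resolves through 8.8.8.8. Anything else answering on
# port 53 is a resolver the sample chose for itself.
EXPECTED_RESOLVERS = {"8.8.8.8"}


def parse_rows(text):
    """Turn the flattened table into dicts; a three-field row has no recorded name."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unparsed row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_reverse_lookup(name):
    return name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa")


def analyse(rows, expected_resolvers=EXPECTED_RESOLVERS):
    """Flag DNS that bypasses the expected resolver, collect the forward names queried,
    and list non-DNS connections together with the name the sandbox tied to them."""
    rogue = {}          # resolver ip -> names it was asked for
    names = set()
    connections = set()
    for r in rows:
        if r["port"] == 53:
            if r["ip"] not in expected_resolvers:
                rogue.setdefault(r["ip"], set()).add(r["domain"] or "<no name recorded>")
            if r["domain"] and not is_reverse_lookup(r["domain"]):
                names.add(r["domain"])
        else:
            connections.add((r["ip"], r["port"], r["proto"], r["domain"]))
    by_addr = lambda ip: ipaddress.ip_address(ip)
    return {
        "unexpected_dns_servers": sorted(rogue, key=by_addr),
        "queries_by_rogue_server": {ip: sorted(v) for ip, v in rogue.items()},
        "forward_names": sorted(names),
        "connections": sorted(connections, key=lambda c: (by_addr(c[0]), c[1])),
    }


def ioc_lines(report):
    """One indicator per line, ready for a blocklist or a hunt query."""
    out = [f"dns-server {ip}" for ip in report["unexpected_dns_servers"]]
    out += [f"domain {n}" for n in report["forward_names"]]
    out += [f"{proto} {ip}:{port} ({name or 'no name'})"
            for ip, port, proto, name in report["connections"]]
    return out


if __name__ == "__main__":
    print("\n".join(ioc_lines(analyse(parse_rows(NETWORK_ROWS)))))
```

Treat the rogue resolver addresses as indicators in their own right: a host that sends DNS to a server the organisation never configured is worth an alert even before the queried name is known, and the 91.211.247.248 row shows why, since the sandbox recorded no name for that query at all.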

Files

memory/4352-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4352-3-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-C0J8D.tmp\321e35385a1910a07011008666e9b09c.tmp

MD5 6d75c2498ef0af9a91b71d0d81d1b95e
SHA1 1476ec8e947af9a397658bec20b17854042cc0c3
SHA256 468db6dd9e5c87c34d9cb7e56ddbfaf068bbe44436fa2cfc2ada8029051e4bee
SHA512 bdc9b460a463da60c019eda9dd40929a61e77081b699d6c3a4c05309280252f7493015cf463243ff9dd3e20ddd324db39a8697f312fabfea64c78aed9ddb5027

memory/3640-13-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BU8OD.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe

MD5 c64ca6ca69c83f19a71749f8bd5e5fc5
SHA1 7fd985230a5535c1b6bbfc1d703ecf91e8247739
SHA256 e6f4a8061032f1f5d1eb8eab50ababb644e301d2f5e5f98670dfebb0dca32b55
SHA512 4f04ad5363552bad2710e66965465ec3005b4bedccedf16f9b6b35b6421e47087cd5c9b231410df6fd9ac31139c996f91346045cf477f2bb387cc34a60a51a3e

memory/624-59-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/624-60-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/624-61-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/624-65-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-68-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/4352-69-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3640-70-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/2072-71-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-74-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-77-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-80-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-83-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-86-0x0000000002550000-0x00000000025F2000-memory.dmp

memory/2072-89-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-94-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-97-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-100-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-103-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-106-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-109-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-112-0x0000000000400000-0x00000000006E4000-memory.dmp

memory/2072-115-0x0000000000400000-0x00000000006E4000-memory.dmp