socks5systemz | c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994

General

Target

c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exe
Size

4.6MB
MD5

9a1cd03106b58e79be50e1e0367814c3
SHA1

35de70ecfe06a3905eda04858116dc1401e8c382
SHA256

c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994
SHA512

c724c001470cb73379ff346fd2ef4e7146cd1beda9eec5eebc730f8e4cc9aca7f37362073a51c721024a8342057dec926959e6e1390460893425313b9a38615e
SSDEEP

98304:mu/ugoYX+LmCIRcOTwprfpZDhEqLQ6IGdAHDYZWa6fgjytY8Og:R/ugoZmjcOTktl+qL3SHcZTcgl8Og

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

bpdxvde.com

fyfkumx.ru

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2532-92-0x0000000002570000-0x0000000002612000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmpvirtualsoundcard.exevirtualsoundcard.exe

pid process

2196 c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
2236 virtualsoundcard.exe
2532 virtualsoundcard.exe

pid	process
2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
2236	virtualsoundcard.exe
2532	virtualsoundcard.exe

Loads dropped DLL 5 IoCs

Processes:

c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exec617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp

pid	process
2960	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exe
2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	81.31.197.38
Destination IP	152.89.198.214
Destination IP	91.211.247.248
Destination IP	91.211.247.248
Destination IP	45.155.250.90
Destination IP	152.89.198.214
Destination IP	141.98.234.31
Destination IP	45.155.250.90
Destination IP	141.98.234.31
Destination IP	45.155.250.90
Destination IP	81.31.197.38
Destination IP	141.98.234.31
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp

pid process

2196 c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp

pid	process
2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exec617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp

description	pid	process	target process
PID 2960 wrote to memory of 2196	2960	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exe	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
PID 2960 wrote to memory of 2196	2960	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exe	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
PID 2960 wrote to memory of 2196	2960	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exe	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
PID 2960 wrote to memory of 2196	2960	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exe	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
PID 2960 wrote to memory of 2196	2960	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exe	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
PID 2960 wrote to memory of 2196	2960	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exe	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
PID 2960 wrote to memory of 2196	2960	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exe	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
PID 2196 wrote to memory of 2236	2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp	virtualsoundcard.exe
PID 2196 wrote to memory of 2236	2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp	virtualsoundcard.exe
PID 2196 wrote to memory of 2236	2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp	virtualsoundcard.exe
PID 2196 wrote to memory of 2236	2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp	virtualsoundcard.exe
PID 2196 wrote to memory of 2532	2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp	virtualsoundcard.exe
PID 2196 wrote to memory of 2532	2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp	virtualsoundcard.exe
PID 2196 wrote to memory of 2532	2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp	virtualsoundcard.exe
PID 2196 wrote to memory of 2532	2196	c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp	virtualsoundcard.exe

C:\Users\Admin\AppData\Local\Temp\c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exe
"C:\Users\Admin\AppData\Local\Temp\c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\is-9VJIL.tmp\c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9VJIL.tmp\c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp" /SL5="$40150,4581277,54272,C:\Users\Admin\AppData\Local\Temp\c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe" -i
3⤵
- Executes dropped EXE
PID:2236

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe" -s
3⤵
- Executes dropped EXE
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-2FIGP.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-2FIGP.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-9VJIL.tmp\c617f96fa1a4855f1fa98176cad36cc4c38e28963324788230e1a9eaf97dc994.tmp
Filesize
680KB

MD5
e5c6fc27d2665f4ba98d9837652d4446

SHA1
68205e893b6b217a6b6beb921e758ee222fdd674

SHA256
b800a709dfe4e318a5160fda1fa01e2815e834bd6166e66cefa04298bce0cdbc

SHA512
f1989ea07a01b5696318e9d898f8ec4c10e846ab334ff053c58f00104a89804367f1ebd6c227033f3dd069ac311d0fe805694584e3a8152a8dc5eb23ae05dcbe

Download Submit
\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
Filesize
2.6MB

MD5
8ce4111540411130233d63ca29c03d50

SHA1
d2a8711ae935250aefc156b7a6d2e9e2698b114a

SHA256
fb114d37e09d9f67d6760e46683b67f5aa0795a6c44fb38fdb654dd16c3f5d2a

SHA512
343ef30eb28c8f74ce3bcc7c1ea322fe6008e846bf808108c3b62142e5e6c6ed8460ebff06949e283e0339eff9debaa6c85b612d5749fd13554306cc345438ba

Download Submit
memory/2196-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2196-76-0x0000000005A30000-0x0000000005CD9000-memory.dmp

Filesize
2.7MB

Download
memory/2196-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2196-63-0x0000000005A30000-0x0000000005CD9000-memory.dmp

Filesize
2.7MB

Download
memory/2236-65-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2236-66-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2236-69-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-79-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-98-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-71-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-75-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-134-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-131-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-82-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-85-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-88-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-91-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-92-0x0000000002570000-0x0000000002612000-memory.dmp

Filesize
648KB

Download
memory/2532-128-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-101-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-104-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-107-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-110-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-113-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-116-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-119-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-122-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2532-125-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/2960-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2960-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2960-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads