Analysis

max time kernel: 293s
max time network: 301s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 00:07
Static task: static1

Behavioral task: behavioral1
  Sample: e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe
  Resource: win10-20240404-en
General

Target: e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe
Size: 4.7MB
MD5: 9cc66a8985ecfc10d165ec22bd023687
SHA1: af66dbd2ef77036ccf5c7c0fb6a86daf072b19c9
SHA256: e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592
SHA512: 93d480cc430ecf8686b975a30ec1d1215b4c1dfcb8f177300f74bc0f00f0b7bf8b4daaef639e4cab224ce3122f7faa406bc4337340a76dbb34f69213bbb80285
SSDEEP: 98304:mvL/sSGKm6RTeq5z58vBhgUzU5IAIgA5n7QL5FtE5ViHvBbFx:y/sSGK7TFz5cBh7v8AnU5F4Ax
Malware Config

Extracted: socks5systemz
  ckocdgu.net
  godhawj.com
Signatures

Detect Socks5Systemz Payload (1 IoC)
  resource: behavioral1/memory/2948-92-0x0000000002460000-0x0000000002502000-memory.dmp
  yara_rule: family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
Executes dropped EXE (3 IoCs)
  pid   process
  2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
  2612  linuxmultiMediastudio32.exe
  2948  linuxmultiMediastudio32.exe
Loads dropped DLL (5 IoCs)
  pid   process
  2360  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe
  2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
  2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
  2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
  2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
Unexpected DNS network traffic destination (13 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
Suspicious use of WriteProcessMemory (15 IoCs)
  description                         pid   process                                                                  target process
  PID 2360 wrote to memory of 2944    2360  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
  PID 2360 wrote to memory of 2944    2360  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
  PID 2360 wrote to memory of 2944    2360  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
  PID 2360 wrote to memory of 2944    2360  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
  PID 2360 wrote to memory of 2944    2360  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
  PID 2360 wrote to memory of 2944    2360  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
  PID 2360 wrote to memory of 2944    2360  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
  PID 2944 wrote to memory of 2612    2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp  linuxmultiMediastudio32.exe
  PID 2944 wrote to memory of 2612    2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp  linuxmultiMediastudio32.exe
  PID 2944 wrote to memory of 2612    2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp  linuxmultiMediastudio32.exe
  PID 2944 wrote to memory of 2612    2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp  linuxmultiMediastudio32.exe
  PID 2944 wrote to memory of 2948    2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp  linuxmultiMediastudio32.exe
  PID 2944 wrote to memory of 2948    2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp  linuxmultiMediastudio32.exe
  PID 2944 wrote to memory of 2948    2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp  linuxmultiMediastudio32.exe
  PID 2944 wrote to memory of 2948    2944  e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp  linuxmultiMediastudio32.exe
Processes

1. "C:\Users\Admin\AppData\Local\Temp\e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe"
   PID: 2360
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. "C:\Users\Admin\AppData\Local\Temp\is-ACCQI.tmp\e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp" /SL5="$5014E,4710995,54272,C:\Users\Admin\AppData\Local\Temp\e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.exe"
      PID: 2944
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      3. "C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe" -i
         PID: 2612
         - Executes dropped EXE

      3. "C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe" -s
         PID: 2948
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe
  Filesize: 2.8MB
  MD5: 20aedea04db72b4f15f5bb4b7333d65c
  SHA1: 67dd86d3250551d866603d7460ca41049bcdbdb5
  SHA256: 17773733ae280a2bebccbbf885508227046f25daa7cf0b068ba78ed00623ed80
  SHA512: 6d854cacb3da17a4a3e5b1d796628648030aa92d9b013979a9d43eb700bb09b8dd5e0664aed2e793465feba69e1c5a5bffd9f88c454c10322ce4962982d5e30c

\Users\Admin\AppData\Local\Temp\is-ACCQI.tmp\e7d7ab5931cc59dbffa5f5f90131b4bc41306bbd0e536624d2a7e54a57f1f592.tmp
  Filesize: 680KB
  MD5: da3e3293eadae0b9e8e0bb85b53bf263
  SHA1: 6fd7ba9a4f76f8500f7ec3d820f70ca0c869173f
  SHA256: ecf5f7145a55f9014f86014fd3d9a6048b8f29e653409604e4d12cb1bda2302d
  SHA512: c1b4a03f7f657f1db5bbf21f68ebce7373b90135698eb5fe4c432630e7066f0c89eeddd0f6cbb0af631ad62026992503df42e31e6999b166a541044c688a0fb8

\Users\Admin\AppData\Local\Temp\is-PR5EE.tmp\_isetup\_iscrypt.dll
  Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-PR5EE.tmp\_isetup\_shfoldr.dll
  Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
Memory dumps (Filesize)

memory/2360-2-0x0000000000401000-0x000000000040B000-memory.dmp    40KB
memory/2360-0-0x0000000000400000-0x0000000000414000-memory.dmp    80KB
memory/2360-73-0x0000000000400000-0x0000000000414000-memory.dmp   80KB
memory/2612-65-0x0000000000400000-0x00000000006D6000-memory.dmp   2.8MB
memory/2612-66-0x0000000000400000-0x00000000006D6000-memory.dmp   2.8MB
memory/2612-69-0x0000000000400000-0x00000000006D6000-memory.dmp   2.8MB
memory/2944-14-0x0000000000400000-0x00000000004BA000-memory.dmp   744KB
memory/2944-76-0x0000000003560000-0x0000000003836000-memory.dmp   2.8MB
memory/2944-64-0x0000000003560000-0x0000000003836000-memory.dmp   2.8MB
memory/2944-74-0x0000000000400000-0x00000000004BA000-memory.dmp   744KB
memory/2948-79-0x0000000000400000-0x00000000006D6000-memory.dmp   2.8MB
memory/2948-107-0x0000000000400000-0x00000000006D6000-memory.dmp  2.8MB
memory/2948-71-0x0000000000400000-0x00000000006D6000-memory.dmp   2.8MB
memory/2948-82-0x0000000000400000-0x00000000006D6000-memory.dmp   2.8MB
memory/2948-85-0x0000000000400000-0x00000000006D6000-memory.dmp   2.8MB
memory/2948-88-0x0000000000400000-0x00000000006D6000-memory.dmp   2.8MB
memory/2948-91-0x0000000000400000-0x00000000006D6000-memory.dmp   2.8MB
memory/2948-92-0x0000000002460000-0x0000000002502000-memory.dmp   648KB
memory/2948-98-0x0000000000400000-0x00000000006D6000-memory.dmp   2.8MB
memory/2948-101-0x0000000000400000-0x00000000006D6000-memory.dmp  2.8MB
memory/2948-104-0x0000000000400000-0x00000000006D6000-memory.dmp  2.8MB
memory/2948-75-0x0000000000400000-0x00000000006D6000-memory.dmp   2.8MB
memory/2948-110-0x0000000000400000-0x00000000006D6000-memory.dmp  2.8MB
memory/2948-113-0x0000000000400000-0x00000000006D6000-memory.dmp  2.8MB
memory/2948-116-0x0000000000400000-0x00000000006D6000-memory.dmp  2.8MB
memory/2948-119-0x0000000000400000-0x00000000006D6000-memory.dmp  2.8MB
memory/2948-122-0x0000000000400000-0x00000000006D6000-memory.dmp  2.8MB
memory/2948-125-0x0000000000400000-0x00000000006D6000-memory.dmp  2.8MB
memory/2948-128-0x0000000000400000-0x00000000006D6000-memory.dmp  2.8MB
memory/2948-131-0x0000000000400000-0x00000000006D6000-memory.dmp  2.8MB
memory/2948-134-0x0000000000400000-0x00000000006D6000-memory.dmp  2.8MB