socks5systemz | 0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648

General

Target

0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe
Size

5.6MB
MD5

81b460232b437c7f31aec4d2bfa94ff3
SHA1

bcc068cfdde712f4c93ea7049f56761efb7f56f7
SHA256

0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648
SHA512

d58987dade30dee7c69baee5cd0e77d4b14bd1c6d89b377d6f37e3c6f03a2144aaf0567509417462c3af1ef4985cdaf09c3a2e7023dffbc382d5ccdc7a1b17c4
SSDEEP

98304:mvH8khUR2Lelf6HATyu+t/aLyWLssgo5xpaoxz4w5ZAicPGLAWpsqe2nAEfd4:SH8khUL6K+1g3ssgexcg2YLA4e2vd4

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

ezywljj.ua

kbjdxkg.ua

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2292-95-0x0000000002670000-0x0000000002712000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmplampungsoundstage.exelampungsoundstage.exe

pid process

2980 0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
2208 lampungsoundstage.exe
2292 lampungsoundstage.exe

pid	process
2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
2208	lampungsoundstage.exe
2292	lampungsoundstage.exe

Loads dropped DLL 6 IoCs

Processes:

0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp

pid	process
1936	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe
2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	152.89.198.214
Destination IP	152.89.198.214
Destination IP	152.89.198.214
Destination IP	141.98.234.31
Destination IP	152.89.198.214
Destination IP	141.98.234.31
Destination IP	81.31.197.38
Destination IP	91.211.247.248
Destination IP	81.31.197.38
Destination IP	91.211.247.248
Destination IP	45.155.250.90
Destination IP	141.98.234.31
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp

pid process

2980 0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp

pid	process
2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp

description	pid	process	target process
PID 1936 wrote to memory of 2980	1936	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
PID 1936 wrote to memory of 2980	1936	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
PID 1936 wrote to memory of 2980	1936	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
PID 1936 wrote to memory of 2980	1936	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
PID 1936 wrote to memory of 2980	1936	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
PID 1936 wrote to memory of 2980	1936	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
PID 1936 wrote to memory of 2980	1936	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
PID 2980 wrote to memory of 2208	2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp	lampungsoundstage.exe
PID 2980 wrote to memory of 2208	2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp	lampungsoundstage.exe
PID 2980 wrote to memory of 2208	2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp	lampungsoundstage.exe
PID 2980 wrote to memory of 2208	2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp	lampungsoundstage.exe
PID 2980 wrote to memory of 2292	2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp	lampungsoundstage.exe
PID 2980 wrote to memory of 2292	2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp	lampungsoundstage.exe
PID 2980 wrote to memory of 2292	2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp	lampungsoundstage.exe
PID 2980 wrote to memory of 2292	2980	0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp	lampungsoundstage.exe

C:\Users\Admin\AppData\Local\Temp\0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe
"C:\Users\Admin\AppData\Local\Temp\0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\is-VQL2F.tmp\0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VQL2F.tmp\0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp" /SL5="$400F4,5658713,54272,C:\Users\Admin\AppData\Local\Temp\0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Local\Lampung Soundstage\lampungsoundstage.exe
"C:\Users\Admin\AppData\Local\Lampung Soundstage\lampungsoundstage.exe" -i
3⤵
- Executes dropped EXE
PID:2208

C:\Users\Admin\AppData\Local\Lampung Soundstage\lampungsoundstage.exe
"C:\Users\Admin\AppData\Local\Lampung Soundstage\lampungsoundstage.exe" -s
3⤵
- Executes dropped EXE
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Lampung Soundstage\lampungsoundstage.exe
Filesize
3.2MB

MD5
75a9f6a66f3fc0722b8d91cb7e241dac

SHA1
72c739be2ba36d482ee7cdc0253b0746aa745c77

SHA256
83dac4ba941ef27b6fe0eebf983a7423b452dba22769c43e91c88a5177567dc8

SHA512
b8051e3e6b08e2e2dfc3824e211509b3997c0137f1cf3098cc2eaf01e5f63306f11696a84e8661d6d03c51c7ea5046774315608b86e2c52983ae4330d2b06942

Download Submit
\Users\Admin\AppData\Local\Temp\is-GDQ6L.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-GDQ6L.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-GDQ6L.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VQL2F.tmp\0c7cea2b9cbbceae281325ce3a8b22efe71326df833a027c61269bf64a1ea648.tmp
Filesize
680KB

MD5
5baf97b8447c7245e308c807eba2b172

SHA1
628c759120b7595bb697c14dd265f7f4616c8e72

SHA256
ef10ffb51e1be8ba1b160ebdfee12c968b3f98f71310bdcb003dd117f4b2a124

SHA512
dc38d1a5ae1e8b6f3779aea908a55a1853ecf7b6a632f11c50d9abc48aafa60e90182eb5a280d3ba94430d2ce5f02624b4c2000bd636da34643f25c95772e47d

Download Submit
memory/1936-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1936-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1936-76-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2208-72-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2208-68-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2208-69-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-85-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-122-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-137-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-134-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-78-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-131-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-82-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-128-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-88-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-91-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-94-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-95-0x0000000002670000-0x0000000002712000-memory.dmp

Filesize
648KB

Download
memory/2292-101-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-104-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-107-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-110-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-113-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-116-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-119-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-74-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2292-125-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2980-9-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2980-81-0x0000000003930000-0x0000000003C72000-memory.dmp

Filesize
3.3MB

Download
memory/2980-77-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2980-66-0x0000000003930000-0x0000000003C72000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads