socks5systemz | 51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9

General

Target

51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe
Size

4.8MB
MD5

386c7d06155d8754f0eeddf9a984eef2
SHA1

1613630666cb0ba426ad0acf0cb8a6d7ee0d2a4e
SHA256

51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9
SHA512

5e2e1b8229e5e6026277b1630cc718592667aeef3603979ca0a08f137856f3ebed5765dd699107db0646ced40d8e2ffa539877272ab62b4ac52e179ef0f39f82
SSDEEP

98304:my5CT2EQsbOgvAi9VaFgWoTKOwTuKRygJlt4A5nG/C:1CT2Hgvbbm4JwSKRy+BVG/C

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

bfidbcp.com

gdyctpo.com

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2496-92-0x00000000025F0000-0x0000000002692000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmpm4atomp3converter.exem4atomp3converter.exe

pid process

2008 51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
2492 m4atomp3converter.exe
2496 m4atomp3converter.exe

pid	process
2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
2492	m4atomp3converter.exe
2496	m4atomp3converter.exe

Loads dropped DLL 5 IoCs

Processes:

51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp

pid	process
2256	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe
2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	152.89.198.214
Destination IP	45.155.250.90
Destination IP	141.98.234.31
Destination IP	152.89.198.214
Destination IP	141.98.234.31
Destination IP	91.211.247.248
Destination IP	141.98.234.31
Destination IP	141.98.234.31
Destination IP	152.89.198.214
Destination IP	81.31.197.38
Destination IP	91.211.247.248
Destination IP	81.31.197.38
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp

pid process

2008 51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp

pid	process
2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp

description	pid	process	target process
PID 2256 wrote to memory of 2008	2256	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
PID 2256 wrote to memory of 2008	2256	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
PID 2256 wrote to memory of 2008	2256	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
PID 2256 wrote to memory of 2008	2256	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
PID 2256 wrote to memory of 2008	2256	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
PID 2256 wrote to memory of 2008	2256	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
PID 2256 wrote to memory of 2008	2256	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
PID 2008 wrote to memory of 2492	2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp	m4atomp3converter.exe
PID 2008 wrote to memory of 2492	2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp	m4atomp3converter.exe
PID 2008 wrote to memory of 2492	2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp	m4atomp3converter.exe
PID 2008 wrote to memory of 2492	2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp	m4atomp3converter.exe
PID 2008 wrote to memory of 2496	2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp	m4atomp3converter.exe
PID 2008 wrote to memory of 2496	2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp	m4atomp3converter.exe
PID 2008 wrote to memory of 2496	2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp	m4atomp3converter.exe
PID 2008 wrote to memory of 2496	2008	51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp	m4atomp3converter.exe

C:\Users\Admin\AppData\Local\Temp\51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe
"C:\Users\Admin\AppData\Local\Temp\51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\is-CM090.tmp\51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CM090.tmp\51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp" /SL5="$3012E,4801606,54272,C:\Users\Admin\AppData\Local\Temp\51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\M4A to MP3 Free Converter\m4atomp3converter.exe
"C:\Users\Admin\AppData\Local\M4A to MP3 Free Converter\m4atomp3converter.exe" -i
3⤵
- Executes dropped EXE
PID:2492

C:\Users\Admin\AppData\Local\M4A to MP3 Free Converter\m4atomp3converter.exe
"C:\Users\Admin\AppData\Local\M4A to MP3 Free Converter\m4atomp3converter.exe" -s
3⤵
- Executes dropped EXE
PID:2496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\M4A to MP3 Free Converter\m4atomp3converter.exe
Filesize
2.9MB

MD5
98889915a7331404165b1b921af5c5e7

SHA1
1300f471cb455cf375eefc63c6f07ba955e14174

SHA256
cef231d56d9ba3b136f92be995e89d39dd4d08eae57a34e03bc762b658b195e9

SHA512
e6282b56925afcb7504ae2cc526964043ed0c1a6a10385ecae561dcc70345d8e5846ed2b2596a8a6469dba5cb9327fcc267c091c77172d269b56b69d4fc5e103

Download Submit
\Users\Admin\AppData\Local\Temp\is-CM090.tmp\51bb1e820aa2e4148973c854ddb8a322cccca0f4885fb40cb62e760feaf8e9d9.tmp
Filesize
680KB

MD5
984e6b8a7e6fa5cbf5a45904b1defc00

SHA1
37ce92d6cf1a117a191d14cc7fa1a6a97c05c967

SHA256
3313fd9ad369bdee368d356036858a7fcc6182175a30a92a6b73e41e1b2a5eb7

SHA512
55af997bfcc532ff01e593471197555432481587c263eb3777e511c656e030edd6c34edce0778b07e117dae4b9ed18976d2ec5c2fe127511a5f29928223ab7c8

Download Submit
\Users\Admin\AppData\Local\Temp\is-J7QQL.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-J7QQL.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2008-9-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2008-78-0x0000000004280000-0x000000000456C000-memory.dmp

Filesize
2.9MB

Download
memory/2008-63-0x0000000004280000-0x000000000456C000-memory.dmp

Filesize
2.9MB

Download
memory/2008-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2256-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2256-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2256-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2492-65-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2492-66-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2492-69-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-79-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-107-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-71-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-82-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-85-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-88-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-91-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-92-0x00000000025F0000-0x0000000002692000-memory.dmp

Filesize
648KB

Download
memory/2496-98-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-101-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-104-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-75-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-110-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-113-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-116-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-119-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-122-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-125-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-128-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-131-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2496-134-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads