socks5systemz | c7b130f5b5a0c5d2fa4d202143d40393eccd2bcf563c7496a51ee267dd50bc16

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.exe
Size

4.7MB
MD5

d30043dfaa42f25de126e50c5e9ed047
SHA1

c80d749438fe7d51b92c6fa6b3274681347419a5
SHA256

18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076
SHA512

70a454e8dfa2ee462f4983c89a726ec8bf1d77a97546cc3f48392c6a31e7588cccab7eb591630443b12e5feb351a79cc682edc81e9ac481b530f426383bf11c1
SSDEEP

98304:mhV9nxxynoPMx+Us2wdqATwnwxZNjPp/nMe53rCkUmFail6IGx:FozdUnkbPp/bUm7l6P

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

erqrieg.ua

http://erqrieg.ua/search/?q=67e28dd83e0bfb2e455aa5187c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ae8889b5e4fa9281ae978f171ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ff716c9e9929d32

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral5/memory/2352-88-0x0000000000960000-0x0000000000A02000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmpvirtualsoundcard32.exevirtualsoundcard32.exe

pid process

4892 18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp
1828 virtualsoundcard32.exe
2352 virtualsoundcard32.exe
Loads dropped DLL 1 IoCs

Processes:

18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp

pid process

4892 18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 141.98.234.31
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp

pid process

4892 18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp

pid	process
4892	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp
1828	virtualsoundcard32.exe
2352	virtualsoundcard32.exe

pid	process
4892	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp

description	ioc
Destination IP	141.98.234.31

pid	process
4892	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.exe18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp

description	pid	process	target process
PID 4532 wrote to memory of 4892	4532	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.exe	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp
PID 4532 wrote to memory of 4892	4532	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.exe	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp
PID 4532 wrote to memory of 4892	4532	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.exe	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp
PID 4892 wrote to memory of 1828	4892	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp	virtualsoundcard32.exe
PID 4892 wrote to memory of 1828	4892	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp	virtualsoundcard32.exe
PID 4892 wrote to memory of 1828	4892	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp	virtualsoundcard32.exe
PID 4892 wrote to memory of 2352	4892	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp	virtualsoundcard32.exe
PID 4892 wrote to memory of 2352	4892	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp	virtualsoundcard32.exe
PID 4892 wrote to memory of 2352	4892	18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp	virtualsoundcard32.exe

C:\Users\Admin\AppData\Local\Temp\18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.exe
"C:\Users\Admin\AppData\Local\Temp\18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\is-U1KI1.tmp\18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U1KI1.tmp\18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp" /SL5="$801DA,4643210,54272,C:\Users\Admin\AppData\Local\Temp\18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe
"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe" -i
3⤵
- Executes dropped EXE
PID:1828

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe
"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe" -s
3⤵
- Executes dropped EXE
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3NJ3F.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U1KI1.tmp\18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.tmp
Filesize
680KB

MD5
6d75c2498ef0af9a91b71d0d81d1b95e

SHA1
1476ec8e947af9a397658bec20b17854042cc0c3

SHA256
468db6dd9e5c87c34d9cb7e56ddbfaf068bbe44436fa2cfc2ada8029051e4bee

SHA512
bdc9b460a463da60c019eda9dd40929a61e77081b699d6c3a4c05309280252f7493015cf463243ff9dd3e20ddd324db39a8697f312fabfea64c78aed9ddb5027

Download Submit
C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard32.exe
Filesize
2.7MB

MD5
bc0c473b23c44af01cbb8ba970117f3e

SHA1
8ad4bc8affeb71150f173953d540d61e3d558bac

SHA256
b42200048f2fd7ada339a47e6b5c27ba772ec4b72072a98aacb9b05997bd8786

SHA512
d0067e036fa993bdd1a6d287215676c972db958165324a9ed7c8e325558530a4d2b979f0150d508f5fa671957101df023791d22f027ad38ab29e46e626b68d11

Download Submit
memory/1828-60-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/1828-63-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/1828-65-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/1828-59-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-72-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-99-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-67-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-118-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-69-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-115-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-111-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-108-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-75-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-76-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-79-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-82-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-85-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-88-0x0000000000960000-0x0000000000A02000-memory.dmp

Filesize
648KB

Download
memory/2352-91-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-96-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-105-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2352-102-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/4532-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4532-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4532-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4892-13-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4892-71-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download