socks5systemz | 115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415

General

Target

115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe
Size

4.5MB
MD5

7349b41ae1386ba41cbd2c527a791cc0
SHA1

1bd1be063facd0b8e58c52a84cc1b9c283406f83
SHA256

115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415
SHA512

81ee53b8b321ee68a2f7293bd548aa1285c63aaddf2adfec77a38593e1f4e6a22a5055f7b96cacf5a253ff9a207023862b2e61c6ceb87c85505f17ea4c7b90c8
SSDEEP

98304:mkIVgsXFyGsYKO3ujhvUChaMZY00TL5XXMGFGg/a7:tygsXFyx3ku9cg03ZMOS

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

csrdxxq.net

hcfuoen.net

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2628-92-0x0000000002620000-0x00000000026C2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmpmediaplayerrptuning32.exemediaplayerrptuning32.exe

pid process

316 115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
1216 mediaplayerrptuning32.exe
2628 mediaplayerrptuning32.exe

pid	process
316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
1216	mediaplayerrptuning32.exe
2628	mediaplayerrptuning32.exe

Loads dropped DLL 5 IoCs

Processes:

115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp

pid	process
2216	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe
316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	91.211.247.248
Destination IP	141.98.234.31
Destination IP	152.89.198.214
Destination IP	91.211.247.248
Destination IP	141.98.234.31
Destination IP	45.155.250.90
Destination IP	152.89.198.214
Destination IP	91.211.247.248
Destination IP	152.89.198.214
Destination IP	45.155.250.90
Destination IP	141.98.234.31
Destination IP	81.31.197.38
Destination IP	81.31.197.38

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp

pid process

316 115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp

pid	process
316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp

description	pid	process	target process
PID 2216 wrote to memory of 316	2216	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
PID 2216 wrote to memory of 316	2216	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
PID 2216 wrote to memory of 316	2216	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
PID 2216 wrote to memory of 316	2216	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
PID 2216 wrote to memory of 316	2216	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
PID 2216 wrote to memory of 316	2216	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
PID 2216 wrote to memory of 316	2216	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
PID 316 wrote to memory of 1216	316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp	mediaplayerrptuning32.exe
PID 316 wrote to memory of 1216	316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp	mediaplayerrptuning32.exe
PID 316 wrote to memory of 1216	316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp	mediaplayerrptuning32.exe
PID 316 wrote to memory of 1216	316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp	mediaplayerrptuning32.exe
PID 316 wrote to memory of 2628	316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp	mediaplayerrptuning32.exe
PID 316 wrote to memory of 2628	316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp	mediaplayerrptuning32.exe
PID 316 wrote to memory of 2628	316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp	mediaplayerrptuning32.exe
PID 316 wrote to memory of 2628	316	115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp	mediaplayerrptuning32.exe

C:\Users\Admin\AppData\Local\Temp\115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe
"C:\Users\Admin\AppData\Local\Temp\115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\is-VUEHH.tmp\115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VUEHH.tmp\115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp" /SL5="$400F6,4435208,54272,C:\Users\Admin\AppData\Local\Temp\115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Media Player RPTuning\mediaplayerrptuning32.exe
"C:\Users\Admin\AppData\Local\Media Player RPTuning\mediaplayerrptuning32.exe" -i
3⤵
- Executes dropped EXE
PID:1216

C:\Users\Admin\AppData\Local\Media Player RPTuning\mediaplayerrptuning32.exe
"C:\Users\Admin\AppData\Local\Media Player RPTuning\mediaplayerrptuning32.exe" -s
3⤵
- Executes dropped EXE
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Media Player RPTuning\mediaplayerrptuning32.exe
Filesize
2.3MB

MD5
eef29b649d63ccaa5b4b6110f8e7778d

SHA1
9827c140a889b244b8dd44ca2606853304e7921b

SHA256
7ca9d06027e28e1089a1cf6fc8bb9c0dee43d7251b54452339bb4ab18f8a9cde

SHA512
b13509c2c386bfad461924f6abbaabb693617d682c5581801beb77cbfab99b8cbd6e97ac4bb273656f93e24f6297ff787df7169050db3d4dcef237b8e4a0f51c

Download Submit
\Users\Admin\AppData\Local\Temp\is-KDSEM.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-KDSEM.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VUEHH.tmp\115cd73c234674adbcc04ebe6a5e39c2c2b0af9d8195ae9adc5203a2dbb15415.tmp
Filesize
680KB

MD5
0974ba095ce319c21275c60758122947

SHA1
a459f36fc33297d242af213eda9d326967c9bcd5

SHA256
b1d3bfec6e0fd3effd9f9c661082d9b8bd8b01cc7168b0ec73d2e1df195362a6

SHA512
01bdc7b62f999a2a099277a6caee7e721bb1cb3e9639e955edf412e206ea6de4d7b68cb60c31644869a09c9e28ee02b4b327bf2e3e338dbbe8a2b3537055c7ec

Download Submit
memory/316-79-0x0000000003550000-0x00000000037A9000-memory.dmp

Filesize
2.3MB

Download
memory/316-64-0x0000000003550000-0x00000000037A9000-memory.dmp

Filesize
2.3MB

Download
memory/316-19-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/316-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1216-65-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/1216-67-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/1216-69-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2216-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2216-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2216-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2628-88-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-107-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-75-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-82-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-85-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-71-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-91-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-92-0x0000000002620000-0x00000000026C2000-memory.dmp

Filesize
648KB

Download
memory/2628-98-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-101-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-104-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-78-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-110-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-113-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-116-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-119-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-122-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-125-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-128-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-131-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2628-134-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads