socks5systemz | 777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa

General

Target

777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe
Size

5.0MB
MD5

5caa366d1efe02cff18ee6d4d8d9fb56
SHA1

e2cbbfeaa67ad193736e08d057f92e4481834adc
SHA256

777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa
SHA512

7a4fa9328dbb475d28540ffbe6c271d184b6d5b516ce5511c57ab5324643ffdeda8109ba07866c15d7a33f9f4514d8c94ced87fb1c8b3b89de8c00f290700311
SSDEEP

98304:mfb6skPJXWcPhKyx1F+CLmUEo6MflGimy356qVtc4s0EReZbL0N5E6SmdQ9zcBG:M5kPJBPM0FWklVJdm4sZMHgENmdQ9wBG

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

bevlmyv.com

http://bevlmyv.com/search/?q=67e28dd86c0ca72e110aab177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa48e8889b5e4fa9281ae978f671ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a6f87fd12c9e694

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2960-92-0x0000000002360000-0x0000000002402000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmpsvomediaplayer.exesvomediaplayer.exe

pid process

2988 777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
2524 svomediaplayer.exe
2960 svomediaplayer.exe

pid	process
2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
2524	svomediaplayer.exe
2960	svomediaplayer.exe

Loads dropped DLL 5 IoCs

Processes:

777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp

pid	process
1760	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe
2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 141.98.234.31
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp

pid process

2988 777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp

description	ioc
Destination IP	141.98.234.31

pid	process
2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp

description	pid	process	target process
PID 1760 wrote to memory of 2988	1760	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
PID 1760 wrote to memory of 2988	1760	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
PID 1760 wrote to memory of 2988	1760	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
PID 1760 wrote to memory of 2988	1760	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
PID 1760 wrote to memory of 2988	1760	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
PID 1760 wrote to memory of 2988	1760	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
PID 1760 wrote to memory of 2988	1760	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
PID 2988 wrote to memory of 2524	2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp	svomediaplayer.exe
PID 2988 wrote to memory of 2524	2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp	svomediaplayer.exe
PID 2988 wrote to memory of 2524	2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp	svomediaplayer.exe
PID 2988 wrote to memory of 2524	2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp	svomediaplayer.exe
PID 2988 wrote to memory of 2960	2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp	svomediaplayer.exe
PID 2988 wrote to memory of 2960	2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp	svomediaplayer.exe
PID 2988 wrote to memory of 2960	2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp	svomediaplayer.exe
PID 2988 wrote to memory of 2960	2988	777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp	svomediaplayer.exe

C:\Users\Admin\AppData\Local\Temp\777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe
"C:\Users\Admin\AppData\Local\Temp\777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\is-QP13G.tmp\777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QP13G.tmp\777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp" /SL5="$40150,4978193,54272,C:\Users\Admin\AppData\Local\Temp\777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer.exe
"C:\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer.exe" -i
3⤵
- Executes dropped EXE
PID:2524

C:\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer.exe
"C:\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer.exe" -s
3⤵
- Executes dropped EXE
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer.exe

Filesize
3.2MB

MD5
3b12c7a7a5a7bca107784597793bbf08

SHA1
7f7768cb78dc96126487ec1dd294ce629d11c9f9

SHA256
2ae5fa0dbb3274ed901fc031862b371e0ff34865b8fd76f9c3525f9ea84cff28

SHA512
451ebcd7c3283de341c6fed85c6cd4a5921a276ec565f18b1e960f66d896fe25f32d022f0d0929d4bff4927cca9e34f1772a3b8f2441cb5284292e7bef719955

Download Submit
\Users\Admin\AppData\Local\Temp\is-1ARL5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-1ARL5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-QP13G.tmp\777402d9b676812bcf6538b694c1d1c5d47ac27e449e1954971010d9222a18aa.tmp

Filesize
680KB

MD5
f37cd0eb17015c4634d4612386a59e08

SHA1
db484a81b4e8e6bc1d5333d984e8bdca356b444a

SHA256
028c13f7b44b54dbb1020946769a780424d6116dc7f3f23273b8c09bb4984761

SHA512
1649a8c3b043dbe65c2ce63e29fbba04fc6b764f772dc20b61cca40e2eea9d5dea72fd07ddc1e058064664781080fe21def72cf59fc531a0e2b78fd2c8065852

Download Submit
memory/1760-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1760-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1760-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2524-69-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2524-65-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2524-66-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-75-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-92-0x0000000002360000-0x0000000002402000-memory.dmp

Filesize
648KB

Download
memory/2960-137-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-132-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-126-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-78-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-129-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-82-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-85-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-88-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-91-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-71-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-98-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-101-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-104-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-107-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-110-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-113-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-117-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-120-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2960-123-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/2988-64-0x00000000038E0000-0x0000000003C17000-memory.dmp

Filesize
3.2MB

Download
memory/2988-79-0x00000000038E0000-0x0000000003C17000-memory.dmp

Filesize
3.2MB

Download
memory/2988-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2988-9-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads