socks5systemz | 79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1

General

Target

79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe
Size

4.6MB
MD5

badf0e3994943ce24bda4ad1117ae0c3
SHA1

4bfd57dbb6cab7fbcad0706bc18ef82964efc962
SHA256

79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1
SHA512

cf3cef7aea4eac91b8a15dc005b08cd824159a4c114a21c68447d20597bcc7909de0b5ea3c5fd8bd70d21fd2fd8cf02ca6810e201e31cea49b771bf5ff5139ab
SSDEEP

98304:m/+KXm5zCadoNaUS5P4gMIk0ihjABYKa2eP+7KKlR:XKXOmadooj2gtk0ipABYKC49R

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

ebuaiui.ua

jejqkoi.info

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2548-92-0x00000000023C0000-0x0000000002462000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmpplayercloudfree32.exeplayercloudfree32.exe

pid process

2032 79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
3004 playercloudfree32.exe
2548 playercloudfree32.exe

pid	process
2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
3004	playercloudfree32.exe
2548	playercloudfree32.exe

Loads dropped DLL 5 IoCs

Processes:

79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp

pid	process
2224	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe
2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	81.31.197.38
Destination IP	152.89.198.214
Destination IP	152.89.198.214
Destination IP	91.211.247.248
Destination IP	152.89.198.214
Destination IP	141.98.234.31
Destination IP	45.155.250.90
Destination IP	91.211.247.248
Destination IP	45.155.250.90
Destination IP	152.89.198.214
Destination IP	45.155.250.90
Destination IP	141.98.234.31
Destination IP	81.31.197.38

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp

pid process

2032 79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp

pid	process
2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp

description	pid	process	target process
PID 2224 wrote to memory of 2032	2224	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
PID 2224 wrote to memory of 2032	2224	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
PID 2224 wrote to memory of 2032	2224	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
PID 2224 wrote to memory of 2032	2224	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
PID 2224 wrote to memory of 2032	2224	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
PID 2224 wrote to memory of 2032	2224	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
PID 2224 wrote to memory of 2032	2224	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
PID 2032 wrote to memory of 3004	2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp	playercloudfree32.exe
PID 2032 wrote to memory of 3004	2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp	playercloudfree32.exe
PID 2032 wrote to memory of 3004	2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp	playercloudfree32.exe
PID 2032 wrote to memory of 3004	2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp	playercloudfree32.exe
PID 2032 wrote to memory of 2548	2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp	playercloudfree32.exe
PID 2032 wrote to memory of 2548	2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp	playercloudfree32.exe
PID 2032 wrote to memory of 2548	2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp	playercloudfree32.exe
PID 2032 wrote to memory of 2548	2032	79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp	playercloudfree32.exe

C:\Users\Admin\AppData\Local\Temp\79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe
"C:\Users\Admin\AppData\Local\Temp\79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\is-KIFVC.tmp\79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KIFVC.tmp\79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp" /SL5="$40150,4593748,54272,C:\Users\Admin\AppData\Local\Temp\79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\FanPlayer Cloud Free\playercloudfree32.exe
"C:\Users\Admin\AppData\Local\FanPlayer Cloud Free\playercloudfree32.exe" -i
3⤵
- Executes dropped EXE
PID:3004

C:\Users\Admin\AppData\Local\FanPlayer Cloud Free\playercloudfree32.exe
"C:\Users\Admin\AppData\Local\FanPlayer Cloud Free\playercloudfree32.exe" -s
3⤵
- Executes dropped EXE
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\FanPlayer Cloud Free\playercloudfree32.exe

Filesize
2.8MB

MD5
4777d5f35e3ef36e2d3a5e8a3ce73a09

SHA1
fd9b8708c7e2779d7a9ce921f3d9128a85107588

SHA256
64b5e38d99b2fc5a60787b14784a085ee8555982d41f8d172ce77606df85ff8f

SHA512
65713cb7a6742e7d4c3d0e0abe009793b127deff45ede0504ffad787a196617372f6ce78035fcabaa937409b1489c06ec9e282d8579c101d8a24d031bcaac67e

Download Submit
\Users\Admin\AppData\Local\Temp\is-KIFVC.tmp\79b5a0229adc138d63a611b4982b1c2dc1bc7ed459473bd2bdaa82db544318e1.tmp

Filesize
680KB

MD5
18e1f77fda7cca9e6162bbfc406b4340

SHA1
b73e1046cb4dc7c12923d84eb311e27acfae795b

SHA256
e46557f8e4fce33af732b6d1eff19f00105f6e112de1b5a555aa233988858ab3

SHA512
71a1ac2b0aec70d1f47625850bbf916abb5d960ba7ec6a37cb8f22037c3839917134b6c82955feff37772dddb2d5ad34f76c9bb68337729c4159ab451eaffe57

Download Submit
\Users\Admin\AppData\Local\Temp\is-T4J1I.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-T4J1I.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2032-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2032-64-0x0000000003520000-0x00000000037E9000-memory.dmp

Filesize
2.8MB

Download
memory/2032-79-0x0000000003520000-0x00000000037E9000-memory.dmp

Filesize
2.8MB

Download
memory/2032-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2224-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2224-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2224-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2548-104-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-98-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-134-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-75-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-78-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-131-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-82-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-85-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-88-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-91-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-92-0x00000000023C0000-0x0000000002462000-memory.dmp

Filesize
648KB

Download
memory/2548-71-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-101-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-128-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-107-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-110-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-113-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-116-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-119-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-122-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/2548-125-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/3004-66-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/3004-67-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/3004-69-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads