socks5systemz | 0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b

General

Target

0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe
Size

4.5MB
MD5

6fa8e5a9a19d422bdbf6a903599245dc
SHA1

91f466b0cdf818b6496a74ddef252bff25228ea1
SHA256

0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b
SHA512

2acd1a13dd49b53a94bf3e688a78099a7f10efebfde30c8865f3db967d8872c737a19c0d81e3f0c58bacbdda77419436d08c5523da2baf8df3221a221c1547bb
SSDEEP

98304:mkNLNdvxtsqhqUbfePSKcYFLseNdGw+TE0/SiLdl+8LA+14n6:3BdvxtsiqGOFLRuE0/SAd5546

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

cevjbgp.net

http://cevjbgp.net/search/?q=67e28dd83955a42b4006aa1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978f671ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a6e8cff14c4e69d

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2908-92-0x0000000002240000-0x00000000022E2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp
2468	freeaudioextractor32.exe
2908	freeaudioextractor32.exe

Loads dropped DLL 5 IoCs

pid	Process
2964	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe
2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp
2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp
2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp
2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2604	2964	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe	28
PID 2964 wrote to memory of 2604	2964	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe	28
PID 2964 wrote to memory of 2604	2964	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe	28
PID 2964 wrote to memory of 2604	2964	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe	28
PID 2964 wrote to memory of 2604	2964	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe	28
PID 2964 wrote to memory of 2604	2964	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe	28
PID 2964 wrote to memory of 2604	2964	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe	28
PID 2604 wrote to memory of 2468	2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	29
PID 2604 wrote to memory of 2468	2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	29
PID 2604 wrote to memory of 2468	2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	29
PID 2604 wrote to memory of 2468	2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	29
PID 2604 wrote to memory of 2908	2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	30
PID 2604 wrote to memory of 2908	2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	30
PID 2604 wrote to memory of 2908	2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	30
PID 2604 wrote to memory of 2908	2604	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	30

C:\Users\Admin\AppData\Local\Temp\0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe
"C:\Users\Admin\AppData\Local\Temp\0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\is-D97J6.tmp\0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D97J6.tmp\0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp" /SL5="$400EA,4470656,54272,C:\Users\Admin\AppData\Local\Temp\0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe
    "C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2468
- - C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe
    "C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe

Filesize
2.7MB

MD5
2163374e0f8a793fc02c4669173be198

SHA1
a31156ca663956a5ce32834fd1a80935d4c3d66b

SHA256
35ea091b35d4c50c4cf9f5b8e311f25648fd161ef50beee615fdbff0a905617b

SHA512
fcd552e9b91e825e01ae9305f565b25c0a7e93adf13217b22c82344601f8d4c078fffb8ee39211e83084c241cf9b42244242273ada3077a00e8460f2022ceb8d

Download Submit
\Users\Admin\AppData\Local\Temp\is-D97J6.tmp\0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp

Filesize
680KB

MD5
be751b14a5f1bea2d2b2563a6b5d43e2

SHA1
c8e6aab342703f3c0cb5f2d346ec02e7fb217443

SHA256
59b3ba9039a9452887e018b15872a8a82971bd2c27b2987fb093e5057f1600fb

SHA512
42545220bfefeba930e6c6f843e6bdcd7a78d157f4e419221a7914d429d402bb740760c83b4a636011fe1d30666b9d8354dca4f899dcaf035602d884509a8f94

Download Submit
\Users\Admin\AppData\Local\Temp\is-TO4FA.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-TO4FA.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2468-65-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2468-66-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2468-69-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2604-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2604-79-0x0000000003990000-0x0000000003C3D000-memory.dmp

Filesize
2.7MB

Download
memory/2604-17-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2604-64-0x0000000003990000-0x0000000003C3D000-memory.dmp

Filesize
2.7MB

Download
memory/2908-78-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-98-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-71-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-75-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-135-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-132-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-82-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-85-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-88-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-91-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-92-0x0000000002240000-0x00000000022E2000-memory.dmp

Filesize
648KB

Download
memory/2908-129-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-101-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-104-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-107-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-110-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-113-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-117-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-120-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-123-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2908-126-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2964-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing