socks5systemz | 0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b

General

Target

0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe
Size

4.5MB
MD5

6fa8e5a9a19d422bdbf6a903599245dc
SHA1

91f466b0cdf818b6496a74ddef252bff25228ea1
SHA256

0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b
SHA512

2acd1a13dd49b53a94bf3e688a78099a7f10efebfde30c8865f3db967d8872c737a19c0d81e3f0c58bacbdda77419436d08c5523da2baf8df3221a221c1547bb
SSDEEP

98304:mkNLNdvxtsqhqUbfePSKcYFLseNdGw+TE0/SiLdl+8LA+14n6:3BdvxtsiqGOFLRuE0/SAd5546

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

bnuuieg.com

http://bnuuieg.com/search/?q=67e28dd86d5ff028450dff177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f571ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff613c0ea919333

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4228-82-0x00000000028B0000-0x0000000002952000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1316	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp
2824	freeaudioextractor32.exe
4228	freeaudioextractor32.exe

Loads dropped DLL 1 IoCs

pid	Process
1316	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1316	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 1316	4892	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe	73
PID 4892 wrote to memory of 1316	4892	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe	73
PID 4892 wrote to memory of 1316	4892	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe	73
PID 1316 wrote to memory of 2824	1316	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	74
PID 1316 wrote to memory of 2824	1316	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	74
PID 1316 wrote to memory of 2824	1316	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	74
PID 1316 wrote to memory of 4228	1316	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	75
PID 1316 wrote to memory of 4228	1316	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	75
PID 1316 wrote to memory of 4228	1316	0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp	75

C:\Users\Admin\AppData\Local\Temp\0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe
"C:\Users\Admin\AppData\Local\Temp\0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\is-VDG08.tmp\0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VDG08.tmp\0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp" /SL5="$70232,4470656,54272,C:\Users\Admin\AppData\Local\Temp\0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe
    "C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2824
- - C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe
    "C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe

Filesize
2.7MB

MD5
2163374e0f8a793fc02c4669173be198

SHA1
a31156ca663956a5ce32834fd1a80935d4c3d66b

SHA256
35ea091b35d4c50c4cf9f5b8e311f25648fd161ef50beee615fdbff0a905617b

SHA512
fcd552e9b91e825e01ae9305f565b25c0a7e93adf13217b22c82344601f8d4c078fffb8ee39211e83084c241cf9b42244242273ada3077a00e8460f2022ceb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VDG08.tmp\0c52f90830cb918ef112f9aa79d7737871d73785f207c35df19905bc91f91b8b.tmp

Filesize
680KB

MD5
be751b14a5f1bea2d2b2563a6b5d43e2

SHA1
c8e6aab342703f3c0cb5f2d346ec02e7fb217443

SHA256
59b3ba9039a9452887e018b15872a8a82971bd2c27b2987fb093e5057f1600fb

SHA512
42545220bfefeba930e6c6f843e6bdcd7a78d157f4e419221a7914d429d402bb740760c83b4a636011fe1d30666b9d8354dca4f899dcaf035602d884509a8f94

Download Submit
\Users\Admin\AppData\Local\Temp\is-T2CFM.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1316-68-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1316-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2824-63-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2824-59-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2824-60-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-81-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-91-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-130-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-125-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-69-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-72-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-75-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-78-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-122-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-82-0x00000000028B0000-0x0000000002952000-memory.dmp

Filesize
648KB

Download
memory/4228-86-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-66-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-94-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-97-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-100-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-103-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-106-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-110-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-113-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-116-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4228-119-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4892-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4892-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4892-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing