socks5systemz | 2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b

General

Target

2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.exe
Size

4.7MB
MD5

994514b71eedc26a1d4e6dfc572f3ada
SHA1

272ee3e93aeb8f77a6a3e4cddb872e4db6f8fe9d
SHA256

2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b
SHA512

d0ee3157e0ebebb4d47ead0470c4abba5cffbe7e51c5a0d10491e1a18cc2a9c4279d6997d4cb891dece30664b4821abd40f24e6d84484d31e2e9128d506a1b96
SSDEEP

98304:mTXL0KRQVwC27bXncQ70+G94suUbcOsVGLGwfd0FAon/YH:u1R9p7rU3xbJsZq0FAo/YH

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

ebnnece.ua

http://ebnnece.ua/search/?q=67e28dd86809f27b415ba51b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa1de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff613c0e9959c38

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2368-84-0x00000000023D0000-0x0000000002472000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
4064	2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.tmp
228	freeaudioextractor32.exe
2368	freeaudioextractor32.exe

Loads dropped DLL 1 IoCs

pid	Process
4064	2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4064	2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 4064	3796	2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.exe	74
PID 3796 wrote to memory of 4064	3796	2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.exe	74
PID 3796 wrote to memory of 4064	3796	2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.exe	74
PID 4064 wrote to memory of 228	4064	2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.tmp	75
PID 4064 wrote to memory of 228	4064	2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.tmp	75
PID 4064 wrote to memory of 228	4064	2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.tmp	75
PID 4064 wrote to memory of 2368	4064	2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.tmp	76
PID 4064 wrote to memory of 2368	4064	2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.tmp	76
PID 4064 wrote to memory of 2368	4064	2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.tmp	76

C:\Users\Admin\AppData\Local\Temp\2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.exe
"C:\Users\Admin\AppData\Local\Temp\2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Local\Temp\is-BLV9M.tmp\2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BLV9M.tmp\2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.tmp" /SL5="$601FE,4647501,54272,C:\Users\Admin\AppData\Local\Temp\2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe
    "C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe" -i
    3⤵
    - Executes dropped EXE
    PID:228
- - C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe
    "C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe

Filesize
2.8MB

MD5
6cddcec247be097ae97031655707c348

SHA1
1b8c58995fa3f33929d73d5a880f576dfb2513a4

SHA256
b9d9b39f885087fced475dc45e07ffd7545a4571ed129785c562cf491f8d59c0

SHA512
fea7057544af9883efb5d531cb3e2ac91fe47913c4a97423be1a0cde0e2e5fa2022560d1d0efb7ab195c9f169ef060cbe4fa9a9ccc6a7d0f79a78708d16318a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BLV9M.tmp\2faf264c85a6b48958e0e5366b7fe2d2f98f30ac7b12a74c811afe20052be06b.tmp

Filesize
680KB

MD5
78ec448a3bcfd314f65986059ce6d9d0

SHA1
8d55d1b45ecaaa22fb0b85d856282d2e7cae362a

SHA256
d4eb11254fd6b7b40802bb7b680f38955c9931c7a83a8a055d54a9f9046bb0c9

SHA512
b4f6f2abb1916663a566dd8d86c0f030573ad04b323f100b85e87637cc82a3ca32a2df32dbee5be26ee7a2644059dd292dd82f19f64f3dec44b4fee6e458ee1c

Download Submit
\Users\Admin\AppData\Local\Temp\is-P8NL4.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/228-59-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/228-63-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/228-60-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-81-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-91-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-128-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-66-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-125-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-122-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-69-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-72-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-75-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-78-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-119-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-84-0x00000000023D0000-0x0000000002472000-memory.dmp

Filesize
648KB

Download
memory/2368-88-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-116-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-94-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-97-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-100-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-103-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-106-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-109-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-113-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3796-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3796-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3796-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4064-13-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4064-68-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing