Malware Analysis Report

2024-11-15 04:58

Sample ID 240624-t773cssdjf
Target 9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c
SHA256 9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c
Tags
socks5systemz botnet discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c

Threat Level: Known bad

The file 9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Detect Socks5Systemz Payload

Socks5Systemz

Loads dropped DLL

Unexpected DNS network traffic destination

Executes dropped EXE

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 16:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 16:43

Reported

2024-06-24 16:45

Platform

win10v2004-20240611-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 45.155.250.90 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp
PID 748 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp
PID 748 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp
PID 892 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
PID 892 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
PID 892 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
PID 892 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
PID 892 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
PID 892 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp C:\Users\Admin\AppData\Local\Winypux\winypux32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe

"C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe"

C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp" /SL5="$700EC,4768713,54272,C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe"

C:\Users\Admin\AppData\Local\Winypux\winypux32.exe

"C:\Users\Admin\AppData\Local\Winypux\winypux32.exe" -i

C:\Users\Admin\AppData\Local\Winypux\winypux32.exe

"C:\Users\Admin\AppData\Local\Winypux\winypux32.exe" -s

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
SE 45.155.250.90:53 bnafhdf.com udp
TR 94.156.8.80:80 bnafhdf.com tcp
US 8.8.8.8:53 90.250.155.45.in-addr.arpa udp
NL 79.132.128.125:2023 N/A tcp
US 8.8.8.8:53 80.8.156.94.in-addr.arpa udp
US 8.8.8.8:53 125.128.132.79.in-addr.arpa udp

Files

memory/748-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/748-3-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AQGJK.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp

MD5 1eee4412e30594991e3501c1ac6c47bb
SHA1 d532da40e6cfbb15dbdb272f3186111cdbdb6cad
SHA256 819409a928f8dc308b38d03f76e58c448bb3e9c323f77e6b6e0a17553f0a8916
SHA512 cbba2bd056ceb17c75ddead7b10612f0272c64cd385bab3eb2973d4ddbe85c283fb76f045f1090487775f243918d2335bdef5f01e0f7c1cd447af4dfcab670bc

memory/892-10-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-2KPHL.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Winypux\winypux32.exe

MD5 bcabd83e08fce61ade515dd2a40f0f0c
SHA1 0eb3348c2f384b802ed2294f76a4cdecba811804
SHA256 7e21c8fd9ec92c3259d7f552a4e9a9d93334cb59500990c5fd51f62d846d8788
SHA512 c5b29320669a882321c4bddf1b4490dc17fd85c67675bcbfb4a3baec5b9dc1e9b6a15dd62aa4e5b1c3b148bcf7bf7f3eb1ae4993137550032c1bc974ce14972e

memory/2664-59-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2664-60-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2664-65-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2664-64-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-67-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/748-69-0x0000000000400000-0x0000000000414000-memory.dmp

memory/892-70-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/3144-71-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-74-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-77-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-80-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-83-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-86-0x0000000000950000-0x00000000009F2000-memory.dmp

memory/3144-88-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-93-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-96-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-99-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-102-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-105-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-108-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-110-0x0000000000950000-0x00000000009F2000-memory.dmp

memory/3144-109-0x0000000000950000-0x00000000009F2000-memory.dmp

memory/3144-114-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/3144-117-0x0000000000400000-0x00000000006C8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 16:43

Reported

2024-06-24 16:45

Platform

win11-20240611-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4056 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp
PID 4056 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp
PID 4056 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp
PID 4156 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
PID 4156 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
PID 4156 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
PID 4156 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
PID 4156 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
PID 4156 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp C:\Users\Admin\AppData\Local\Winypux\winypux32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe

"C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe"

C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp

"C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp" /SL5="$40208,4768713,54272,C:\Users\Admin\AppData\Local\Temp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.exe"

C:\Users\Admin\AppData\Local\Winypux\winypux32.exe

"C:\Users\Admin\AppData\Local\Winypux\winypux32.exe" -i

C:\Users\Admin\AppData\Local\Winypux\winypux32.exe

"C:\Users\Admin\AppData\Local\Winypux\winypux32.exe" -s

Network

Country Destination Domain Proto
HK 141.98.234.31:53 aqmtqri.ru udp
TR 94.156.8.80:80 aqmtqri.ru tcp
CH 176.10.111.158:2023 N/A tcp
US 8.8.8.8:53 158.111.10.176.in-addr.arpa udp

Files

memory/4056-1-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4056-3-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-Q0ONE.tmp\9b6a3eb67f666120885a27717f6998d6e4175343dbde8c8327a1e5619ed0540c.tmp

MD5 1eee4412e30594991e3501c1ac6c47bb
SHA1 d532da40e6cfbb15dbdb272f3186111cdbdb6cad
SHA256 819409a928f8dc308b38d03f76e58c448bb3e9c323f77e6b6e0a17553f0a8916
SHA512 cbba2bd056ceb17c75ddead7b10612f0272c64cd385bab3eb2973d4ddbe85c283fb76f045f1090487775f243918d2335bdef5f01e0f7c1cd447af4dfcab670bc

memory/4156-7-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-NLL6S.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Winypux\winypux32.exe

MD5 bcabd83e08fce61ade515dd2a40f0f0c
SHA1 0eb3348c2f384b802ed2294f76a4cdecba811804
SHA256 7e21c8fd9ec92c3259d7f552a4e9a9d93334cb59500990c5fd51f62d846d8788
SHA512 c5b29320669a882321c4bddf1b4490dc17fd85c67675bcbfb4a3baec5b9dc1e9b6a15dd62aa4e5b1c3b148bcf7bf7f3eb1ae4993137550032c1bc974ce14972e

memory/1132-59-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/1132-60-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/1132-65-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-67-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/1132-63-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-69-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4056-70-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4156-71-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4392-72-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-75-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-76-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-79-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-82-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-85-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-88-0x00000000009F0000-0x0000000000A92000-memory.dmp

memory/4392-91-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-96-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-99-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-102-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-105-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-108-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-111-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-112-0x00000000009F0000-0x0000000000A92000-memory.dmp

memory/4392-113-0x00000000009F0000-0x0000000000A92000-memory.dmp

memory/4392-117-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4392-120-0x0000000000400000-0x00000000006C8000-memory.dmp