Analysis
  Max time kernel: 142s
  Max time network: 128s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240508-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 24-06-2024 17:03

  Static task: static1

  Behavioral task: behavioral1
    Sample: 1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.exe
    Resource: win10v2004-20240508-en

  Behavioral task: behavioral2
    Sample: 1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.exe
    Resource: win11-20240611-en
General
  Target: 1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.exe
  Size: 5.0MB
  MD5: 1f782a30f5dfaa6ea223181d7a41d103
  SHA1: 32cc6a195b9f5c4c683b8fb41e2fd91ed268e64f
  SHA256: 1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43
  SHA512: 881d5fa85e448bd8dde025e787dba49bb41f0a0d52a0f9594e090eca3232cef3fae14761984dd098de597ec630b06574166b1a424cbf478c7186e1041100fb32
  SSDEEP: 98304:ma45N1Wf9OUP+l6bH3iTkYyCiD+ikyx22QiGSw3O2wa8D:H45HcyTkYyRb62ySw3O2T8D
Malware Config
  Extracted
    Family: socks5systemz
    ddoggim.info
    http://ddoggim.info/search/?q=67e28dd86d5ff17c1407ad1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978f571ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ff613c4e793923a
    http://ddoggim.info/search/?q=67e28dd86d5ff17c1407ad1a7c27d78406abdd88be4b12eab517aa5c96bd86ef91804d825a8bbc896c58e713bc90c91b36b5281fc235a925ed3e56d6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee9c983fc5699e17
Signatures

Detect Socks5Systemz Payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/4196-86-0x00000000008C0000-0x0000000000962000-memory.dmp   family_socks5systemz
  behavioral1/memory/4196-109-0x00000000008C0000-0x0000000000962000-memory.dmp  family_socks5systemz
  behavioral1/memory/4196-110-0x00000000008C0000-0x0000000000962000-memory.dmp  family_socks5systemz

Socks5Systemz
  Socks5Systemz is a botnet written in C++.

Executes dropped EXE (3 IoCs)
  pid   process
  4020  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp
  3256  winypux32.exe
  4196  winypux32.exe

Loads dropped DLL (1 IoCs)
  pid   process
  4020  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp

Unexpected DNS network traffic destination (1 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  141.98.234.31

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   process
  4020  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   process                                                                target process
  PID 2024 wrote to memory of 4020   2024  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.exe  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp
  PID 2024 wrote to memory of 4020   2024  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.exe  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp
  PID 2024 wrote to memory of 4020   2024  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.exe  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp
  PID 4020 wrote to memory of 3256   4020  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp  winypux32.exe
  PID 4020 wrote to memory of 3256   4020  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp  winypux32.exe
  PID 4020 wrote to memory of 3256   4020  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp  winypux32.exe
  PID 4020 wrote to memory of 4196   4020  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp  winypux32.exe
  PID 4020 wrote to memory of 4196   4020  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp  winypux32.exe
  PID 4020 wrote to memory of 4196   4020  1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp  winypux32.exe
Processes

  C:\Users\Admin\AppData\Local\Temp\1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.exe"
    PID: 2024
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-D12BP.tmp\1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-D12BP.tmp\1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp" /SL5="$80090,4956183,54272,C:\Users\Admin\AppData\Local\Temp\1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.exe"
      PID: 4020
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
        Command line: "C:\Users\Admin\AppData\Local\Winypux\winypux32.exe" -i
        PID: 3256
        - Executes dropped EXE

      C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
        Command line: "C:\Users\Admin\AppData\Local\Winypux\winypux32.exe" -s
        PID: 4196
        - Executes dropped EXE

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
    PID: 4068
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

  C:\Users\Admin\AppData\Local\Temp\is-D12BP.tmp\1f2e8d0df5751478dc16fdcf6f5fa0d0f5ef4c14eb71f7b9f95b180cf5f86a43.tmp
  Filesize: 680KB
  MD5: eaa8b83db483f98a3627895df4b475e9
  SHA1: 8cbdb9e28949fa30471d0c3595af4ff4bc93c8c5
  SHA256: b33ab0799c57e799dab21427b4b066e8d10b23e7ea0da56c238d9629c6595077
  SHA512: 373088b3d8abefc5a0f70ebd46b2c803a55ef2cf906d057f124fa7508b1cc3c4ba56983ebe07a204aa8b284d9a75a61c702b4117fef76c1fd76bbc44bd995627

  Filesize: 3.0MB
  MD5: 586b4eb586fda29e2715ad3847344426
  SHA1: 2c531d77b3e89f62f14d288e59b1bff28a887fb2
  SHA256: b35d97d894d9f151b0d2ae8b79692753fee50336f1202731517931e7225d5ff1
  SHA512: fdffe660158e3cae258b4fe60fbe1fcc08056cbbef3eb9d1971be14569e7f1363403d2b877599758156d689ea743a84b846585d645f91ea378a1f2f9b71f4a65