Analysis
max time kernel: 147s
max time network: 156s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-06-2024 19:14
Static task: static1
Behavioral task: behavioral1
  Sample: ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.exe
  Resource: win11-20240419-en
General
Target: ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.exe
Size: 5.1MB
MD5: 8f58f8249af23ca626ac65508568551b
SHA1: af22d86d078c89055faebad0303275f1726505b4
SHA256: ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242
SHA512: 7725193d72d0bb40e8603d4859792fb9efb74667cf4702592c95338659667db2362bfe778090aa4c3ef3bdaffd6220be3d9acb511a7144e2a617958056d1f345
SSDEEP: 98304:mcwsI1hGw7wudHcYwAcLzDTdh+PkBDY7ijzUdl5r4+ME783v2o6zwvYegcvppxNH:v6pBrEzHzPLsu+xkvYvcppH
Malware Config
Extracted
  Family: socks5systemz
  bnodfoo.com
Signatures
Detect Socks5Systemz Payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/1920-86-0x0000000000970000-0x0000000000A12000-memory.dmp | family_socks5systemz
Socks5Systemz
  Socks5Systemz is a botnet written in C++.
Executes dropped EXE (3 IoCs)
  pid | process
  848 | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp
  3712 | winypux32.exe
  1920 | winypux32.exe
Loads dropped DLL (1 IoC)
  pid | process
  848 | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp
Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 152.89.198.214
  Destination IP | 91.211.247.248
  Destination IP | 91.211.247.248
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of FindShellTrayWindow (1 IoC)
  pid | process
  848 | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1588 wrote to memory of 848 | 1588 | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.exe | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp
  PID 1588 wrote to memory of 848 | 1588 | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.exe | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp
  PID 1588 wrote to memory of 848 | 1588 | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.exe | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp
  PID 848 wrote to memory of 3712 | 848 | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp | winypux32.exe
  PID 848 wrote to memory of 3712 | 848 | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp | winypux32.exe
  PID 848 wrote to memory of 3712 | 848 | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp | winypux32.exe
  PID 848 wrote to memory of 1920 | 848 | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp | winypux32.exe
  PID 848 wrote to memory of 1920 | 848 | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp | winypux32.exe
  PID 848 wrote to memory of 1920 | 848 | ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp | winypux32.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.exe"
   PID: 1588
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-OK23H.tmp\ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-OK23H.tmp\ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp" /SL5="$40222,5079536,54272,C:\Users\Admin\AppData\Local\Temp\ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.exe"
      PID: 848
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
         Command line: "C:\Users\Admin\AppData\Local\Winypux\winypux32.exe" -i
         PID: 3712
         - Executes dropped EXE
      3. C:\Users\Admin\AppData\Local\Winypux\winypux32.exe
         Command line: "C:\Users\Admin\AppData\Local\Winypux\winypux32.exe" -s
         PID: 1920
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (no path listed in the report)
  Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
C:\Users\Admin\AppData\Local\Temp\is-OK23H.tmp\ff1d2878dc4c358df8e59c7c72790c96a09cdfca78b7646742cd9430908fb242.tmp
  Filesize: 680KB
  MD5: 849f967acbe0490ae11c6a70a6ffe6a0
  SHA1: d3d2e9e9f80f7ca0b75eb79e884294c931171c5f
  SHA256: 45eb917ca974c2c3d5d1e24a24dd168b21b24a7476b3f39e16fb20d5737e1a97
  SHA512: f2539e785d2068f6acda58146a93d5b4533642f35b496288e1ea5186a7a0391e6d4f9ace65a446c6656008cf1398d3820d3d2bc80b13182750bd3ab055dea7d1
File 3 (no path listed in the report)
  Filesize: 3.1MB
  MD5: 3c8a20326cbf995ded542fafe682c672
  SHA1: 9527cb7630c9dfb556034df533d0985e72728aa0
  SHA256: d25421ccea99d03ea10ccb92a7bd9700d01609e000d407016d3ed101a1f81e3f
  SHA512: 72716c1cb08c09da22717254018117b6424d3c5feb87cba026adeb75201c1681783fea4e3c8842ebe29106e6e86fcea1baf035db02dfa9e3095c7f49cc79e81f