Malware Analysis Report

2024-11-15 04:58

Sample ID 240625-gakvcawekk
Target 4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598
SHA256 4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598
Tags
socks5systemz botnet discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598

Threat Level: Known bad

The file 4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598 was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Detect Socks5Systemz Payload

Socks5Systemz

Unexpected DNS network traffic destination

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 05:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 05:36

Reported

2024-06-25 05:38

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe"

Signatures

Detect Socks5Systemz Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 152.89.198.214 | N/A | N/A
Destination IP | 91.211.247.248 | N/A | N/A
Destination IP | 45.155.250.90 | N/A | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 912 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe | C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp
PID 912 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe | C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp
PID 912 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe | C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp
PID 1224 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe
PID 1224 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe
PID 1224 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe
PID 1224 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe
PID 1224 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe
PID 1224 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe

"C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe"

C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp

"C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp" /SL5="$90030,4783442,54272,C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe"

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe" -i

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe" -s

Network

Country | Destination | Domain | Proto
SE | 45.155.250.90:53 | ccmbuda.net | udp
US | 8.8.8.8:53 | 90.250.155.45.in-addr.arpa | udp
RU | 152.89.198.214:53 | ccmbuda.net | udp
US | 8.8.8.8:53 | 214.198.89.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 193.142.123.92.in-addr.arpa | udp
LT | 91.211.247.248:53 | ccmbuda.net | udp
US | 8.8.8.8:53 | 248.247.211.91.in-addr.arpa | udp

Files

memory/912-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/912-2-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-82LOG.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp

MD5 b219991625762389d1374967430ffb23
SHA1 ede4adee67f54c986ff0d09341a72ddf1357365a
SHA256 643ecf01c733422903661640b4669a94b1993cef6018092a983028c7f5d96134
SHA512 25b675c5a1bf9d611ca3e6f53e77004286692a560422c26157dc0cf07845128983787f27660a859a44a926de022cc3ddf526e4b0288db1e90ed7e84d9d5412aa

memory/1224-10-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3VQ7G.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe

MD5 8174143f9cdf745a061f46919d7ccc15
SHA1 505d6da4aecba8920b4352e04c4ee43a2ab62d80
SHA256 dffcd5f2036ea62ed43ff4bc2906399b80bf350a680df830651fb99a9f6d403d
SHA512 ec030df186930c85e6d4498e9af6e69627f3d4d780c0f053d84c981193542c529896d0c014e59e622a061032d80f01d491b414edc4288619b3e2362d01dafd36

memory/1204-59-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/1204-60-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/1204-63-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/1204-64-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-66-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/912-68-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1224-69-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/2608-70-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-73-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-76-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-79-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-82-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-84-0x00000000009D0000-0x0000000000A72000-memory.dmp

memory/2608-87-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-92-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-95-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-98-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-101-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-104-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-107-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-110-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/2608-113-0x0000000000400000-0x00000000006C8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 05:36

Reported

2024-06-25 05:38

Platform

win11-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe"

Signatures

Detect Socks5Systemz Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 141.98.234.31 | N/A | N/A
Destination IP | 152.89.198.214 | N/A | N/A
Destination IP | 91.211.247.248 | N/A | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1496 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe | C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp
PID 1496 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe | C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp
PID 1496 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe | C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp
PID 3652 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe
PID 3652 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe
PID 3652 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe
PID 3652 wrote to memory of 4324 | N/A | C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe
PID 3652 wrote to memory of 4324 | N/A | C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe
PID 3652 wrote to memory of 4324 | N/A | C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp | C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe

"C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe"

C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp" /SL5="$7013C,4783442,54272,C:\Users\Admin\AppData\Local\Temp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.exe"

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe" -i

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe" -s

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
HK | 141.98.234.31:53 | aymqbvf.ru | udp
US | 8.8.8.8:53 | 31.234.98.141.in-addr.arpa | udp
RU | 152.89.198.214:53 | aymqbvf.ru | udp
US | 8.8.8.8:53 | 214.198.89.152.in-addr.arpa | udp
LT | 91.211.247.248:53 | aymqbvf.ru | udp
US | 8.8.8.8:53 | 248.247.211.91.in-addr.arpa | udp

Files

memory/1496-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1496-2-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GVJQN.tmp\4376f7bec65b17df24f40bed5d0537d0b733b48e9c771b3d12fe8a918d7bb598.tmp

MD5 b219991625762389d1374967430ffb23
SHA1 ede4adee67f54c986ff0d09341a72ddf1357365a
SHA256 643ecf01c733422903661640b4669a94b1993cef6018092a983028c7f5d96134
SHA512 25b675c5a1bf9d611ca3e6f53e77004286692a560422c26157dc0cf07845128983787f27660a859a44a926de022cc3ddf526e4b0288db1e90ed7e84d9d5412aa

C:\Users\Admin\AppData\Local\Temp\is-UIC64.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/3652-16-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition.exe

MD5 8174143f9cdf745a061f46919d7ccc15
SHA1 505d6da4aecba8920b4352e04c4ee43a2ab62d80
SHA256 dffcd5f2036ea62ed43ff4bc2906399b80bf350a680df830651fb99a9f6d403d
SHA512 ec030df186930c85e6d4498e9af6e69627f3d4d780c0f053d84c981193542c529896d0c014e59e622a061032d80f01d491b414edc4288619b3e2362d01dafd36

memory/4680-59-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4680-60-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4680-63-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4680-65-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-67-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-69-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/1496-70-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3652-71-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4324-72-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-75-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-76-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-79-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-82-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-85-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-87-0x00000000009B0000-0x0000000000A52000-memory.dmp

memory/4324-91-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-96-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-99-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-102-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-105-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-108-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-111-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-114-0x0000000000400000-0x00000000006C8000-memory.dmp

memory/4324-117-0x0000000000400000-0x00000000006C8000-memory.dmp