Malware Analysis Report

2024-11-15 04:58

Sample ID 240625-m4gyfawapb
Target fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c
SHA256 fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c
Tags
socks5systemz botnet discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c

Threat Level: Known bad

The file fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Socks5Systemz

Detect Socks5Systemz Payload

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 11:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 11:00

Reported

2024-06-25 11:03

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 45.155.250.90 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp
PID 2860 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp
PID 2860 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp
PID 3364 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 3364 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 3364 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 3364 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 3364 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 3364 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe

"C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe"

C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp" /SL5="$501CA,5091457,54272,C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe"

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -i

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -s

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
SE 45.155.250.90:53 ccdjjwo.net udp
TR 94.156.8.80:80 ccdjjwo.net tcp
NL 79.132.128.125:2023 tcp
US 8.8.8.8:53 80.8.156.94.in-addr.arpa udp
US 8.8.8.8:53 125.128.132.79.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/2860-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2860-3-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-9A6CT.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp

MD5 32d424af04d29f2313b999c29b0f74e0
SHA1 9b2bc33ee273592fd2fc562f4a6e2b8e9fa9843e
SHA256 cb5e4eaff4b283ccfe18095f3d22d100b9816a195295e69d7dd291d03cc6cee9
SHA512 ea0eb300cc439053d42143c8f5bf32fecbb31dedb811857cdd33c43668696e4f1daa0d57350c8b75f8792c5bd930634e8aa78cce8921605ccb878811c168cecd

memory/3364-10-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-U24Q4.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

MD5 c1d017d322f193865efe2f5b40b7fadb
SHA1 1de5b69a2cd1ede32aa272925b37f6c402b4b258
SHA256 823f7870250ec1da98363b84d6005e39dcd76fdbb1cbac7f1afa6233347535fe
SHA512 72269dd9ae863b2324047624aec216e6dbecaf5fc28b40bf5c7a165fde5abc36b46b80725bb6e2b25077994c1636dc75d235ac3d38dbb9e88f2bc1a3300098ff

memory/1448-59-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1448-60-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1448-63-0x0000000000400000-0x000000000073B000-memory.dmp

memory/2860-67-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3364-68-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/1112-69-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-72-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-75-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-78-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-81-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-84-0x0000000000850000-0x00000000008F2000-memory.dmp

memory/1112-86-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-91-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-94-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-97-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-100-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-103-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-106-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-107-0x0000000000850000-0x00000000008F2000-memory.dmp

memory/1112-108-0x0000000000850000-0x00000000008F2000-memory.dmp

memory/1112-112-0x0000000000400000-0x000000000073B000-memory.dmp

memory/1112-115-0x0000000000400000-0x000000000073B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 11:00

Reported

2024-06-25 11:03

Platform

win11-20240508-en

Max time kernel

141s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 744 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp
PID 744 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp
PID 744 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp
PID 400 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 400 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 400 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 400 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 400 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 400 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe

"C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe"

C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp" /SL5="$800D8,5091457,54272,C:\Users\Admin\AppData\Local\Temp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.exe"

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -i

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -s

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
HK 141.98.234.31:53 csfuchp.net udp
TR 94.156.8.80:80 csfuchp.net tcp
NL 89.105.201.183:2023 tcp
US 8.8.8.8:53 183.201.105.89.in-addr.arpa udp

Files

memory/744-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/744-2-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DOIEN.tmp\fb981dd888d7af3c3de5a71c900074f48799882148fa7a8e6145f7ec52d0f61c.tmp

MD5 32d424af04d29f2313b999c29b0f74e0
SHA1 9b2bc33ee273592fd2fc562f4a6e2b8e9fa9843e
SHA256 cb5e4eaff4b283ccfe18095f3d22d100b9816a195295e69d7dd291d03cc6cee9
SHA512 ea0eb300cc439053d42143c8f5bf32fecbb31dedb811857cdd33c43668696e4f1daa0d57350c8b75f8792c5bd930634e8aa78cce8921605ccb878811c168cecd

C:\Users\Admin\AppData\Local\Temp\is-BDEU5.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/400-16-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

MD5 c1d017d322f193865efe2f5b40b7fadb
SHA1 1de5b69a2cd1ede32aa272925b37f6c402b4b258
SHA256 823f7870250ec1da98363b84d6005e39dcd76fdbb1cbac7f1afa6233347535fe
SHA512 72269dd9ae863b2324047624aec216e6dbecaf5fc28b40bf5c7a165fde5abc36b46b80725bb6e2b25077994c1636dc75d235ac3d38dbb9e88f2bc1a3300098ff

memory/568-59-0x0000000000400000-0x000000000073B000-memory.dmp

memory/568-60-0x0000000000400000-0x000000000073B000-memory.dmp

memory/568-63-0x0000000000400000-0x000000000073B000-memory.dmp

memory/568-65-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-67-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-69-0x0000000000400000-0x000000000073B000-memory.dmp

memory/744-70-0x0000000000400000-0x0000000000414000-memory.dmp

memory/400-71-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/276-72-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-75-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-76-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-79-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-82-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-85-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-88-0x0000000000A90000-0x0000000000B32000-memory.dmp

memory/276-91-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-96-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-99-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-102-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-105-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-108-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-111-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-112-0x0000000000A90000-0x0000000000B32000-memory.dmp

memory/276-113-0x0000000000A90000-0x0000000000B32000-memory.dmp

memory/276-117-0x0000000000400000-0x000000000073B000-memory.dmp

memory/276-120-0x0000000000400000-0x000000000073B000-memory.dmp