Malware Analysis Report

2024-11-15 04:58

Sample ID 240625-qc3ydavbqm
Target 6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9
SHA256 6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9
Tags
socks5systemz botnet discovery
score
10/10

Analysis Overview

score
10/10

SHA256

6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9

Threat Level: Known bad

The file 6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9 was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Detect Socks5Systemz Payload

Socks5Systemz

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 13:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 13:07

Reported

2024-06-25 13:10

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4104 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp
PID 4104 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp
PID 4104 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp
PID 4936 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 4936 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 4936 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 4936 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 4936 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 4936 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe

"C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe"

C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp" /SL5="$800E0,4893059,54272,C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe"

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -i

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -s

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
HK 141.98.234.31:53 ccbnguf.net udp
TR 94.156.8.80:80 ccbnguf.net tcp
NL 89.105.201.183:2023 tcp
US 8.8.8.8:53 80.8.156.94.in-addr.arpa udp
US 8.8.8.8:53 31.234.98.141.in-addr.arpa udp
US 8.8.8.8:53 183.201.105.89.in-addr.arpa udp

Files

memory/4104-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4104-3-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SK0D4.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp

MD5 2620d1ee4c2ea193c4cc310d985e2288
SHA1 de6aed97e1aa90a602c746be1d8aba249773c884
SHA256 6912e9b9c05e86753dabadc66c64118563ec7fb8905aa943abe288e08dc5524a
SHA512 cf39eee2e27d6f944cffda162ff7285d4aa0fd9c70a923426c6e227497f9650c225634d75212a06cb30aa36041b77b0ff10df34ca6560edfea56bbfed46ded2b

memory/4936-12-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8F0O3.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

MD5 996b2aae3843b80bf9254c2094a988bb
SHA1 6fad18dc60840cc28825cb142aa2d2f45d139a9c
SHA256 0e30d081254cf6f9f8dcbfb77466becdb12665b9821e028a6e5a9904ab6f18bf
SHA512 6763d963a7e5bf3c0e7ab3fbfc9141916ed627b2c2fcdaac4e1e2eaa94078f612f29b54e732ceff32d08eb713aa02251129adedca04780178b9fc45e3f98587e

memory/3932-59-0x0000000000400000-0x0000000000705000-memory.dmp

memory/3932-63-0x0000000000400000-0x0000000000705000-memory.dmp

memory/3932-65-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-67-0x0000000000400000-0x0000000000705000-memory.dmp

memory/3932-60-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4104-69-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4936-70-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4388-71-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-74-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-77-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-80-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-83-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-86-0x0000000000960000-0x0000000000A02000-memory.dmp

memory/4388-88-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-93-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-96-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-99-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-102-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-105-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-108-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-110-0x0000000000960000-0x0000000000A02000-memory.dmp

memory/4388-109-0x0000000000960000-0x0000000000A02000-memory.dmp

memory/4388-114-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4388-117-0x0000000000400000-0x0000000000705000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 13:07

Reported

2024-06-25 13:10

Platform

win11-20240508-en

Max time kernel

141s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3820 wrote to memory of 124 N/A C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp
PID 3820 wrote to memory of 124 N/A C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp
PID 3820 wrote to memory of 124 N/A C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp
PID 124 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 124 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 124 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 124 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 124 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
PID 124 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe

"C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe"

C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp" /SL5="$60102,4893059,54272,C:\Users\Admin\AppData\Local\Temp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.exe"

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -i

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -s

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp
HK 141.98.234.31:53 ddehewj.info udp
TR 94.156.8.80:80 ddehewj.info tcp
NL 89.105.201.183:2023 tcp
US 8.8.8.8:53 183.201.105.89.in-addr.arpa udp
US 8.8.8.8:53 31.234.98.141.in-addr.arpa udp

Files

memory/3820-2-0x0000000000401000-0x000000000040B000-memory.dmp

memory/3820-0-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SJ6T9.tmp\6f47a85be9fd6a3dba1393c571fce6b7fa1d8d80355fd0604673bb26e8cc0bd9.tmp

MD5 2620d1ee4c2ea193c4cc310d985e2288
SHA1 de6aed97e1aa90a602c746be1d8aba249773c884
SHA256 6912e9b9c05e86753dabadc66c64118563ec7fb8905aa943abe288e08dc5524a
SHA512 cf39eee2e27d6f944cffda162ff7285d4aa0fd9c70a923426c6e227497f9650c225634d75212a06cb30aa36041b77b0ff10df34ca6560edfea56bbfed46ded2b

memory/124-16-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-95R0E.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe

MD5 996b2aae3843b80bf9254c2094a988bb
SHA1 6fad18dc60840cc28825cb142aa2d2f45d139a9c
SHA256 0e30d081254cf6f9f8dcbfb77466becdb12665b9821e028a6e5a9904ab6f18bf
SHA512 6763d963a7e5bf3c0e7ab3fbfc9141916ed627b2c2fcdaac4e1e2eaa94078f612f29b54e732ceff32d08eb713aa02251129adedca04780178b9fc45e3f98587e

memory/3200-59-0x0000000000400000-0x0000000000705000-memory.dmp

memory/3200-60-0x0000000000400000-0x0000000000705000-memory.dmp

memory/3200-63-0x0000000000400000-0x0000000000705000-memory.dmp

memory/3200-65-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-68-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-69-0x0000000000400000-0x0000000000705000-memory.dmp

memory/3820-70-0x0000000000400000-0x0000000000414000-memory.dmp

memory/124-71-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4304-72-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-75-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-76-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-79-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-82-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-85-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-87-0x0000000000AA0000-0x0000000000B42000-memory.dmp

memory/4304-91-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-96-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-99-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-102-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-105-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-108-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-111-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-113-0x0000000000AA0000-0x0000000000B42000-memory.dmp

memory/4304-112-0x0000000000AA0000-0x0000000000B42000-memory.dmp

memory/4304-117-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4304-120-0x0000000000400000-0x0000000000705000-memory.dmp