Analysis
Max time kernel: 143s
Max time network: 131s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 25-06-2024 14:07
Static task
static1
Behavioral tasks
behavioral1: crt.exe on win7-20240220-en
behavioral2: crt.exe on win10-20240404-en
behavioral3: crt.exe on win10v2004-20240611-en
behavioral4: crt.exe on win11-20240419-en
General
Target: crt.exe
Size: 5.1MB
MD5: 101f00585e773ec198e3e0721f0d582d
SHA1: c1ca25c1f6e709f61596d2be1843a629b171dd59
SHA256: 6185fdacf0b903ea8bb2eee380a0c60e314ad7da93c7833b188c796f3f97b5be
SHA512: 15c06517403fd1d492b40f3c8a60c392dc6a6087e8b9610e022906b977dc45b9087ed3e7b2091ff8522b766c9f441da2797bb70fb7942400f699a9717402c556
SSDEEP: 98304:mkwXtlj7PeddJb7xJvyRgG6P7rTpc91us3KLCZTf9X8oK878t:2Laddz1ymG6P7rtcCSKLCZD93C
Malware Config
Extracted family: socks5systemz
C2 domain: bheuiyo.com
C2 URLs:
http://bheuiyo.com/search/?q=67e28dd86554fa2a495aa4197c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a071ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a6e8dfd15c5ec96
http://bheuiyo.com/search/?q=67e28dd86554fa2a495aa4197c27d78406abdd88be4b12eab517aa5c96bd86e9938745885a8bbc896c58e713bc90c91836b5281fc235a925ed3e03d6bd974a95129070b616e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c9ec979e3ece6c
Signatures
Detect Socks5Systemz Payload (3 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2604-93-0x00000000023C0000-0x0000000002462000-memory.dmp   family_socks5systemz
behavioral1/memory/2604-115-0x00000000023C0000-0x0000000002462000-memory.dmp  family_socks5systemz
behavioral1/memory/2604-116-0x00000000023C0000-0x0000000002462000-memory.dmp  family_socks5systemz
Socks5Systemz
Socks5Systemz is a proxy botnet written in C++; infected hosts are turned into SOCKS5 proxy nodes controlled by the operators.
Executes dropped EXE (3 IoCs)
PID   process
2144  crt.tmp
2596  mp3ripfreeedition32.exe
2604  mp3ripfreeedition32.exe
Loads dropped DLL (5 IoCs)
PID   process
2792  crt.exe
2144  crt.tmp (4 loads)
Unexpected DNS network traffic destination (1 IoC)
Traffic on the DNS port (53) was sent to a server other than the configured DNS servers.
Destination IP: 91.211.247.248
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of FindShellTrayWindow (1 IoC)
PID   process
2144  crt.tmp
Suspicious use of WriteProcessMemory (15 IoCs)
source PID  source process  target PID  target process           events
2792        crt.exe         2144        crt.tmp                  7
2144        crt.tmp         2596        mp3ripfreeedition32.exe  4
2144        crt.tmp         2604        mp3ripfreeedition32.exe  4
Processes
1. C:\Users\Admin\AppData\Local\Temp\crt.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\crt.exe"
   PID: 2792
   Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-HRILE.tmp\crt.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-HRILE.tmp\crt.tmp" /SL5="$500F8,5052624,54272,C:\Users\Admin\AppData\Local\Temp\crt.exe"
      PID: 2144
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
         Command line: "C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -i
         PID: 2596
         Signatures: Executes dropped EXE
      3. C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
         Command line: "C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -s
         PID: 2604
         Signatures: Executes dropped EXE
The is-HRILE.tmp\crt.tmp stub launched with the /SL5= switch is the standard Inno Setup installer pattern: crt.exe is the setup loader, crt.tmp the extracted setup program, and mp3ripfreeedition32.exe the installed payload. The -s instance (PID 2604) is the process whose memory produced the Socks5Systemz YARA hits listed above.
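The tree above can be rebuilt mechanically from the report's flattened signature rows. The script below is an added example, not part of the sandbox report and not code from the Socks5Systemz family or from Inno Setup. Its inputs (the WriteProcessMemory rows, the four command lines and the three YARA resource names) are transcribed from this page; the /SL5= field layout it parses (loader window handle, offset of the embedded setup-0.bin header, offset of the setup-1.bin file data, path of the source exe) and the is-XXXXX.tmp directory pattern come from Inno Setup's SetupLdr behaviour, which the report itself does not describe. Function names (parse_write_events, build_tree, inno_setup_stub, yara_regions, render) are this example's own.

```python
"""Rebuild a sandbox process tree from 'PID X wrote to memory of Y' rows,
attach YARA memory-dump hits to the PIDs they belong to, and flag the
Inno Setup stub in the chain.  Added example; inputs are transcribed from
the report, not captured live."""
import re
from collections import Counter, defaultdict

# WriteProcessMemory rows exactly as the report prints them (7 + 4 + 4 = 15).
WRITE_EVENTS = (
    "PID 2792 wrote to memory of 2144 2792 crt.exe crt.tmp\n" * 7
    + "PID 2144 wrote to memory of 2596 2144 crt.tmp mp3ripfreeedition32.exe\n" * 4
    + "PID 2144 wrote to memory of 2604 2144 crt.tmp mp3ripfreeedition32.exe\n" * 4
)

# Command lines from the Processes section, keyed by PID.
COMMAND_LINES = {
    2792: r'"C:\Users\Admin\AppData\Local\Temp\crt.exe"',
    2144: r'"C:\Users\Admin\AppData\Local\Temp\is-HRILE.tmp\crt.tmp" '
          r'/SL5="$500F8,5052624,54272,C:\Users\Admin\AppData\Local\Temp\crt.exe"',
    2596: r'"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -i',
    2604: r'"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -s',
}

# (resource, rule) pairs from "Detect Socks5Systemz Payload".
YARA_HITS = [
    ("behavioral1/memory/2604-93-0x00000000023C0000-0x0000000002462000-memory.dmp", "family_socks5systemz"),
    ("behavioral1/memory/2604-115-0x00000000023C0000-0x0000000002462000-memory.dmp", "family_socks5systemz"),
    ("behavioral1/memory/2604-116-0x00000000023C0000-0x0000000002462000-memory.dmp", "family_socks5systemz"),
]

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
DUMP_RE = re.compile(r"/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Inno Setup's SetupLdr extracts the setup program to %TEMP%\is-XXXXX.tmp and runs it with
# /SL5="$<ldr hwnd hex>,<offset of setup-0.bin>,<offset of setup-1.bin>,<source exe>"
# (field meaning taken from SetupLdr, not from the report).
INNO_DIR_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\", re.I)
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')


def parse_write_events(text):
    """Count cross-process writes per (src_pid, src_name, dst_pid, dst_name) edge."""
    edges = Counter()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            src, dst, src_name, dst_name = m.groups()
            edges[(int(src), src_name, int(dst), dst_name)] += 1
    return edges


def build_tree(edges):
    """Return (roots, children): roots are PIDs nobody wrote into; children[pid] -> [(pid, name, writes)]."""
    children, names, targets = defaultdict(list), {}, set()
    for (src, src_name, dst, dst_name), n in sorted(edges.items()):
        children[src].append((dst, dst_name, n))
        names[src], names[dst] = src_name, dst_name
        targets.add(dst)
    roots = sorted((pid, names[pid]) for pid in names if pid not in targets)
    return roots, children


def inno_setup_stub(cmdline):
    """Parse the SetupLdr /SL5 switch; None when the command line is not an Inno Setup stub."""
    if not INNO_DIR_RE.search(cmdline):
        return None
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return {"ldr_hwnd": int(m.group(1), 16),
            "setup0_offset": int(m.group(2)),   # setup-0.bin header inside the source exe
            "setup1_offset": int(m.group(3)),   # setup-1.bin compressed file data
            "source_exe": m.group(4)}


def yara_regions(hits):
    """Map PID -> sorted distinct (start, end, size, rule) regions; repeated dumps collapse."""
    regions = defaultdict(set)
    for resource, rule in hits:
        m = DUMP_RE.search(resource)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions[int(m.group(1))].add((start, end, end - start, rule))
    return {pid: sorted(r) for pid, r in regions.items()}


def render(roots, children, cmdlines, regions):
    """Indented tree, one line per process, annotated with writes, stub data and YARA regions."""
    out = []

    def walk(pid, name, depth, writes):
        tag = f"{pid} {name}" + (f"  ({writes} WriteProcessMemory from parent)" if writes else "")
        stub = inno_setup_stub(cmdlines.get(pid, ""))
        if stub:
            tag += f"  [Inno Setup stub: setup-0.bin @ {stub['setup0_offset']}, setup-1.bin @ {stub['setup1_offset']}]"
        for start, end, size, rule in regions.get(pid, []):
            tag += f"  [{rule} 0x{start:X}-0x{end:X}, {size} bytes]"
        out.append("  " * depth + tag)
        for child, child_name, n in children.get(pid, []):
            walk(child, child_name, depth + 1, n)

    for pid, name in roots:
        walk(pid, name, 0, 0)
    return out


if __name__ == "__main__":
    edges = parse_write_events(WRITE_EVENTS)
    roots, children = build_tree(edges)
    print("\n".join(render(roots, children, COMMAND_LINES, yara_regions(YARA_HITS))))
```

Run as-is it prints a four-line tree rooted at PID 2792. Two details fall out that the flat tables hide: the three memory dumps for PID 2604 all cover the same 0x23C0000-0x2462000 range (0xA2000 bytes), so the rule matched one unpacked region at three points in time rather than three payloads; and the /SL5= offsets place the installer's file data at byte 54272, directly behind the loader stub, with the setup header near the end of the 5.1MB file, which is the usual Inno Setup layout.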
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 3.2MB
MD5: 9e75cd003585ff2f172a841d41ed6d75
SHA1: 9d551f43cfeb84d1a585d53d2bdde8e17be436bc
SHA256: c576f2f3581928de1e62be3e4efff1b5c5415e89c3bdc0cd5536ce41a781c370
SHA512: 817c32c8943325d27723274425c4fa5c3fb7f36c52a2c85f8038e956033edf96b5d9340df3238865b706fffd8094b1ba3e940bcc17e2feae24d1b15fe2fac67c
File 2
Filesize: 680KB
MD5: 9a46eeaa9fb1370478ba7108b30aab2b
SHA1: 045f0a44dd0f4710013a390da2865a2fac04389e
SHA256: 71693251b98a555e6e01fcabf559218ad137f5de772218631147c3d87fc31820
SHA512: 89ee61a63303ee11d77596e80e0abec6ede6c1fbba1b6bc6ee50991da335426b4fb0cc7d7a90c3c33d56dda222592a3090e771b9fcaef2f6e5951b78467fef66
File 3
Filesize: 2KB
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
File 4
Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3