Analysis

max time kernel: 143s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 14:07
Static task: static1

Behavioral tasks:
- behavioral1: sample crt.exe, resource win7-20240220-en
- behavioral2: sample crt.exe, resource win10-20240404-en
- behavioral3: sample crt.exe, resource win10v2004-20240611-en
- behavioral4: sample crt.exe, resource win11-20240419-en
General

Target: crt.exe
Size: 5.1MB
MD5: 101f00585e773ec198e3e0721f0d582d
SHA1: c1ca25c1f6e709f61596d2be1843a629b171dd59
SHA256: 6185fdacf0b903ea8bb2eee380a0c60e314ad7da93c7833b188c796f3f97b5be
SHA512: 15c06517403fd1d492b40f3c8a60c392dc6a6087e8b9610e022906b977dc45b9087ed3e7b2091ff8522b766c9f441da2797bb70fb7942400f699a9717402c556
SSDEEP: 98304:mkwXtlj7PeddJb7xJvyRgG6P7rTpc91us3KLCZTf9X8oK878t:2Laddz1ymG6P7rtcCSKLCZD93C
Malware Config

Extracted family: socks5systemz
Domain: eberzge.ua
URLs:
- http://eberzge.ua/search/?q=67e28dd86e09a721465dff1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa44e8889b5e4fa9281ae978f771ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ff612c2eb909939
- http://eberzge.ua/search/?q=67e28dd86e09a721465dff1c7c27d78406abdd88be4b12eab517aa5c96bd86e590834596148ab2865b77f80ebad9cc0f7cb63037ed2ab423a4324383ba915d911ec07bb606a0708727e40ea678c45abbe74ffb0e2807e12571c17f3e83fe16c1e696983fc86c94
Signatures

Detect Socks5Systemz Payload (3 IoCs)
  resource                                                                   | yara_rule
  behavioral3/memory/1124-86-0x00000000009C0000-0x0000000000A62000-memory.dmp  | family_socks5systemz
  behavioral3/memory/1124-109-0x00000000009C0000-0x0000000000A62000-memory.dmp | family_socks5systemz
  behavioral3/memory/1124-110-0x00000000009C0000-0x0000000000A62000-memory.dmp | family_socks5systemz

Socks5Systemz
  Socks5Systemz is a botnet written in C++.

Executes dropped EXE (3 IoCs)
  pid  | process
  3812 | crt.tmp
  3192 | mp3ripfreeedition32.exe
  1124 | mp3ripfreeedition32.exe

Loads dropped DLL (1 IoC)
  pid  | process
  3812 | crt.tmp

Unexpected DNS network traffic destination (1 IoC)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description    | ioc
  Destination IP | 152.89.198.214

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of FindShellTrayWindow (1 IoC)
  pid  | process
  3812 | crt.tmp

Suspicious use of WriteProcessMemory (9 IoCs)
  description                 | pid  | process | target pid | target process
  PID 3776 wrote to memory of 3812 | 3776 | crt.exe | 3812 | crt.tmp
  PID 3776 wrote to memory of 3812 | 3776 | crt.exe | 3812 | crt.tmp
  PID 3776 wrote to memory of 3812 | 3776 | crt.exe | 3812 | crt.tmp
  PID 3812 wrote to memory of 3192 | 3812 | crt.tmp | 3192 | mp3ripfreeedition32.exe
  PID 3812 wrote to memory of 3192 | 3812 | crt.tmp | 3192 | mp3ripfreeedition32.exe
  PID 3812 wrote to memory of 3192 | 3812 | crt.tmp | 3192 | mp3ripfreeedition32.exe
  PID 3812 wrote to memory of 1124 | 3812 | crt.tmp | 1124 | mp3ripfreeedition32.exe
  PID 3812 wrote to memory of 1124 | 3812 | crt.tmp | 1124 | mp3ripfreeedition32.exe
  PID 3812 wrote to memory of 1124 | 3812 | crt.tmp | 1124 | mp3ripfreeedition32.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\crt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\crt.exe"
  PID: 3776
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-IQTDS.tmp\crt.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-IQTDS.tmp\crt.tmp" /SL5="$8020A,5052624,54272,C:\Users\Admin\AppData\Local\Temp\crt.exe"
    PID: 3812
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
      Command line: "C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -i
      PID: 3192
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe
      Command line: "C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32.exe" -s
      PID: 1124
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.2MB
  MD5: 9e75cd003585ff2f172a841d41ed6d75
  SHA1: 9d551f43cfeb84d1a585d53d2bdde8e17be436bc
  SHA256: c576f2f3581928de1e62be3e4efff1b5c5415e89c3bdc0cd5536ce41a781c370
  SHA512: 817c32c8943325d27723274425c4fa5c3fb7f36c52a2c85f8038e956033edf96b5d9340df3238865b706fffd8094b1ba3e940bcc17e2feae24d1b15fe2fac67c

- Filesize: 680KB
  MD5: 9a46eeaa9fb1370478ba7108b30aab2b
  SHA1: 045f0a44dd0f4710013a390da2865a2fac04389e
  SHA256: 71693251b98a555e6e01fcabf559218ad137f5de772218631147c3d87fc31820
  SHA512: 89ee61a63303ee11d77596e80e0abec6ede6c1fbba1b6bc6ee50991da335426b4fb0cc7d7a90c3c33d56dda222592a3090e771b9fcaef2f6e5951b78467fef66

- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63