Malware Analysis Report

2024-11-15 04:58

Sample ID: 240625-wlgz6athrf
Target: ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e
SHA256: ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e
Tags: socks5systemz, botnet, discovery
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e

Threat Level: Known bad

The file ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Detect Socks5Systemz Payload

Socks5Systemz

Loads dropped DLL

Executes dropped EXE

Unexpected DNS network traffic destination

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 18:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 18:00

Reported

2024-06-25 18:02

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A

Socks5Systemz

Tags: botnet, socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A
Destination IP 91.211.247.248 N/A N/A
Destination IP 152.89.198.214 N/A N/A

Checks installed software on the system

Tags: discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp
PID 2796 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp
PID 2796 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp
PID 1244 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe
PID 1244 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe
PID 1244 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe
PID 1244 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe
PID 1244 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe
PID 1244 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe

"C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe"

C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp" /SL5="$501C6,5136792,54272,C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe"

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe" -i

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe" -s

Network

Country Destination Domain Proto
LT 91.211.247.248:53 bwptvoi.com udp
US 8.8.8.8:53 248.247.211.91.in-addr.arpa udp
RU 152.89.198.214:53 bwptvoi.com udp
US 8.8.8.8:53 214.198.89.152.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
LT 91.211.247.248:53 bwptvoi.com udp

Files

memory/2796-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2796-3-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UKV1L.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp

MD5 ae871319d0d4d3476a2ee92baee3bcb4
SHA1 71d7efc96eea4bef5a234f257a2d4185a078acfb
SHA256 2565484ec7cfe4452ba2012b2a4587a9028f0983ac6502ecfbb20e6e9bcd4f28
SHA512 7a40d2d15a576bf336677d32d385bdf197a4ee7139fa07d5f7009435d6967b09d54a83b3e2d33e7e99f0bde2e5e0263efa6d1d0c057a666422abd6d3dcfb02c2

memory/1244-16-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-RDVGT.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe

MD5 a84617568394f531d69584d4f0713ee2
SHA1 cfff24a7009f728718ce3e481884306a8eae3d8c
SHA256 b182479179554c9e36dedca69e53458d3e12c6c0e91b02369bff51d9330e2f75
SHA512 33ea099b56798e7b5df11681268843b0cfe60cc9973462457026de8995a1cc5aae75a7619e3a32ea105f85e4dc9e7344df3875a2abc01596decb13a2e2a8a0a7

memory/1212-59-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1212-60-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1212-63-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1212-64-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-66-0x0000000000400000-0x000000000074E000-memory.dmp

memory/2796-68-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1244-69-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/1428-70-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-73-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-76-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-79-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-82-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-85-0x0000000000950000-0x00000000009F2000-memory.dmp

memory/1428-87-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-92-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-95-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-98-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-101-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-104-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-107-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-110-0x0000000000400000-0x000000000074E000-memory.dmp

memory/1428-113-0x0000000000400000-0x000000000074E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 18:00

Reported

2024-06-25 18:02

Platform

win11-20240508-en

Max time kernel

141s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

Tags: botnet, socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Checks installed software on the system

Tags: discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp
PID 5032 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp
PID 5032 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp
PID 3476 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe
PID 3476 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe
PID 3476 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe
PID 3476 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe
PID 3476 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe
PID 3476 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe

"C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe"

C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp" /SL5="$A0070,5136792,54272,C:\Users\Admin\AppData\Local\Temp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.exe"

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe" -i

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe

"C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe" -s

Network

Country Destination Domain Proto
LT 91.211.247.248:53 dlfbwyy.info udp
TR 94.156.8.80:80 dlfbwyy.info tcp
NL 89.105.201.183:2023 tcp
US 8.8.8.8:53 80.8.156.94.in-addr.arpa udp
US 8.8.8.8:53 183.201.105.89.in-addr.arpa udp

Files

memory/5032-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5032-3-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4D833.tmp\ad7fe7912d1b7a9cf91c94cde647e9f3bf1e6c1de871df17218e94096fcdd40e.tmp

MD5 ae871319d0d4d3476a2ee92baee3bcb4
SHA1 71d7efc96eea4bef5a234f257a2d4185a078acfb
SHA256 2565484ec7cfe4452ba2012b2a4587a9028f0983ac6502ecfbb20e6e9bcd4f28
SHA512 7a40d2d15a576bf336677d32d385bdf197a4ee7139fa07d5f7009435d6967b09d54a83b3e2d33e7e99f0bde2e5e0263efa6d1d0c057a666422abd6d3dcfb02c2

C:\Users\Admin\AppData\Local\Temp\is-HRO6F.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/3476-16-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\MP3 RIP Free Edition\mp3ripfreeedition32_64.exe

MD5 a84617568394f531d69584d4f0713ee2
SHA1 cfff24a7009f728718ce3e481884306a8eae3d8c
SHA256 b182479179554c9e36dedca69e53458d3e12c6c0e91b02369bff51d9330e2f75
SHA512 33ea099b56798e7b5df11681268843b0cfe60cc9973462457026de8995a1cc5aae75a7619e3a32ea105f85e4dc9e7344df3875a2abc01596decb13a2e2a8a0a7

memory/2256-59-0x0000000000400000-0x000000000074E000-memory.dmp

memory/2256-60-0x0000000000400000-0x000000000074E000-memory.dmp

memory/2256-65-0x0000000000400000-0x000000000074E000-memory.dmp

memory/2256-64-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4660-68-0x0000000000400000-0x000000000074E000-memory.dmp

memory/5032-69-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3476-70-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4660-71-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-74-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-75-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-78-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-81-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-84-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-87-0x0000000000AA0000-0x0000000000B42000-memory.dmp

memory/4660-88-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-94-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-97-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-100-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-103-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-106-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-109-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-110-0x0000000000AA0000-0x0000000000B42000-memory.dmp

memory/4660-111-0x0000000000AA0000-0x0000000000B42000-memory.dmp

memory/4660-115-0x0000000000400000-0x000000000074E000-memory.dmp

memory/4660-118-0x0000000000400000-0x000000000074E000-memory.dmp