socks5systemz | 9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14

General

Target

9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.exe
Size

4.5MB
MD5

ef2e9311ba56ecebdfa3fbe6fa0bf777
SHA1

5c77287e8f3b2d5cde20ac17eaec5ffa2f10f47e
SHA256

9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14
SHA512

33fbecd1c86ff146400b81d1561c36459be7bd37e7bd684c2c0caf2bcb1ec19e6df55a165059c88a3c1a5e663f97d4a19e0f058cbd97b9eedfcf59035c9f5290
SSDEEP

98304:mLDS2WmKwsdhwQWj3h6yUk+o0Cr3qFWLN2Igclrhy:EDOXhwjslkk86FU2Igx

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

diulroe.info

http://diulroe.info/search/?q=67e28dd8655bf57a4609f84c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa48e8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff614c2e69d9d3b

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2412-82-0x0000000000880000-0x0000000000922000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
3744	9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.tmp
4296	freeaudioextractor32.exe
2412	freeaudioextractor32.exe

Loads dropped DLL 1 IoCs

pid	Process
3744	9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3744	9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 3744	4360	9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.exe	75
PID 4360 wrote to memory of 3744	4360	9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.exe	75
PID 4360 wrote to memory of 3744	4360	9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.exe	75
PID 3744 wrote to memory of 4296	3744	9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.tmp	76
PID 3744 wrote to memory of 4296	3744	9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.tmp	76
PID 3744 wrote to memory of 4296	3744	9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.tmp	76
PID 3744 wrote to memory of 2412	3744	9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.tmp	77
PID 3744 wrote to memory of 2412	3744	9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.tmp	77
PID 3744 wrote to memory of 2412	3744	9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.tmp	77

C:\Users\Admin\AppData\Local\Temp\9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.exe
"C:\Users\Admin\AppData\Local\Temp\9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\Temp\is-B6VBF.tmp\9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-B6VBF.tmp\9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.tmp" /SL5="$70214,4467998,54272,C:\Users\Admin\AppData\Local\Temp\9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe
    "C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4296
- - C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe
    "C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Free Audio Extractor\freeaudioextractor32.exe

Filesize
2.7MB

MD5
c074c774129800002479a16143957cda

SHA1
d56ebc5e51c10aec0838cc2a7acb743fd6571429

SHA256
fe4d897e0810317cc08ee71679f90a2f762f0a70d3edfdc7b98f71822b2be41a

SHA512
aefd1f77e87eeb847b8610fa77338a450df966520862b77dbd120d7a08170947fe146d18bac81988d573f53fd597d9ef2e4e0fa16074fe672a364b114afd91c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B6VBF.tmp\9f61b727bfae34cedbba83d62afd2af2ce8663a97081f4b51c8da2b1610e3e14.tmp

Filesize
680KB

MD5
69e62e920ea701ca2ae646b718e7a1be

SHA1
b28ffdc19d54c7e2685936e901ff52be78ad41ce

SHA256
30f599a550139bded22aeed4e5194df4c528935f315bb8a1d5da852b3f5e9eb5

SHA512
9e3fbb6787ecdb07e33dd2c5234b1282aeb1fe43a0d34554f78162ba15342a9f133f3c6d8841e47e4977955e11f9064df4f94e319eb913234316a532624f8d47

Download Submit
\Users\Admin\AppData\Local\Temp\is-OPNMS.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2412-100-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-103-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-130-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-125-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-122-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-119-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-116-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-113-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-69-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-72-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-75-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-78-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-81-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-82-0x0000000000880000-0x0000000000922000-memory.dmp

Filesize
648KB

Download
memory/2412-86-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-91-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-94-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-97-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-110-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2412-106-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/3744-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3744-68-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4296-64-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4296-60-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4296-59-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/4360-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4360-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4360-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing