socks5systemz | ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11

General

Target

ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.exe
Size

5.1MB
MD5

cf00c83a68ee9108f32cbf084b225404
SHA1

722633eb9793d8a629c76dc497b0ae2c9807676d
SHA256

ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11
SHA512

a4ff2800a53b2740a37013b006c40d7e253a7a8a0efa1f527dda56f213b08a337f90e0f01f7ee5d86b217aace7a1dec7f054c56d3fae55a792237721ed4d1245
SSDEEP

98304:CCGTIeuarSo3xO/ZL0T7MGdrQlKhe/q2FiCQU4ctKwL5BG1d8iXeBZQxg:LGTIYR3cKPhaKgViCwcdBGsiXiZQC

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3848-85-0x0000000000980000-0x0000000000A21000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
3572	ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.tmp
424	totalrecorderfree32_64.exe
3848	totalrecorderfree32_64.exe

Loads dropped DLL 1 IoCs

pid	Process
3572	ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31
Destination IP	91.211.247.248
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3572	ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 3572	4372	ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.exe	77
PID 4372 wrote to memory of 3572	4372	ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.exe	77
PID 4372 wrote to memory of 3572	4372	ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.exe	77
PID 3572 wrote to memory of 424	3572	ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.tmp	78
PID 3572 wrote to memory of 424	3572	ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.tmp	78
PID 3572 wrote to memory of 424	3572	ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.tmp	78
PID 3572 wrote to memory of 3848	3572	ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.tmp	79
PID 3572 wrote to memory of 3848	3572	ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.tmp	79
PID 3572 wrote to memory of 3848	3572	ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.tmp	79

C:\Users\Admin\AppData\Local\Temp\ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.exe
"C:\Users\Admin\AppData\Local\Temp\ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\is-5522T.tmp\ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5522T.tmp\ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.tmp" /SL5="$60060,5112432,54272,C:\Users\Admin\AppData\Local\Temp\ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe
    "C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe" -i
    3⤵
    - Executes dropped EXE
    PID:424
- - C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe
    "C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-5522T.tmp\ce34435bf933ee44e1976fee196b78fb8ef1abd6dc1a7159016b8417e3b0cc11.tmp

Filesize
680KB

MD5
32f6596e136f3f8cfa1fbfd85acef958

SHA1
44411edb185b448613ac7dcfc24a6e2c0da382a3

SHA256
cd40719fec44d56ec09eeabfd56896f6bc80d4cd982f042068baca42141b4713

SHA512
e75005af4acd5ec4f53d584da8fbb2a72358af818dd6643e7eb5b862b3be582ed9cc8c8fb205b04ac2356da87826ab088c0ec658ee890a7605fd32be9b01d626

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JFE6G.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe

Filesize
3.3MB

MD5
d367059924889eea5391183656962d93

SHA1
20835707cf60f85fd15c03765e20ab1e4df79a8d

SHA256
8d6669cd366c05f4c5b28e867abf61964023b9f138c8e8d1ca761ed32a2a5e6c

SHA512
54e6ee38e4b59ce49649db2f181a8c57fd995f92d07de73e08580610517f3a7ccdd1f54a277456b7cc11d245e7ff029bdcc8d36f9a67b74e28da4e8dd8713d32

Download Submit
memory/424-59-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/424-63-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/424-64-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/424-60-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3572-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3572-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3848-71-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-85-0x0000000000980000-0x0000000000A21000-memory.dmp

Filesize
644KB

Download
memory/3848-66-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-116-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-113-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-110-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-74-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-75-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-78-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-81-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-84-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-68-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-90-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-95-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-98-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-101-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-104-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3848-107-0x0000000000400000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/4372-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4372-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4372-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing