socks5systemz | 175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba

General

Target

175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.exe
Size

5.6MB
MD5

16fa6edcfbdcda17d4ccb2075a06ac10
SHA1

cc2e6c3952e53c3958bbbf3dbe341b7a48f9ce51
SHA256

175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba
SHA512

a8707b71635b8027bf46145988e471fbc063ed1161996100914061ea82c210585574bdfc4a6ccb08f6f0e57399217d6e8f08a0da2778a2b34468f93db76606bb
SSDEEP

98304:CQBXbTRcEDTsJ0FOXrW3zTNXUs7ANLIm5+jKTBp1Kh6mGF95jtIrwk4n/OF1lOxs:DFPm00Wb7ApIMAKZQQ3tIrwk8UP6KjQ0

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/748-87-0x0000000000960000-0x0000000000A02000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
764	175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.tmp
3436	pionaudioplayer32_64.exe
748	pionaudioplayer32_64.exe

Loads dropped DLL 1 IoCs

pid	Process
764	175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248
Destination IP	152.89.198.214
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
764	175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 764	744	175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.exe	82
PID 744 wrote to memory of 764	744	175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.exe	82
PID 744 wrote to memory of 764	744	175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.exe	82
PID 764 wrote to memory of 3436	764	175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.tmp	83
PID 764 wrote to memory of 3436	764	175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.tmp	83
PID 764 wrote to memory of 3436	764	175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.tmp	83
PID 764 wrote to memory of 748	764	175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.tmp	84
PID 764 wrote to memory of 748	764	175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.tmp	84
PID 764 wrote to memory of 748	764	175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.tmp	84

C:\Users\Admin\AppData\Local\Temp\175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.exe
"C:\Users\Admin\AppData\Local\Temp\175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\is-3V67D.tmp\175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3V67D.tmp\175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.tmp" /SL5="$501C6,5662893,54272,C:\Users\Admin\AppData\Local\Temp\175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Users\Admin\AppData\Local\Pion Audio Player\pionaudioplayer32_64.exe
    "C:\Users\Admin\AppData\Local\Pion Audio Player\pionaudioplayer32_64.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3436
- - C:\Users\Admin\AppData\Local\Pion Audio Player\pionaudioplayer32_64.exe
    "C:\Users\Admin\AppData\Local\Pion Audio Player\pionaudioplayer32_64.exe" -s
    3⤵
    - Executes dropped EXE
    PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Pion Audio Player\pionaudioplayer32_64.exe

Filesize
4.1MB

MD5
f4eefd35219d9e65a64855d9f94dd5b9

SHA1
3af379db15f7f15f72722e1ecf24c415f6cebc82

SHA256
cbe3057b43fe861ba718b5033798f87a4299c2e4b7711948e0f1a6e0906041c8

SHA512
504bda7777fe20c366673443ab7bcbc9fea26270dfe99f3522745598518043cd55dbaed341ae747d3e3f26b8d03ead25b9e2409d4cfd518502bac5277e48984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3V67D.tmp\175ce404485f45360381c4878ed313d23991519513f5fac54f747ad16dd94aba.tmp

Filesize
680KB

MD5
3db35bbd1102c6e1e2c4741de8e35885

SHA1
c6cf06cef7398cb37208de71b2272c81b0097720

SHA256
e5183e6cc3aa5136a77e51d80ee4a3dca62c9f030b38a9446c80dd1b8d9d1666

SHA512
37134467c71c020fb17f0506443d85280ad03662410ca82d32deb276bf91bf27c411083fd2a9f85d60ecc08f6e7508a9d0ff64c7062cb30748364d6d2403aebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VSAME.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/744-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/744-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/744-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/748-89-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-94-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-115-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-112-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-67-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-68-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-109-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-106-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-71-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-74-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-75-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-78-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-81-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-84-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-87-0x0000000000960000-0x0000000000A02000-memory.dmp

Filesize
648KB

Download
memory/748-103-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-100-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/748-97-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/764-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/764-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3436-61-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/3436-59-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/3436-64-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/3436-60-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing