socks5systemz | ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d

General

Target

ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.exe
Size

5.0MB
MD5

02ffa1ceea65c01b6b3f19e2f369ca9f
SHA1

d68175d389768429d8944a20233ffa4c9e4ecf66
SHA256

ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d
SHA512

ec34ab18d698b6f28cff873c4e64d3a7d01f644ffc34c7a9ada0e1cd1e1e0cc078769d3f1fa285cc266165761887a98517a43afb3d795f200a2424a9ebdfc316
SSDEEP

98304:CrlEwpu6AaDyD6TB6EGvYcihxgfx+ST98KzNjWg0fSeYQxLFa:Ens646TBZBDyICzdWW9Q/a

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/580-85-0x0000000002710000-0x00000000027B2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1680	ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.tmp
1796	djpromix.exe
580	djpromix.exe

Loads dropped DLL 1 IoCs

pid	Process
1680	ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1680	ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 1680	2760	ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.exe	78
PID 2760 wrote to memory of 1680	2760	ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.exe	78
PID 2760 wrote to memory of 1680	2760	ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.exe	78
PID 1680 wrote to memory of 1796	1680	ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.tmp	79
PID 1680 wrote to memory of 1796	1680	ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.tmp	79
PID 1680 wrote to memory of 1796	1680	ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.tmp	79
PID 1680 wrote to memory of 580	1680	ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.tmp	80
PID 1680 wrote to memory of 580	1680	ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.tmp	80
PID 1680 wrote to memory of 580	1680	ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.tmp	80

C:\Users\Admin\AppData\Local\Temp\ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.exe
"C:\Users\Admin\AppData\Local\Temp\ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\is-QL5EM.tmp\ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QL5EM.tmp\ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.tmp" /SL5="$502F8,5041388,54272,C:\Users\Admin\AppData\Local\Temp\ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Local\DJ Pro Mix\djpromix.exe
    "C:\Users\Admin\AppData\Local\DJ Pro Mix\djpromix.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1796
- - C:\Users\Admin\AppData\Local\DJ Pro Mix\djpromix.exe
    "C:\Users\Admin\AppData\Local\DJ Pro Mix\djpromix.exe" -s
    3⤵
    - Executes dropped EXE
    PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DJ Pro Mix\djpromix.exe

Filesize
3.7MB

MD5
34db4c69dd223732d5525f0e3365b1bf

SHA1
9d64e89858f1479f8b199f77fd779dddc2da8705

SHA256
5b08f80b34415cd0a3181c9d31719ceb58d61ef645b6bc9215b77dc29ca4b48e

SHA512
4c02df2377072d42d5075df97b1623f550be6f5ea8ef5e71ffd46205866610629cea55da13966fe780ffd5b4f5746b837f88e8c0fbe79b586e1696bacd804a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O5PM3.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QL5EM.tmp\ef4865609eae84f39ed1c845428a7e6617f446f8eea36be82ecf50f6226e495d.tmp

Filesize
680KB

MD5
5be2e5b272a277f7cbd2270c9d88072a

SHA1
066fa4dfa4920e42fa8ed3a3a7b2d2672b2637ba

SHA256
a14b5ee688dc1281408be842188cf19c5d9bc84f18275745a76539b86fabdee8

SHA512
0a61906bbf0a00889ef0f4b457259c8b11f8d41f32689ae39d96fe7bd440c6e0dee753278f78ece74dbfc88df41ee72dcd37a2fab6ae550f1baac86c0e268d34

Download Submit
memory/580-97-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-80-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-115-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-112-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-109-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-106-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-103-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-68-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-100-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-94-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-71-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-74-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-77-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-89-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-83-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/580-85-0x0000000002710000-0x00000000027B2000-memory.dmp

Filesize
648KB

Download
memory/1680-13-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1680-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1796-63-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/1796-65-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/1796-61-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/1796-59-0x0000000000400000-0x00000000007BC000-memory.dmp

Filesize
3.7MB

Download
memory/2760-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2760-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2760-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing