socks5systemz | 7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7

General

Target

7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.exe
Size

5.2MB
MD5

be93baa9013c02fafdab665e9f49a12e
SHA1

63ba9081015417d500a981da12ab2827c0553d5a
SHA256

7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7
SHA512

2f142bee27656f73ce9a04cf6e703cd2c135044a06c11a12fc66414b74ca6396508401bff9fc4e8f3d820ef145c63f83c0221c90db9b3ca5dc2e29c03b524c08
SSDEEP

98304:CY0jURv5c5eP+e29vB2LChIgiWjRYrlJ5jHkRhQXU6zSfPWV7WcLpGJJgQxsKh:ojUtvmn9vB2LChfiWjRYrv5jERiMWZB8

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2640-85-0x0000000000A50000-0x0000000000AF2000-memory.dmp	family_socks5systemz
behavioral1/memory/2640-108-0x0000000000A50000-0x0000000000AF2000-memory.dmp	family_socks5systemz
behavioral1/memory/2640-109-0x0000000000A50000-0x0000000000AF2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
632	7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.tmp
5116	audioshell.exe
2640	audioshell.exe

Loads dropped DLL 1 IoCs

pid	Process
632	7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
632	7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 632	4176	7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.exe	83
PID 4176 wrote to memory of 632	4176	7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.exe	83
PID 4176 wrote to memory of 632	4176	7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.exe	83
PID 632 wrote to memory of 5116	632	7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.tmp	85
PID 632 wrote to memory of 5116	632	7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.tmp	85
PID 632 wrote to memory of 5116	632	7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.tmp	85
PID 632 wrote to memory of 2640	632	7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.tmp	86
PID 632 wrote to memory of 2640	632	7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.tmp	86
PID 632 wrote to memory of 2640	632	7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.tmp	86

C:\Users\Admin\AppData\Local\Temp\7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.exe
"C:\Users\Admin\AppData\Local\Temp\7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Users\Admin\AppData\Local\Temp\is-9EIJN.tmp\7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9EIJN.tmp\7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.tmp" /SL5="$C0048,5204821,54272,C:\Users\Admin\AppData\Local\Temp\7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Users\Admin\AppData\Local\Audio Shell\audioshell.exe
    "C:\Users\Admin\AppData\Local\Audio Shell\audioshell.exe" -i
    3⤵
    - Executes dropped EXE
    PID:5116
- - C:\Users\Admin\AppData\Local\Audio Shell\audioshell.exe
    "C:\Users\Admin\AppData\Local\Audio Shell\audioshell.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Audio Shell\audioshell.exe

Filesize
3.9MB

MD5
fd9fd0131cdec52d70cd04568319ff45

SHA1
e95a3d18bbe5668a7af8e9d422ee8ead4e9b20eb

SHA256
37ffcf0fd484c4225d0ab779b48e6303d4e2d5b573078f1e2724031b8356fbdb

SHA512
d9db12a49223522940786ba13de911b984163ef9042369c5b2369ca26aed6b5e4599008911e0d3a3b9aca96442eb0bd696b7904c21407e0365f1950aab587a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9EIJN.tmp\7dbdb27b68d114532a9dbd9013202b3a70206e619ba9618d954c4c14822200c7.tmp

Filesize
680KB

MD5
988df08d3a4bc7669c80bc468920b130

SHA1
cbb107a7d82bfd34738cba52f2dd765e21598c1d

SHA256
eeeadd9a840af983cfbcc630683690c097558f379d43184f7d03498b6ac59e93

SHA512
dd91d39138a3d8608f26f57e60d0563ba04ef5a00aedb048651e3ba8ecc8d5ffd5b826a391f7a44071e25fb190354f4436056f07ef16eae5768beaa06dc359f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ILUU2.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/632-69-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/632-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2640-95-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-104-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-116-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-113-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-109-0x0000000000A50000-0x0000000000AF2000-memory.dmp

Filesize
648KB

Download
memory/2640-67-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-108-0x0000000000A50000-0x0000000000AF2000-memory.dmp

Filesize
648KB

Download
memory/2640-107-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-70-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-73-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-76-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-79-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-82-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-85-0x0000000000A50000-0x0000000000AF2000-memory.dmp

Filesize
648KB

Download
memory/2640-89-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-92-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-101-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2640-98-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/4176-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4176-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4176-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5116-61-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/5116-64-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/5116-63-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/5116-60-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing