socks5systemz | 6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43

General

Target

6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.exe
Size

5.0MB
MD5

35b92d030e262bef50485db59c86b7c3
SHA1

6f781c15ddc5881ae447fa95713ee1675d911695
SHA256

6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43
SHA512

99afcb79411d8796c8d57dad73b64a181436cba4a6493fbb6633a1fb1ca2d5b412b7fd1b615d7daf6484167985e191ca024e552eea4e8a352714d89c9f98f7a0
SSDEEP

98304:CChJV3EdXD/IGm3j9yK3mUs6SjvNb1+7r80Hc/w+2dQxeE:Lh33EdXD/43j9yK37Z24r8rD2dQF

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3612-85-0x0000000002580000-0x0000000002622000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2540	6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.tmp
2168	playpadmediaplayer.exe
3612	playpadmediaplayer.exe

Loads dropped DLL 1 IoCs

pid	Process
2540	6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2540	6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 2540	4744	6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.exe	78
PID 4744 wrote to memory of 2540	4744	6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.exe	78
PID 4744 wrote to memory of 2540	4744	6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.exe	78
PID 2540 wrote to memory of 2168	2540	6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.tmp	79
PID 2540 wrote to memory of 2168	2540	6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.tmp	79
PID 2540 wrote to memory of 2168	2540	6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.tmp	79
PID 2540 wrote to memory of 3612	2540	6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.tmp	80
PID 2540 wrote to memory of 3612	2540	6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.tmp	80
PID 2540 wrote to memory of 3612	2540	6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.tmp	80

C:\Users\Admin\AppData\Local\Temp\6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.exe
"C:\Users\Admin\AppData\Local\Temp\6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\is-3OKMA.tmp\6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3OKMA.tmp\6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.tmp" /SL5="$6023C,4964786,54272,C:\Users\Admin\AppData\Local\Temp\6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\PlayPad Media Player\playpadmediaplayer.exe
    "C:\Users\Admin\AppData\Local\PlayPad Media Player\playpadmediaplayer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2168
- - C:\Users\Admin\AppData\Local\PlayPad Media Player\playpadmediaplayer.exe
    "C:\Users\Admin\AppData\Local\PlayPad Media Player\playpadmediaplayer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PlayPad Media Player\playpadmediaplayer.exe

Filesize
3.7MB

MD5
276978ad74e352e5e8603f77b87a6af2

SHA1
5a6f7d8974f4087069680d867926ccb017a22d14

SHA256
c72f3607f5659d42ec720f40bfb6a39dd6842564935b5554ccce811e016959ff

SHA512
027b68f450d4fc6b19bac39bf8da8762a8e06a32c3688e30ea2f50a72c22f19a4e0b126ded70bc22ffa8bec58dfd41c71f91d877db4f2a3387be7501150333fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3OKMA.tmp\6a50e80e12190c101015a6be216e9a76ac8687ad0ba1b5cfb66dcb6d36442e43.tmp

Filesize
680KB

MD5
524137d28ae971e15c538e096dd46657

SHA1
bd795a9007b3d9cb71f87d6208d1a68d63b5b84e

SHA256
a407389e9b69b8051bc927eb77e815adee175247d905554cb1f25694157dc8b7

SHA512
b0da8c4453e4943c53bec6799b85320eb847c117a38e601ff1c73382e5bfa665e3d423ece69951cecd112c1ed9dca7250924860377ccd422c53f890d90ee4ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GJP9I.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2168-62-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/2168-60-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/2168-63-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/2540-69-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2540-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3612-70-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-85-0x0000000002580000-0x0000000002622000-memory.dmp

Filesize
648KB

Download
memory/3612-114-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-111-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-108-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-73-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-76-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-79-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-82-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-67-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-88-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-93-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-96-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-99-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-102-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/3612-105-0x0000000000400000-0x00000000007AB000-memory.dmp

Filesize
3.7MB

Download
memory/4744-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4744-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4744-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing