socks5systemz | 8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938

General

Target

8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.exe
Size

5.3MB
MD5

8c09e5c95d0a1033392e82797514c6d0
SHA1

58172e2bb02224c95cd57f3ccbe3b036acc8e9a7
SHA256

8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938
SHA512

26015f11e43919f99e1726d2a8505b351bc340282ccfa0d7af7fd70fef0850983270ec35281a5d64fb0150baa55a74caaa13c3ffa70da477d2ba25410b1c4053
SSDEEP

98304:CP+YQ5g0TNk4Onfet+FBjlY+itRmgkRkp/BXrrGc4oXAvch/dttqUdzQxwv:4ugCSfe8FV0RmjEFrrGPoXASvdzQo

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/196-85-0x0000000000BA0000-0x0000000000C42000-memory.dmp	family_socks5systemz
behavioral2/memory/196-127-0x0000000000BA0000-0x0000000000C42000-memory.dmp	family_socks5systemz
behavioral2/memory/196-128-0x0000000000BA0000-0x0000000000C42000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
4680	8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.tmp
628	bcodecpack32_64.exe
196	bcodecpack32_64.exe

Loads dropped DLL 1 IoCs

pid	Process
4680	8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4680	8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 4680	3652	8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.exe	73
PID 3652 wrote to memory of 4680	3652	8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.exe	73
PID 3652 wrote to memory of 4680	3652	8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.exe	73
PID 4680 wrote to memory of 628	4680	8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.tmp	74
PID 4680 wrote to memory of 628	4680	8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.tmp	74
PID 4680 wrote to memory of 628	4680	8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.tmp	74
PID 4680 wrote to memory of 196	4680	8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.tmp	75
PID 4680 wrote to memory of 196	4680	8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.tmp	75
PID 4680 wrote to memory of 196	4680	8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.tmp	75

C:\Users\Admin\AppData\Local\Temp\8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.exe
"C:\Users\Admin\AppData\Local\Temp\8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Local\Temp\is-B76S7.tmp\8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-B76S7.tmp\8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.tmp" /SL5="$50206,5261233,54272,C:\Users\Admin\AppData\Local\Temp\8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Users\Admin\AppData\Local\B-Codec Pack\bcodecpack32_64.exe
    "C:\Users\Admin\AppData\Local\B-Codec Pack\bcodecpack32_64.exe" -i
    3⤵
    - Executes dropped EXE
    PID:628
- - C:\Users\Admin\AppData\Local\B-Codec Pack\bcodecpack32_64.exe
    "C:\Users\Admin\AppData\Local\B-Codec Pack\bcodecpack32_64.exe" -s
    3⤵
    - Executes dropped EXE
    PID:196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\B-Codec Pack\bcodecpack32_64.exe

Filesize
4.2MB

MD5
acedc0b8c1b6f4b12c1dad88f546ea2d

SHA1
34025e7b65240b001c2d98c3cc3c1a6636b6f50c

SHA256
cac083bd48fc0a6ff2b4e4873f74986d3ab528f48a04f55a13c224683fc3f029

SHA512
773c6c0f765d7909a483f50d0cbf283b9cbc0808de45026d774022bd7db30a15b0cf1b7a2655ba6dee67094b54add0b6400c52e42a15280c3fc86c6e5b32057d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B76S7.tmp\8fd56f4e394e2cca93d705c02285b74df15dba96eaf59a91c8b43dc54a4a3938.tmp

Filesize
680KB

MD5
703cb502b5a6891f932893a9d0edd765

SHA1
8ef3ee42ebd103f69bf90a4b009534ee4e7146a6

SHA256
01f146817990f83f18ed7224653b85f36de1fdfc63cb438ec0e6b97dbbc83185

SHA512
ce867e24aa19360982f92d2ed39cabb4ef862af6d197b8066c16e3aebb5b3471806382572e2c33bf3b922b6cca84d2a1575582847d11debbae7062b396ce3102

Download Submit
\Users\Admin\AppData\Local\Temp\is-7RV3D.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/196-107-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-92-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-128-0x0000000000BA0000-0x0000000000C42000-memory.dmp

Filesize
648KB

Download
memory/196-127-0x0000000000BA0000-0x0000000000C42000-memory.dmp

Filesize
648KB

Download
memory/196-126-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-123-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-67-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-120-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-117-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-70-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-73-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-76-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-79-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-82-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-114-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-104-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-111-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-95-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-98-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-101-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-87-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/196-85-0x0000000000BA0000-0x0000000000C42000-memory.dmp

Filesize
648KB

Download
memory/628-64-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/628-61-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/628-60-0x0000000000400000-0x0000000000829000-memory.dmp

Filesize
4.2MB

Download
memory/3652-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3652-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3652-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4680-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4680-69-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing