socks5systemz | 3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b

General

Target

3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe
Size

6.7MB
MD5

45c5c737a738f01c4b08bbaa771fa02b
SHA1

067a9e35cdd45ff31536203ac7e98ca682f97e1c
SHA256

3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b
SHA512

3459b1f371d9cb1970251270e3285cbb7591b5e54ef489334ca0a122f24024507da99334d474081421d9810ed2b1acbc4a9d4ec2a657d82c4b6e3696890f537c
SSDEEP

98304:qiCQN7R5prsGljcxb+Fja/E05q/M/CUodfvI0CyLNjAY+iTWfkSZ9QwGvZ/u9dkD:/Ce75sGljcqjc5q/MxppZ6xvZ29di

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral1/memory/4408-84-0x00000000009F0000-0x0000000000A92000-memory.dmp	family_socks5systemz
behavioral1/memory/4408-108-0x00000000009F0000-0x0000000000A92000-memory.dmp	family_socks5systemz
behavioral1/memory/4408-109-0x00000000009F0000-0x0000000000A92000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
400	is-7RNCT.tmp
2964	mp3cdripperbeta32_64.exe
4408	mp3cdripperbeta32_64.exe

Loads dropped DLL 1 IoCs

pid	Process
400	is-7RNCT.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-7RNCT.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mp3cdripperbeta32_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mp3cdripperbeta32_64.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 400	2632	3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe	84
PID 2632 wrote to memory of 400	2632	3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe	84
PID 2632 wrote to memory of 400	2632	3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe	84
PID 400 wrote to memory of 2964	400	is-7RNCT.tmp	88
PID 400 wrote to memory of 2964	400	is-7RNCT.tmp	88
PID 400 wrote to memory of 2964	400	is-7RNCT.tmp	88
PID 400 wrote to memory of 4408	400	is-7RNCT.tmp	89
PID 400 wrote to memory of 4408	400	is-7RNCT.tmp	89
PID 400 wrote to memory of 4408	400	is-7RNCT.tmp	89

C:\Users\Admin\AppData\Local\Temp\3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe
"C:\Users\Admin\AppData\Local\Temp\3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\is-JUC98.tmp\is-7RNCT.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JUC98.tmp\is-7RNCT.tmp" /SL4 $602CE "C:\Users\Admin\AppData\Local\Temp\3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe" 6735210 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe
    "C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2964
- - C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe
    "C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe" -s
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe

Filesize
3.1MB

MD5
538be7e5b91d8e72f0b65d7f25340a18

SHA1
43b324d412c70dec1f4551552f66990c093351a6

SHA256
54e9c3657ec6435e94dfb9ffe9646c3f460254eee05cd9cd61cb15fdeb4b277c

SHA512
ef6b3c823994d3e1d063c4f8fa43fd395b84173f4e9e9f7b973b7af19cbba222798aaca330ca54941e80c655b36a341f12e44b620e6ba196f8f04e75d49fecbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JUC98.tmp\is-7RNCT.tmp

Filesize
642KB

MD5
6580f6f26daf83c5e4d3e3b28e2f70f6

SHA1
5bc35126a341e038b96923db25c3f5424a631c5e

SHA256
e241bd09fc67344895f45de4fb9f147d618a8a5bcec360c83882675e75ebd672

SHA512
8f042bbbaec8f0a7cb31cfa44ed0e3d72100e3f3473f442e06ffc7f90322da4cb54979ba51365033cba927b801225d339e64b3b31c3b57483b76bd006908dd36

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UTGK1.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/400-67-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/400-15-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2632-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2632-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-66-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-57-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/2964-58-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/2964-60-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/2964-61-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-72-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-87-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-68-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-71-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-64-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-75-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-78-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-81-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-84-0x00000000009F0000-0x0000000000A92000-memory.dmp

Filesize
648KB

Download
memory/4408-65-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-92-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-95-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-98-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-101-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-104-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-107-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-108-0x00000000009F0000-0x0000000000A92000-memory.dmp

Filesize
648KB

Download
memory/4408-109-0x00000000009F0000-0x0000000000A92000-memory.dmp

Filesize
648KB

Download
memory/4408-113-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4408-116-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing