socks5systemz | 1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90

General

Target

1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe
Size

6.5MB
MD5

a5658b9be5f63bc06ed873a224a1dbd2
SHA1

be4250ccfd624b1891f81a762ae1e5344967f6f8
SHA256

1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90
SHA512

7a95a6dcc0e4daf5ede215ffd422aadbc39a6380367441a57c0cd202834ee1ab17fadb6147b6174a70358dc86e78901526fec52254cc8ab43b20edc578551e09
SSDEEP

98304:Si/kncfKYpJis3cRxbK5bXboIxomjHBVBDJravjH5o+ueMz4ED9KgWKVy36hko:X/ccXJ5cHAAIeWHZD0jiz4ElVyKh5

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1140-97-0x0000000002B40000-0x0000000002BE2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2792	is-4TTQF.tmp
2308	mp3cdripperbeta32_64.exe
1140	mp3cdripperbeta32_64.exe

Loads dropped DLL 10 IoCs

pid	Process
2596	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe
2792	is-4TTQF.tmp
2792	is-4TTQF.tmp
2792	is-4TTQF.tmp
2792	is-4TTQF.tmp
2308	mp3cdripperbeta32_64.exe
2308	mp3cdripperbeta32_64.exe
2792	is-4TTQF.tmp
1140	mp3cdripperbeta32_64.exe
1140	mp3cdripperbeta32_64.exe

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-4TTQF.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mp3cdripperbeta32_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mp3cdripperbeta32_64.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2792	2596	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe	30
PID 2596 wrote to memory of 2792	2596	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe	30
PID 2596 wrote to memory of 2792	2596	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe	30
PID 2596 wrote to memory of 2792	2596	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe	30
PID 2596 wrote to memory of 2792	2596	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe	30
PID 2596 wrote to memory of 2792	2596	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe	30
PID 2596 wrote to memory of 2792	2596	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe	30
PID 2792 wrote to memory of 2308	2792	is-4TTQF.tmp	31
PID 2792 wrote to memory of 2308	2792	is-4TTQF.tmp	31
PID 2792 wrote to memory of 2308	2792	is-4TTQF.tmp	31
PID 2792 wrote to memory of 2308	2792	is-4TTQF.tmp	31
PID 2792 wrote to memory of 2308	2792	is-4TTQF.tmp	31
PID 2792 wrote to memory of 2308	2792	is-4TTQF.tmp	31
PID 2792 wrote to memory of 2308	2792	is-4TTQF.tmp	31
PID 2792 wrote to memory of 1140	2792	is-4TTQF.tmp	32
PID 2792 wrote to memory of 1140	2792	is-4TTQF.tmp	32
PID 2792 wrote to memory of 1140	2792	is-4TTQF.tmp	32
PID 2792 wrote to memory of 1140	2792	is-4TTQF.tmp	32
PID 2792 wrote to memory of 1140	2792	is-4TTQF.tmp	32
PID 2792 wrote to memory of 1140	2792	is-4TTQF.tmp	32
PID 2792 wrote to memory of 1140	2792	is-4TTQF.tmp	32

C:\Users\Admin\AppData\Local\Temp\1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe
"C:\Users\Admin\AppData\Local\Temp\1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\is-K23ET.tmp\is-4TTQF.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-K23ET.tmp\is-4TTQF.tmp" /SL4 $30146 "C:\Users\Admin\AppData\Local\Temp\1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe" 6547505 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe
    "C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe" -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2308
- - C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe
    "C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe" -s
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe

Filesize
2.8MB

MD5
9d42c34f78adbff280d7c3a070504e0b

SHA1
8410e7bd3a4d74f6da8e8bad054774c659a3529e

SHA256
7e386dfa171a09b30f962de7d71526fe6ebcc5387a7fb900960c2f0d5d936540

SHA512
12da6575b9ebf6c2f0bb07b7909998b98453ac228fd343546411a9124cb1c19d4778536c90949e231ad5e71f33bce8ef5686cfcd5969fbe7d843b80fbd4a3d51

Download Submit
\Users\Admin\AppData\Local\Temp\is-4PGR4.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-4PGR4.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-K23ET.tmp\is-4TTQF.tmp

Filesize
642KB

MD5
6580f6f26daf83c5e4d3e3b28e2f70f6

SHA1
5bc35126a341e038b96923db25c3f5424a631c5e

SHA256
e241bd09fc67344895f45de4fb9f147d618a8a5bcec360c83882675e75ebd672

SHA512
8f042bbbaec8f0a7cb31cfa44ed0e3d72100e3f3473f442e06ffc7f90322da4cb54979ba51365033cba927b801225d339e64b3b31c3b57483b76bd006908dd36

Download Submit
memory/1140-112-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-118-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-140-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-137-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-134-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-131-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-127-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-75-0x0000000000B20000-0x0000000000DFD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-74-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-124-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-121-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-79-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-82-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-83-0x0000000000B20000-0x0000000000DFD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-84-0x0000000000B20000-0x0000000000DFD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-87-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-90-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-93-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-96-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-97-0x0000000002B40000-0x0000000002BE2000-memory.dmp

Filesize
648KB

Download
memory/1140-103-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-106-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-109-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1140-115-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/2308-69-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/2308-66-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/2308-64-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/2308-65-0x0000000000D00000-0x0000000000FDD000-memory.dmp

Filesize
2.9MB

Download
memory/2596-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2596-77-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2792-78-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2792-63-0x00000000040E0000-0x00000000043BD000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing