socks5systemz | 1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90

General

Target

1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe
Size

6.5MB
MD5

a5658b9be5f63bc06ed873a224a1dbd2
SHA1

be4250ccfd624b1891f81a762ae1e5344967f6f8
SHA256

1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90
SHA512

7a95a6dcc0e4daf5ede215ffd422aadbc39a6380367441a57c0cd202834ee1ab17fadb6147b6174a70358dc86e78901526fec52254cc8ab43b20edc578551e09
SSDEEP

98304:Si/kncfKYpJis3cRxbK5bXboIxomjHBVBDJravjH5o+ueMz4ED9KgWKVy36hko:X/ccXJ5cHAAIeWHZD0jiz4ElVyKh5

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3216-80-0x0000000000970000-0x0000000000A12000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
4420	is-83FC4.tmp
3408	mp3cdripperbeta32_64.exe
3216	mp3cdripperbeta32_64.exe

Loads dropped DLL 1 IoCs

pid	Process
4420	is-83FC4.tmp

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-83FC4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mp3cdripperbeta32_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mp3cdripperbeta32_64.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4420	5020	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe	71
PID 5020 wrote to memory of 4420	5020	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe	71
PID 5020 wrote to memory of 4420	5020	1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe	71
PID 4420 wrote to memory of 3408	4420	is-83FC4.tmp	72
PID 4420 wrote to memory of 3408	4420	is-83FC4.tmp	72
PID 4420 wrote to memory of 3408	4420	is-83FC4.tmp	72
PID 4420 wrote to memory of 3216	4420	is-83FC4.tmp	73
PID 4420 wrote to memory of 3216	4420	is-83FC4.tmp	73
PID 4420 wrote to memory of 3216	4420	is-83FC4.tmp	73

C:\Users\Admin\AppData\Local\Temp\1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe
"C:\Users\Admin\AppData\Local\Temp\1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\is-GUCDR.tmp\is-83FC4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GUCDR.tmp\is-83FC4.tmp" /SL4 $70208 "C:\Users\Admin\AppData\Local\Temp\1c17c076ebcedf83f7065086438d9452a571aae77332ac46b227481ddcd00a90.exe" 6547505 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe
    "C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3408
- - C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe
    "C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe" -s
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe

Filesize
2.8MB

MD5
9d42c34f78adbff280d7c3a070504e0b

SHA1
8410e7bd3a4d74f6da8e8bad054774c659a3529e

SHA256
7e386dfa171a09b30f962de7d71526fe6ebcc5387a7fb900960c2f0d5d936540

SHA512
12da6575b9ebf6c2f0bb07b7909998b98453ac228fd343546411a9124cb1c19d4778536c90949e231ad5e71f33bce8ef5686cfcd5969fbe7d843b80fbd4a3d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GUCDR.tmp\is-83FC4.tmp

Filesize
642KB

MD5
6580f6f26daf83c5e4d3e3b28e2f70f6

SHA1
5bc35126a341e038b96923db25c3f5424a631c5e

SHA256
e241bd09fc67344895f45de4fb9f147d618a8a5bcec360c83882675e75ebd672

SHA512
8f042bbbaec8f0a7cb31cfa44ed0e3d72100e3f3473f442e06ffc7f90322da4cb54979ba51365033cba927b801225d339e64b3b31c3b57483b76bd006908dd36

Download Submit
\Users\Admin\AppData\Local\Temp\is-PID82.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/3216-96-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-99-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-124-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-121-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-118-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-114-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-111-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-108-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-65-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-68-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-71-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-74-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-77-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-80-0x0000000000970000-0x0000000000A12000-memory.dmp

Filesize
648KB

Download
memory/3216-82-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-87-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-90-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-93-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-105-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3216-102-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3408-60-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3408-58-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3408-57-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/4420-12-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4420-64-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/5020-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5020-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5020-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing