socks5systemz | 2046d240ddf0aeca0d9e9bd3346807bd5209397877f273fae9cf6e4bbb34a560

General

Target

a25de2538bd5a59746da0afe352adb20N.exe
Size

5.0MB
MD5

a25de2538bd5a59746da0afe352adb20
SHA1

f48d92b78877470d6470c42a101a367bbe235794
SHA256

2046d240ddf0aeca0d9e9bd3346807bd5209397877f273fae9cf6e4bbb34a560
SHA512

23ac1c2c88ef186b97953e3a3751d4b7b93e29479b611016ab24c6857ca9ea94b3577a93f7cbaceda857f44936d0bc8c88240c81241d0666763d567148bfedf3
SSDEEP

98304:CJVvuD4V1Z9ahCdSBHjYVLLVoC2eGzPreJFwEUHNJEi6S47vYZdPsQxi/:eAgrahC4WVAJzqJFmfEinMvYHkQq

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2972-93-0x00000000026C0000-0x0000000002762000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

a25de2538bd5a59746da0afe352adb20N.tmpcleopatra32.execleopatra32.exe

pid process

2780 a25de2538bd5a59746da0afe352adb20N.tmp
2148 cleopatra32.exe
2972 cleopatra32.exe

pid	process
2780	a25de2538bd5a59746da0afe352adb20N.tmp
2148	cleopatra32.exe
2972	cleopatra32.exe

Loads dropped DLL 5 IoCs

Processes:

a25de2538bd5a59746da0afe352adb20N.exea25de2538bd5a59746da0afe352adb20N.tmp

pid	process
2704	a25de2538bd5a59746da0afe352adb20N.exe
2780	a25de2538bd5a59746da0afe352adb20N.tmp
2780	a25de2538bd5a59746da0afe352adb20N.tmp
2780	a25de2538bd5a59746da0afe352adb20N.tmp
2780	a25de2538bd5a59746da0afe352adb20N.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a25de2538bd5a59746da0afe352adb20N.exea25de2538bd5a59746da0afe352adb20N.tmpcleopatra32.execleopatra32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a25de2538bd5a59746da0afe352adb20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a25de2538bd5a59746da0afe352adb20N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cleopatra32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cleopatra32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

a25de2538bd5a59746da0afe352adb20N.tmp

pid process

2780 a25de2538bd5a59746da0afe352adb20N.tmp

pid	process
2780	a25de2538bd5a59746da0afe352adb20N.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a25de2538bd5a59746da0afe352adb20N.exea25de2538bd5a59746da0afe352adb20N.tmp

description	pid	process	target process
PID 2704 wrote to memory of 2780	2704	a25de2538bd5a59746da0afe352adb20N.exe	a25de2538bd5a59746da0afe352adb20N.tmp
PID 2704 wrote to memory of 2780	2704	a25de2538bd5a59746da0afe352adb20N.exe	a25de2538bd5a59746da0afe352adb20N.tmp
PID 2704 wrote to memory of 2780	2704	a25de2538bd5a59746da0afe352adb20N.exe	a25de2538bd5a59746da0afe352adb20N.tmp
PID 2704 wrote to memory of 2780	2704	a25de2538bd5a59746da0afe352adb20N.exe	a25de2538bd5a59746da0afe352adb20N.tmp
PID 2704 wrote to memory of 2780	2704	a25de2538bd5a59746da0afe352adb20N.exe	a25de2538bd5a59746da0afe352adb20N.tmp
PID 2704 wrote to memory of 2780	2704	a25de2538bd5a59746da0afe352adb20N.exe	a25de2538bd5a59746da0afe352adb20N.tmp
PID 2704 wrote to memory of 2780	2704	a25de2538bd5a59746da0afe352adb20N.exe	a25de2538bd5a59746da0afe352adb20N.tmp
PID 2780 wrote to memory of 2148	2780	a25de2538bd5a59746da0afe352adb20N.tmp	cleopatra32.exe
PID 2780 wrote to memory of 2148	2780	a25de2538bd5a59746da0afe352adb20N.tmp	cleopatra32.exe
PID 2780 wrote to memory of 2148	2780	a25de2538bd5a59746da0afe352adb20N.tmp	cleopatra32.exe
PID 2780 wrote to memory of 2148	2780	a25de2538bd5a59746da0afe352adb20N.tmp	cleopatra32.exe
PID 2780 wrote to memory of 2972	2780	a25de2538bd5a59746da0afe352adb20N.tmp	cleopatra32.exe
PID 2780 wrote to memory of 2972	2780	a25de2538bd5a59746da0afe352adb20N.tmp	cleopatra32.exe
PID 2780 wrote to memory of 2972	2780	a25de2538bd5a59746da0afe352adb20N.tmp	cleopatra32.exe
PID 2780 wrote to memory of 2972	2780	a25de2538bd5a59746da0afe352adb20N.tmp	cleopatra32.exe

C:\Users\Admin\AppData\Local\Temp\a25de2538bd5a59746da0afe352adb20N.exe
"C:\Users\Admin\AppData\Local\Temp\a25de2538bd5a59746da0afe352adb20N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\is-3A4N8.tmp\a25de2538bd5a59746da0afe352adb20N.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3A4N8.tmp\a25de2538bd5a59746da0afe352adb20N.tmp" /SL5="$50150,4972648,54272,C:\Users\Admin\AppData\Local\Temp\a25de2538bd5a59746da0afe352adb20N.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Cleopatra\cleopatra32.exe
"C:\Users\Admin\AppData\Local\Cleopatra\cleopatra32.exe" -i
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148

C:\Users\Admin\AppData\Local\Cleopatra\cleopatra32.exe
"C:\Users\Admin\AppData\Local\Cleopatra\cleopatra32.exe" -s
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Cleopatra\cleopatra32.exe

Filesize
3.5MB

MD5
dc930c982b4b5471dc491bd2352f770e

SHA1
7d8256a38747a79e8de6b1459c97e21fa54f7345

SHA256
20a2d6a274872d9ca8cd47a779356a93ccb11c15a70209df591ee73417cc1557

SHA512
acf238704e19c40d671f13443a81ee3a850e049ec43dd0f01c27d0a8777e478ffb7db184e9da19e1c371c768303fef68bfd45e75b34be4efdea4df0369843cfc

Download Submit
\Users\Admin\AppData\Local\Temp\is-3A4N8.tmp\a25de2538bd5a59746da0afe352adb20N.tmp

Filesize
680KB

MD5
9bef8ba411b0afc07e76da4d36ec15d6

SHA1
6bfc7b89330be138a9d7c3e05e20c21aa0e7ec36

SHA256
52172fcbdbdbc8a8c7bd85fce9cda0202b686b9f7d746d5324513c10d99afa79

SHA512
1cfed5014a589791240de8cd98584751dcd3b2de6c437ae2a79c0a73e13c501f64810526e4f2fdb5747d27d2afaf36e341f3c8a51631cc7271890148d4f34d04

Download Submit
\Users\Admin\AppData\Local\Temp\is-BS7PE.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-BS7PE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2148-65-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-70-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-66-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2704-74-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2704-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2704-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2780-77-0x0000000005EF0000-0x0000000006274000-memory.dmp

Filesize
3.5MB

Download
memory/2780-9-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2780-64-0x0000000005EF0000-0x0000000006274000-memory.dmp

Filesize
3.5MB

Download
memory/2780-75-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2972-80-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2972-76-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2972-72-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2972-83-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2972-86-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2972-89-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2972-92-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2972-93-0x00000000026C0000-0x0000000002762000-memory.dmp

Filesize
648KB

Download
memory/2972-99-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2972-102-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2972-105-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2972-108-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2972-111-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads