Analysis
max time kernel: 141s
max time network: 126s
platform: windows11-21h2_x64
resource: win11-20240729-en
resource tags: arch:x64, arch:x86, image:win11-20240729-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/08/2024, 10:20
Static task: static1
Behavioral task: behavioral1
Sample: 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.exe
Resource: win10v2004-20240730-en
Behavioral task: behavioral2
Sample: 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.exe
Resource: win11-20240729-en
General
Target: 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.exe
Size: 4.0MB
MD5: 8a2da55b1183ba0cdb5b86aa6108f974
SHA1: a6fc4b26d00f91440b1369dd2d7137224383b243
SHA256: 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d
SHA512: eeffb0b87ded3d0d3ae776bb0683f6bf860b94cf3d85b2b9c1417cf990fc7ad1bda9cef844bca8e607e0109f344100304f0e870fa51602e36696cf003fe83316
SSDEEP: 98304:NW6OIIU3/3AtTUBoxwsx5DQLKox4PZSmaEDjizt+qWnmjfYWXohdi:c6OrKAtTgotxR0Kox4x6E3irWmjfYwSk
Malware Config
Signatures
Detect Socks5Systemz Payload (1 IoC)
resource: behavioral2/memory/232-79-0x0000000000B70000-0x0000000000C12000-memory.dmp
yara_rule: family_socks5systemz
Socks5Systemz
Socks5Systemz is a botnet written in C++.
Executes dropped EXE (3 IoCs)
pid 3452: 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp
pid 3636: ac3filter.exe
pid 232: ac3filter.exe
Loads dropped DLL (1 IoC)
pid 3452: 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp
Unexpected DNS network traffic destination (1 IoC)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Destination IP: 45.155.250.90
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ac3filter.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ac3filter.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 3452: 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp
pid 3452: 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp
Suspicious use of FindShellTrayWindow (1 IoC)
pid 3452: 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp
Suspicious use of WriteProcessMemory (9 IoCs)
PID 488 wrote to memory of 3452 (pid 488, 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.exe, procid_target 82)
PID 488 wrote to memory of 3452 (pid 488, 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.exe, procid_target 82)
PID 488 wrote to memory of 3452 (pid 488, 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.exe, procid_target 82)
PID 3452 wrote to memory of 3636 (pid 3452, 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp, procid_target 83)
PID 3452 wrote to memory of 3636 (pid 3452, 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp, procid_target 83)
PID 3452 wrote to memory of 3636 (pid 3452, 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp, procid_target 83)
PID 3452 wrote to memory of 232 (pid 3452, 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp, procid_target 84)
PID 3452 wrote to memory of 232 (pid 3452, 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp, procid_target 84)
PID 3452 wrote to memory of 232 (pid 3452, 72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp, procid_target 84)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 488
  [2] C:\Users\Admin\AppData\Local\Temp\is-JPLU5.tmp\72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-JPLU5.tmp\72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp" /SL5="$502A6,3947907,54272,C:\Users\Admin\AppData\Local\Temp\72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 3452
    [3] C:\Users\Admin\AppData\Local\AC3Filter\ac3filter.exe
        Command line: "C:\Users\Admin\AppData\Local\AC3Filter\ac3filter.exe" -i
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 3636
    [3] C:\Users\Admin\AppData\Local\AC3Filter\ac3filter.exe
        Command line: "C:\Users\Admin\AppData\Local\AC3Filter\ac3filter.exe" -s
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 232
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4.4MB
MD5: 904a8cc14f2c82e8672cd82990fbfa71
SHA1: 111e9fbbb2ef0a56b59df698727c48fc054efb82
SHA256: f066a0888bc5ad3b8c91cdbc16ebd5046327149b8baa735226b118d9be0b32b5
SHA512: 1f7d8484df0cfa8e7ee887398df81e5d1bc92f029330c1ba34fd29f2e6d6c0a33a3133f436ad303442c33320d2ed1eb76157a9d37795451fd238396cc38c4645

Filesize: 2KB
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-JPLU5.tmp\72a85d7d7a3d2e53d28457ca00e99625c0070e8c0c6869d0c6db5e9776381d2d.tmp
Filesize: 692KB
MD5: b26f241a82d0fe33b717d9b11f784b6f
SHA1: f21b6bb700e33fda7413fd383f200b99af7af5d0
SHA256: 56e6db8c3a0ce885cf731ce797c34e4a4d04380e23ad0fc1f77676b2f8dfa3ce
SHA512: d35f972621f853c0b0650c6b3240a2632a564bdd05215010c40cae7092d1407d557dc32a65359acd843d1c64ba635ae273d764d26fa6948623be40834425379a