Analysis Overview
SHA256
171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5
Threat Level: Known bad
The file 171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.exe was found to be: Known bad.
Malicious Activity Summary
Socks5Systemz
Detect Socks5Systemz Payload
Loads dropped DLL
Unexpected DNS network traffic destination
Executes dropped EXE
Checks installed software on the system
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 12:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 12:37
Reported
2024-08-02 12:39
Platform
win7-20240705-en
Max time kernel
143s
Max time network
132s
Command Line
Signatures
Detect Socks5Systemz Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Socks5Systemz
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-B25IE.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe | N/A |
Loads dropped DLL
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 91.211.247.248 | N/A | N/A |
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-B25IE.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-B25IE.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-B25IE.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-B25IE.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.exe
"C:\Users\Admin\AppData\Local\Temp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.exe"
C:\Users\Admin\AppData\Local\Temp\is-B25IE.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B25IE.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp" /SL5="$301CE,3904543,54272,C:\Users\Admin\AppData\Local\Temp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.exe"
C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe
"C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe" -i
C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe
"C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe" -s
Network
| Country | Destination | Domain | Proto |
| LT | 91.211.247.248:53 | bgvnjmw.com | udp |
| CH | 185.196.8.214:80 | bgvnjmw.com | tcp |
| NL | 45.156.23.96:2023 | | tcp |
Files
memory/2204-0-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2204-2-0x0000000000401000-0x000000000040B000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-B25IE.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp
| MD5 | 1eb3e9399c5013c37a44cdf5a17ceaf6 |
| SHA1 | 1c3cd272348e09cea6d1da0a498c0fcbc2d5beac |
| SHA256 | 2b44cd29d7e79d1d559cd91eafb9a02510d2f56773af076fdbf5196168ed8522 |
| SHA512 | e3b93bd750db1cef9c2ca214ca79381539b415da661b8dd0f0a972b2b2f894093a310da7cb5db3c917dd5d94cac8a0e6de40608cb37b1c0e70a85c205c7651f6 |
memory/1852-11-0x0000000000400000-0x00000000004BD000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-RH2EI.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-RH2EI.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe
| MD5 | 1a76118efa2992dbaf89857615863843 |
| SHA1 | 43f8dba80a5cebf9572e7015d6c7360da684d96c |
| SHA256 | 0900c00864992f3b2d95527d0f7d80c9281466bf6a1f8dd54df39ecc024c1e6f |
| SHA512 | e5e051bb9d55502e244664ea06c7cba5f10c30e30955e6b218af6854bbd3fe25e3f529bf66b6baca6fcdf61bd7b598eaebd5f1a3abe6a57aa87922cb88cfa3d8 |
memory/1852-56-0x00000000040D0000-0x000000000451F000-memory.dmp
memory/2736-57-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2736-58-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2736-62-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-64-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2204-66-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1852-67-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2184-68-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-71-0x0000000000400000-0x000000000084F000-memory.dmp
memory/1852-72-0x00000000040D0000-0x000000000451F000-memory.dmp
memory/2184-75-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-78-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-81-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-84-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-85-0x0000000002570000-0x0000000002612000-memory.dmp
memory/2184-91-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-94-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-97-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-100-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-103-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-106-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-108-0x0000000002570000-0x0000000002612000-memory.dmp
memory/2184-107-0x0000000002570000-0x0000000002612000-memory.dmp
memory/2184-112-0x0000000000400000-0x000000000084F000-memory.dmp
memory/2184-115-0x0000000000400000-0x000000000084F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 12:37
Reported
2024-08-02 12:39
Platform
win10v2004-20240730-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detect Socks5Systemz Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Socks5Systemz
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-POGUA.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-POGUA.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 45.155.250.90 | N/A | N/A |
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-POGUA.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-POGUA.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-POGUA.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-POGUA.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.exe
"C:\Users\Admin\AppData\Local\Temp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.exe"
C:\Users\Admin\AppData\Local\Temp\is-POGUA.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-POGUA.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp" /SL5="$A0062,3904543,54272,C:\Users\Admin\AppData\Local\Temp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.exe"
C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe
"C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe" -i
C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe
"C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe" -s
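The process lists of behavioral1 and behavioral2 show the same three-stage chain: the submitted installer, an Inno Setup loader copy re-executed from %TEMP%\is-XXXXX.tmp\ with a /SL5 argument pointing back at the installer, and a binary installed under AppData\Local that is then launched once with -i and once with -s. The following detection is an added example, not part of the sandbox report or of any vendor rule set. It parses /SL5 by Inno Setup's convention (a window handle, two byte offsets into the original installer, then the installer's path), checks that the path names a process actually seen, and flags a dropped executable run with -i followed by -s. The sample events are constructed from behavioral2's Processes list; PIDs follow the memory-dump names in its Files section, and creation order is assumed because the report does not publish parent links.

```python
import re
from typing import Optional

# Inno Setup's loader stub copies itself to %TEMP%\is-XXXXX.tmp\<name>.tmp and re-launches
# that copy with /SL5="$<hwnd>,<offset0>,<offset1>,<original installer path>".
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')
INNO_TMP_RE = re.compile(r"\\Temp\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
# An .exe in a directory directly under AppData\Local other than Temp, which is where
# this sample installs midi2mp3converter32.exe.
DROPPED_EXE_RE = re.compile(r"\\AppData\\Local\\(?!Temp\\)[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def parse_sl5(cmdline: str) -> Optional[dict]:
    """Extract the /SL5 fields from an Inno Setup .tmp command line, or None if absent."""
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return {
        "hwnd": int(m.group(1), 16),
        "offset0": int(m.group(2)),
        "offset1": int(m.group(3)),
        "source": m.group(4),
    }


def cmdline_args(cmdline: str) -> list:
    """Drop the (possibly quoted, space-containing) image path and return the arguments."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        rest = cmdline.partition(" ")[2]
    return rest.split()


def find_inno_drop_chain(events: list) -> Optional[dict]:
    """Look for: installer -> Inno .tmp whose /SL5 names a seen image -> dropped EXE under
    AppData\\Local launched with -i and later with -s. Events are dicts with 'pid',
    'image' and 'cmdline', in creation order."""
    images = {e["image"].lower() for e in events}
    loader = None
    for e in events:
        if INNO_TMP_RE.search(e["image"]):
            sl5 = parse_sl5(e["cmdline"])
            if sl5 and sl5["source"].lower() in images:
                loader = (e, sl5)
                break
    if loader is None:
        return None
    runs = {}  # dropped image -> flags seen across all of its launches, in order
    for e in events:
        if DROPPED_EXE_RE.search(e["image"]):
            runs.setdefault(e["image"], []).extend(cmdline_args(e["cmdline"]))
    for image, flags in runs.items():
        if "-i" in flags and "-s" in flags and flags.index("-i") < flags.index("-s"):
            return {
                "installer": loader[1]["source"],
                "loader": loader[0]["image"],
                "offsets": (loader[1]["offset0"], loader[1]["offset1"]),
                "dropped": image,
                "flags": flags,
            }
    return None


# Constructed sample events mirroring behavioral2's Processes list. PIDs follow the
# memory-dump names in the Files section; creation order is assumed.
SFX = r"C:\Users\Admin\AppData\Local\Temp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp\is-POGUA.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp"
DROPPED = r"C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe"
SAMPLE_EVENTS = [
    {"pid": 3320, "image": SFX, "cmdline": f'"{SFX}"'},
    {"pid": 4284, "image": TMP, "cmdline": f'"{TMP}" /SL5="$A0062,3904543,54272,{SFX}"'},
    {"pid": 3988, "image": DROPPED, "cmdline": f'"{DROPPED}" -i'},
    {"pid": 5032, "image": DROPPED, "cmdline": f'"{DROPPED}" -s'},
]

if __name__ == "__main__":
    print(find_inno_drop_chain(SAMPLE_EVENTS))
```

The -i then -s requirement is what separates this from a benign Inno Setup install: plenty of legitimate installers produce the first two stages, and a per-machine allow-list of installer paths can be layered on top of `find_inno_drop_chain` before it is used as an alert.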
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| SE | 45.155.250.90:53 | ceoubya.net | udp |
| CH | 185.196.8.214:80 | ceoubya.net | tcp |
| US | 8.8.8.8:53 | 90.250.155.45.in-addr.arpa | udp |
| NL | 45.156.23.96:2023 | | tcp |
| US | 8.8.8.8:53 | 96.23.156.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.8.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
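The Network tables of behavioral1 and behavioral2 mix three kinds of rows: reverse (in-addr.arpa) lookups sent to the sandbox's resolver, a DNS query for a fresh domain sent to a host that is not a resolver at all (the "Unexpected DNS network traffic destination" signature), and TCP connections to the same two endpoints in both runs. The triage below is an added example, not part of the report: it parses rows in the table's own layout, rejecting a row whose columns have shifted rather than misreading it, separates resolver noise from the rogue-resolver query, ties the HTTP connection to the domain that query resolved, and pivots on the TCP endpoints shared across runs. It assumes 8.8.8.8 is the sandbox's configured resolver (inferred from the PTR lookups, not stated by the report) and treats any TCP port other than 80 and 443 as uncommon, which is a simplification. Both tables are embedded as constructed input.

```python
from typing import NamedTuple


class Conn(NamedTuple):
    country: str
    dest: str    # "ip:port"
    domain: str  # may be empty
    proto: str   # "udp" or "tcp"


def parse_network_table(text: str) -> list:
    """Parse rows in the '| Country | Destination | Domain | Proto |' layout used above.
    A row with the wrong number of cells raises, so a shifted column is caught, not misread."""
    rows = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "Country":
            continue
        if len(cells) != 4:
            raise ValueError(f"malformed row: {line!r}")
        rows.append(Conn(*cells))
    return rows


def triage(rows: list, expected_resolvers=frozenset({"8.8.8.8"})) -> dict:
    out = {"ptr_noise": set(), "unexpected_resolvers": set(), "rogue_resolved_domains": set(),
           "uncommon_ports": set(), "http_to_rogue_domain": set()}
    # Pass 1, DNS: reverse lookups to the expected resolver are tooling noise; a query on
    # UDP/53 to any other host is the unexpected-DNS-destination case from the signatures.
    for r in rows:
        ip, port = r.dest.rsplit(":", 1)
        if r.proto == "udp" and port == "53":
            if r.domain.endswith(".in-addr.arpa"):
                out["ptr_noise"].add(r.domain)
            elif ip not in expected_resolvers:
                out["unexpected_resolvers"].add(ip)
                if r.domain:
                    out["rogue_resolved_domains"].add(r.domain)
    # Pass 2, TCP: flag non-web ports, and web connections to a name the rogue resolver answered.
    for r in rows:
        ip, port = r.dest.rsplit(":", 1)
        if r.proto != "tcp":
            continue
        if port not in ("80", "443"):
            out["uncommon_ports"].add(r.dest)
        elif r.domain in out["rogue_resolved_domains"]:
            out["http_to_rogue_domain"].add(r.dest)
    return out


def shared_tcp_endpoints(a: list, b: list) -> set:
    """TCP destinations common to two runs: stable infrastructure behind rotating domains."""
    return {r.dest for r in a if r.proto == "tcp"} & {r.dest for r in b if r.proto == "tcp"}


# Constructed input: the two Network tables from this report, with the empty Domain cell kept.
BEHAVIORAL1 = """
| Country | Destination | Domain | Proto |
| LT | 91.211.247.248:53 | bgvnjmw.com | udp |
| CH | 185.196.8.214:80 | bgvnjmw.com | tcp |
| NL | 45.156.23.96:2023 | | tcp |
"""
BEHAVIORAL2 = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| SE | 45.155.250.90:53 | ceoubya.net | udp |
| CH | 185.196.8.214:80 | ceoubya.net | tcp |
| US | 8.8.8.8:53 | 90.250.155.45.in-addr.arpa | udp |
| NL | 45.156.23.96:2023 | | tcp |
| US | 8.8.8.8:53 | 96.23.156.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.8.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
"""

if __name__ == "__main__":
    run1, run2 = parse_network_table(BEHAVIORAL1), parse_network_table(BEHAVIORAL2)
    print(triage(run1))
    print(triage(run2))
    print(shared_tcp_endpoints(run1, run2))
```

The domain differs between the two detonations while 185.196.8.214:80 and 45.156.23.96:2023 do not, so `shared_tcp_endpoints` is the output worth blocking first; the rogue resolver IPs and the in-addr.arpa rows are weaker indicators on their own.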
Files
memory/3320-0-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3320-2-0x0000000000401000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-POGUA.tmp\171e930a212458e875dac9af2f01b9c080fc3147c7596870e543bc7c7fa6f8a5.tmp
| MD5 | 1eb3e9399c5013c37a44cdf5a17ceaf6 |
| SHA1 | 1c3cd272348e09cea6d1da0a498c0fcbc2d5beac |
| SHA256 | 2b44cd29d7e79d1d559cd91eafb9a02510d2f56773af076fdbf5196168ed8522 |
| SHA512 | e3b93bd750db1cef9c2ca214ca79381539b415da661b8dd0f0a972b2b2f894093a310da7cb5db3c917dd5d94cac8a0e6de40608cb37b1c0e70a85c205c7651f6 |
C:\Users\Admin\AppData\Local\Temp\is-J21CM.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/4284-16-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Direct MIDI to MP3 Converter\midi2mp3converter32.exe
| MD5 | 1a76118efa2992dbaf89857615863843 |
| SHA1 | 43f8dba80a5cebf9572e7015d6c7360da684d96c |
| SHA256 | 0900c00864992f3b2d95527d0f7d80c9281466bf6a1f8dd54df39ecc024c1e6f |
| SHA512 | e5e051bb9d55502e244664ea06c7cba5f10c30e30955e6b218af6854bbd3fe25e3f529bf66b6baca6fcdf61bd7b598eaebd5f1a3abe6a57aa87922cb88cfa3d8 |
memory/3988-52-0x0000000000400000-0x000000000084F000-memory.dmp
memory/3988-53-0x0000000000400000-0x000000000084F000-memory.dmp
memory/3988-56-0x0000000000400000-0x000000000084F000-memory.dmp
memory/3988-54-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-59-0x0000000000400000-0x000000000084F000-memory.dmp
memory/3320-60-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4284-61-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/5032-62-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-65-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-68-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-71-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-74-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-77-0x0000000000B90000-0x0000000000C32000-memory.dmp
memory/5032-81-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-84-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-87-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-90-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-93-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-96-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-99-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-100-0x0000000000B90000-0x0000000000C32000-memory.dmp
memory/5032-101-0x0000000000B90000-0x0000000000C32000-memory.dmp
memory/5032-105-0x0000000000400000-0x000000000084F000-memory.dmp
memory/5032-108-0x0000000000400000-0x000000000084F000-memory.dmp