Malware Analysis Report

2025-08-11 07:23

Sample ID 240802-q7wgsaxcnq
Target 0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca
SHA256 0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca
Tags socks5systemz, botnet, discovery
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca

Threat Level: Known bad

The file 0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Socks5Systemz

Detect Socks5Systemz Payload

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Checks installed software on the system

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-02 13:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-02 13:54
Reported 2024-08-02 13:57
Platform win10v2004-20240730-en
Max time kernel 142s
Max time network 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4640 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp
PID 4640 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp
PID 4640 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp
PID 888 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe
PID 888 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe
PID 888 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe
PID 888 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe
PID 888 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe
PID 888 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe

"C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe"

C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp" /SL5="$A0070,3868084,54272,C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe"

C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe

"C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe" -i

C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe

"C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe" -s

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 40.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
HK 141.98.234.31:53 burcjuw.com udp
US 8.8.8.8:53 31.234.98.141.in-addr.arpa udp
CH 185.196.8.214:80 burcjuw.com tcp
NL 89.105.201.183:2023 N/A tcp
US 8.8.8.8:53 183.201.105.89.in-addr.arpa udp
US 8.8.8.8:53 214.8.196.185.in-addr.arpa udp

Files

memory/4640-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4640-2-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-2O83E.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp

MD5 5ebe11e6392fab730e54dcb5c25aa498
SHA1 77d0199f1952ba98dc140c568ed0961dec98e77a
SHA256 dca15a70be4ddce976a38be4a643336de4a55a4156c33726da14d1108393171f
SHA512 0d81221530d7fa78a59abcb43784f1be39102da72d320ce97c6f56416d5f41bcf902f7bb2df93278d51125caaf6336cf8bd2dbfd9cdf9cb973e4d13c148d82e4

memory/888-16-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VH8IL.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe

MD5 cb679e0b550b3fdd8e510047e254a661
SHA1 d5625c912195642f80851fad83aa9b883ecafd5c
SHA256 5cfd9ac97432cb1bb64803749f842ecc421b8114125672a64c0d91f2943d82e0
SHA512 bf6345aa08e8e19dddd6b56d4c498f4337284537a4d18c54f105ae34716d6e5f1167288111a240d7c2e7f22d3b9aba5d861ce0e9806666f1f2660381a79693d5

memory/824-52-0x0000000000400000-0x000000000085D000-memory.dmp

memory/824-53-0x0000000000400000-0x000000000085D000-memory.dmp

memory/824-56-0x0000000000400000-0x000000000085D000-memory.dmp

memory/824-57-0x0000000000400000-0x000000000085D000-memory.dmp

memory/4640-60-0x0000000000400000-0x0000000000414000-memory.dmp

memory/888-61-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1000-62-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-65-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-68-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-71-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-74-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-77-0x0000000000AD0000-0x0000000000B72000-memory.dmp

memory/1000-81-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-84-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-87-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-90-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-93-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-96-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-99-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-100-0x0000000000AD0000-0x0000000000B72000-memory.dmp

memory/1000-101-0x0000000000AD0000-0x0000000000B72000-memory.dmp

memory/1000-105-0x0000000000400000-0x000000000085D000-memory.dmp

memory/1000-108-0x0000000000400000-0x000000000085D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-02 13:54
Reported 2024-08-02 13:57
Platform win11-20240730-en
Max time kernel 147s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3692 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp
PID 3692 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp
PID 3692 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp
PID 4212 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe
PID 4212 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe
PID 4212 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe
PID 4212 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe
PID 4212 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe
PID 4212 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe

"C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe"

C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp" /SL5="$C0206,3868084,54272,C:\Users\Admin\AppData\Local\Temp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.exe"

C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe

"C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe" -i

C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe

"C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe" -s

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
HK 141.98.234.31:53 dilguil.info udp
CH 185.196.8.214:80 dilguil.info tcp
NL 89.105.201.183:2023 N/A tcp

Files

memory/3692-1-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3692-2-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BL65L.tmp\0b4c8d5b4c4506c0c43d974ca5ccb59942db38a629342e650d7e3f89d1ea9dca.tmp

MD5 5ebe11e6392fab730e54dcb5c25aa498
SHA1 77d0199f1952ba98dc140c568ed0961dec98e77a
SHA256 dca15a70be4ddce976a38be4a643336de4a55a4156c33726da14d1108393171f
SHA512 0d81221530d7fa78a59abcb43784f1be39102da72d320ce97c6f56416d5f41bcf902f7bb2df93278d51125caaf6336cf8bd2dbfd9cdf9cb973e4d13c148d82e4

memory/4212-10-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-95QD2.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32.exe

MD5 cb679e0b550b3fdd8e510047e254a661
SHA1 d5625c912195642f80851fad83aa9b883ecafd5c
SHA256 5cfd9ac97432cb1bb64803749f842ecc421b8114125672a64c0d91f2943d82e0
SHA512 bf6345aa08e8e19dddd6b56d4c498f4337284537a4d18c54f105ae34716d6e5f1167288111a240d7c2e7f22d3b9aba5d861ce0e9806666f1f2660381a79693d5

memory/2532-52-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2532-56-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2532-54-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-59-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-60-0x0000000000400000-0x000000000085D000-memory.dmp

memory/3692-61-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4212-62-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2268-63-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-65-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-67-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-70-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-73-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-76-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-77-0x0000000000B70000-0x0000000000C12000-memory.dmp

memory/2268-81-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-87-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-90-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-93-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-96-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-99-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-102-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-103-0x0000000000B70000-0x0000000000C12000-memory.dmp

memory/2268-104-0x0000000000B70000-0x0000000000C12000-memory.dmp

memory/2268-108-0x0000000000400000-0x000000000085D000-memory.dmp

memory/2268-111-0x0000000000400000-0x000000000085D000-memory.dmp