Analysis
max time kernel: 142s
max time network: 142s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/08/2024, 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral2
  Sample: 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.exe
  Resource: win11-20240802-en
General
Target: 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.exe
Size: 3.8MB
MD5: 48a8503cdfc8bc40daa6a57b023daaa5
SHA1: b3e57e97d6846c21d14d0a8ff54d9c08fbd8fb33
SHA256: 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf
SHA512: 14d738a6b387cf06dee1c6cb0fcddba92ec7622ec2f460bb1cc2ea3da01b3e2201814c1eeba7fb310c0e47eae5cd1a42ed35c8d3a48e3caaa8231c6a3c2bcdc2
SSDEEP: 98304:Nd3olS2xU5S17ss/YvvKoPRkiBN429KIwTlPSGk8QbE3dK:j3Y2GNY/k2K/TlU8QA4
Malware Config
Signatures

Detect Socks5Systemz Payload (1 IoCs)
  resource: behavioral2/memory/2288-79-0x0000000000BA0000-0x0000000000C42000-memory.dmp
  yara_rule: family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.

Executes dropped EXE (3 IoCs)
  pid 4736: 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp
  pid 2020: ac3filter32_64.exe
  pid 2288: ac3filter32_64.exe

Loads dropped DLL (1 IoCs)
  pid 4736: 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp

Unexpected DNS network traffic destination (1 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP: 141.98.234.31

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language - 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language - 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language - ac3filter32_64.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language - ac3filter32_64.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4736: 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp
  pid 4736: 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 4736: 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4820 wrote to memory of 4736 - pid 4820, 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.exe, procid_target 81
  PID 4820 wrote to memory of 4736 - pid 4820, 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.exe, procid_target 81
  PID 4820 wrote to memory of 4736 - pid 4820, 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.exe, procid_target 81
  PID 4736 wrote to memory of 2020 - pid 4736, 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp, procid_target 82
  PID 4736 wrote to memory of 2020 - pid 4736, 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp, procid_target 82
  PID 4736 wrote to memory of 2020 - pid 4736, 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp, procid_target 82
  PID 4736 wrote to memory of 2288 - pid 4736, 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp, procid_target 83
  PID 4736 wrote to memory of 2288 - pid 4736, 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp, procid_target 83
  PID 4736 wrote to memory of 2288 - pid 4736, 09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp, procid_target 83
Processes

C:\Users\Admin\AppData\Local\Temp\09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4820

  C:\Users\Admin\AppData\Local\Temp\is-FNE8P.tmp\09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-FNE8P.tmp\09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp" /SL5="$802D0,3740494,54272,C:\Users\Admin\AppData\Local\Temp\09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 4736

    C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32_64.exe
      Command line: "C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32_64.exe" -i
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2020

    C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32_64.exe
      Command line: "C:\Users\Admin\AppData\Local\AC3Filter\ac3filter32_64.exe" -s
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2288
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.5MB
MD5: 1b6fc0635012a62a6e4f6516779adbc6
SHA1: 918ea639a97f8f7550e6c6194db32349b5de7e47
SHA256: 9694c12c072960399bb3ec9162f37398710aeda03e169972d6cd5166ecb71149
SHA512: 7c65d5133c6b5778014b10d8c3184f3c3331e9a358d66d4dd52b18b4f50ee81cdd1e27623c933ffb1ef636f02aa197b6cee3625e89727b5fb5150bdd4f8fbd86

Filesize: 2KB
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-FNE8P.tmp\09898f95032e451238e4936a95cc2b8797418478e558dd4bae1da566ba751bcf.tmp
Filesize: 692KB
MD5: 849bb5c3439284a175f581ec281ca92e
SHA1: 8bd0737eac1a74de4d62d66911ca7ed9f61cbc0f
SHA256: 33a8f60e50240aecdbedc45922032025376ecccc0c1acbd44c82f12985e82206
SHA512: ac7bd629b6ed2595c6af4ef0737d7d801c8c35ebb4638ec2c19569511157a1543a6fa91d1a15708810865ece1cfb27367480754a7debf716d322d1eb59c5f625