Analysis

  • max time kernel
    141s
  • max time network
    141s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win11-20240802-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    03/08/2024, 09:28

General

  • Target

    46e9c880dbe01f9535de75eb471bb8cae457535b41281c137fd6f6f6d26443c4.exe

  • Size

    4.1MB

  • MD5

    c7f15dec0ce20297917dd32d93a9475e

  • SHA1

    0b85b3184dcdde9bf85bae96559d333c31a9b23c

  • SHA256

    46e9c880dbe01f9535de75eb471bb8cae457535b41281c137fd6f6f6d26443c4

  • SHA512

    51d8c09882f32341949907a3abce5390d8b3c94a58111e1b6baa6bbdc51b18c517ab01d4ed11e5780dd5851720ed2690fadf7c783017ffa4c4bd770c194424f3

  • SSDEEP

    98304:NqBx45myShWu09Cu0BT2frM2O48iL6V73V4RC+QIiGPWLH474X63w0Ido:xrSW7UT2fUTVzRzbLH474XUw0Iy

Malware Config

Signatures

  • Detect Socks5Systemz Payload 3 IoCs
  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46e9c880dbe01f9535de75eb471bb8cae457535b41281c137fd6f6f6d26443c4.exe
    "C:\Users\Admin\AppData\Local\Temp\46e9c880dbe01f9535de75eb471bb8cae457535b41281c137fd6f6f6d26443c4.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Users\Admin\AppData\Local\Temp\is-54PRH.tmp\46e9c880dbe01f9535de75eb471bb8cae457535b41281c137fd6f6f6d26443c4.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-54PRH.tmp\46e9c880dbe01f9535de75eb471bb8cae457535b41281c137fd6f6f6d26443c4.tmp" /SL5="$6017A,4044185,54272,C:\Users\Admin\AppData\Local\Temp\46e9c880dbe01f9535de75eb471bb8cae457535b41281c137fd6f6f6d26443c4.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3244
      • C:\Users\Admin\AppData\Local\Jeengle\jeengle.exe
        "C:\Users\Admin\AppData\Local\Jeengle\jeengle.exe" -i
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3468
      • C:\Users\Admin\AppData\Local\Jeengle\jeengle.exe
        "C:\Users\Admin\AppData\Local\Jeengle\jeengle.exe" -s
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3936

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Jeengle\jeengle.exe

          Filesize

          4.3MB

          MD5

          7dae4040a16107cb651c6325430f3e54

          SHA1

          7b131ebb014c47ae8bf77cebc070db6d5448a796

          SHA256

          beff90ff30c419996f07f81a352ef387b16965ea68e27cf37c16503b9cee26de

          SHA512

          6b577a1b86c91f122e90a3dcac0081bf8b2821eb4fd0212cc6408b76b173e9a133a46d5f6bd93875e8a23a584a3609842516bbddcca84c2db868316b64431857

        • C:\Users\Admin\AppData\Local\Temp\is-54PRH.tmp\46e9c880dbe01f9535de75eb471bb8cae457535b41281c137fd6f6f6d26443c4.tmp

          Filesize

          692KB

          MD5

          f2401276f4e0f70c3aa6106d682479c5

          SHA1

          65bc28f6da79ad6c101b63efd11fa1660d944fb8

          SHA256

          b739f981bcb90a93b3f5bed7d9d9b2a816b9917dd24a4e612930383514bb4c8b

          SHA512

          0bce116b84c04fdd7c083e4275bbca41ceb8a453c54a09748d620e87b3d168076920b2c1c87f5b1d3c92b53a6b827c44ddaf5a532aafd0d421675c7bda5cacc9

        • C:\Users\Admin\AppData\Local\Temp\is-HRM6O.tmp\_isetup\_iscrypt.dll

          Filesize

          2KB

          MD5

          a69559718ab506675e907fe49deb71e9

          SHA1

          bc8f404ffdb1960b50c12ff9413c893b56f2e36f

          SHA256

          2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

          SHA512

          e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

        • memory/3244-10-0x0000000000400000-0x00000000004BD000-memory.dmp

          Filesize

          756KB

        • memory/3244-62-0x0000000000400000-0x00000000004BD000-memory.dmp

          Filesize

          756KB

        • memory/3280-61-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/3280-2-0x0000000000401000-0x000000000040B000-memory.dmp

          Filesize

          40KB

        • memory/3280-1-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/3468-52-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3468-54-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3468-55-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3468-56-0x0000000000400000-0x0000000000480000-memory.dmp

          Filesize

          512KB

        • memory/3936-67-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-80-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-63-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-66-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-60-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-70-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-73-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-76-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-79-0x0000000000B80000-0x0000000000C22000-memory.dmp

          Filesize

          648KB

        • memory/3936-59-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-86-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-89-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-92-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-95-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-98-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-101-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-102-0x0000000000B80000-0x0000000000C22000-memory.dmp

          Filesize

          648KB

        • memory/3936-103-0x0000000000B80000-0x0000000000C22000-memory.dmp

          Filesize

          648KB

        • memory/3936-107-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB

        • memory/3936-110-0x0000000000400000-0x0000000000849000-memory.dmp

          Filesize

          4.3MB