socks5systemz | 5ee907cd468e9d572557e7b8326cd1c577edb733117fa47949fde2989d32144f

General

Target

install.exe
Size

3.4MB
MD5

7a2ac5711382c571a1adc3f296cf10dd
SHA1

101ea008e9556045ca374e7304680e164bcbeda8
SHA256

5ee907cd468e9d572557e7b8326cd1c577edb733117fa47949fde2989d32144f
SHA512

7d7a710b66dc015428e230182761094aa16cd5e48f459aa6e1a64bcdefbbcf5a37118a04bd79ba81f97b69ec8d0c75c9ba5cf8ed2cbae7389fdfb02dd28907a6
SSDEEP

98304:8heNC4sw6mh6TRKVilQsf4f6IBgCnKQJLCnYPNY:zNCvihGRKVilV4CGnKiOnYO

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2344-75-0x0000000000900000-0x00000000009A2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
4996	install.tmp
2344	ceastream32.exe

Loads dropped DLL 1 IoCs

pid	Process
4996	install.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ceastream32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4996	2428	install.exe	75
PID 2428 wrote to memory of 4996	2428	install.exe	75
PID 2428 wrote to memory of 4996	2428	install.exe	75
PID 4996 wrote to memory of 2344	4996	install.tmp	76
PID 4996 wrote to memory of 2344	4996	install.tmp	76
PID 4996 wrote to memory of 2344	4996	install.tmp	76

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\is-H3T7P.tmp\install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-H3T7P.tmp\install.tmp" /SL5="$501FC,3332875,54272,C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Local\CEA Stream\ceastream32.exe
    "C:\Users\Admin\AppData\Local\CEA Stream\ceastream32.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CEA Stream\ceastream32.exe

Filesize
2.3MB

MD5
c047ad4d8c572b294e72cbf3d227035e

SHA1
04bed7e9ab63e29744885ab1f030a49ec6bfd447

SHA256
0ff018b80cdb7529e03a73ba9940248728341f81aabd6ca7ca23c0a8f8fe4c43

SHA512
34341c93ed698c0e55183a979c772d4aa8fd32fb2671de10d50a7e8855b3a9aa2b953071e16ae05538e13a4f6f268623d02d4e3266152b76a2063b6cac22ae1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H3T7P.tmp\install.tmp

Filesize
680KB

MD5
fcb9a039e355dca5927a620396662e9d

SHA1
ebd8951e470635332cbf43afaf277e6eeaa1aaaf

SHA256
7e94a78d2279d7b9760b5c720c4cab64cfe4384ec6ea6f4e39e1a65609890976

SHA512
653b0fe17c4074a3c5e8058873b4a2ce7dcb2738f6f2e28dd00ca089214a8554b3782a1f152288cef96dd4027bf31b1d5672a906ccc21e4ceae14a43fa4d020d

Download Submit
\Users\Admin\AppData\Local\Temp\is-TMHAV.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2344-65-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-87-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-103-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-52-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-53-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-100-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-96-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-59-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-62-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-93-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-68-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-71-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-74-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-75-0x0000000000900000-0x00000000009A2000-memory.dmp

Filesize
648KB

Download
memory/2344-81-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-84-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2344-90-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2428-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2428-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2428-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4996-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4996-55-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing