socks5systemz | 033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763

General

Target

033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe
Size

2.7MB
MD5

9d638301c6a769cfc219502133716375
SHA1

468ed0ec527abaa3700341c911fed6ea09494ebd
SHA256

033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763
SHA512

be5f3d5e55369680a2c14ce7587c81e014b4af8b57d6c90fb70dcfb4e097da87c14801010f393f768978889c8f42a68bb882ac95e6bdb74a9777390fa8ff7dd9
SSDEEP

49152:C9Qz4VE+Y7rbEpPxZ0Qc9rXMzAb/xSGTvgR3AXijUrGPbQPeGSsOYR1wFn4:MQEVRbZ09r8zm/xhgR3AXijrEPL9R1x

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/3928-59-0x0000000000930000-0x00000000009D2000-memory.dmp	family_socks5systemz
behavioral2/memory/3928-82-0x0000000000930000-0x00000000009D2000-memory.dmp	family_socks5systemz
behavioral2/memory/3928-83-0x0000000000930000-0x00000000009D2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
2500	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp
3928	videoconverterbeta32.exe

Loads dropped DLL 1 IoCs

pid	Process
2500	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	videoconverterbeta32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2500	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp
2500	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2500	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2500	1788	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe	85
PID 1788 wrote to memory of 2500	1788	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe	85
PID 1788 wrote to memory of 2500	1788	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe	85
PID 2500 wrote to memory of 3928	2500	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp	88
PID 2500 wrote to memory of 3928	2500	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp	88
PID 2500 wrote to memory of 3928	2500	033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp	88

C:\Users\Admin\AppData\Local\Temp\033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe
"C:\Users\Admin\AppData\Local\Temp\033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\is-QG14J.tmp\033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QG14J.tmp\033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp" /SL5="$60236,2606622,56832,C:\Users\Admin\AppData\Local\Temp\033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Local\Video Converter Beta\videoconverterbeta32.exe
    "C:\Users\Admin\AppData\Local\Video Converter Beta\videoconverterbeta32.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-M8TBI.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QG14J.tmp\033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp

Filesize
690KB

MD5
45146253707d5e78e04106da4c1563a0

SHA1
27e5d7ab37dfa04e45d7e7b0ea2824c99559a952

SHA256
2799a35d19ea8b0ca8e47a1f02d801e705cab1401777fd7446ca0094425c79e6

SHA512
2d9c02fbc9c1ba4d2bf7a8b214b32367a22fb0bc7c72e6bf341c37ef4f3e24dcdf62dc2bb7162c442de1267329814e7c8e941a81611a36659bdc8dcfe769be76

Download Submit
C:\Users\Admin\AppData\Local\Video Converter Beta\videoconverterbeta32.exe

Filesize
2.6MB

MD5
1fc9a549c692b6ad8fa2ba575f5c52c7

SHA1
031dce10ca29752d5d92f579c8b8c6804ce7eedf

SHA256
a6330510d8dd6f080dbae700ee4f9ae2d0fb47c80d1780f3905739a97f405479

SHA512
d3330256682298c464d15fe7aa3360c36d752e9e5f939a716608ebc945c48db2ba397622bd6a8e9463ed17ccd67fa8b43281e4531a4651187d45223031a6a91f

Download Submit
memory/1788-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1788-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1788-40-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2500-39-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2500-7-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3928-49-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-66-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-35-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-41-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-43-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-46-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-34-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-52-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-55-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-59-0x0000000000930000-0x00000000009D2000-memory.dmp

Filesize
648KB

Download
memory/3928-60-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-38-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-69-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-72-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-75-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-78-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-81-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-82-0x0000000000930000-0x00000000009D2000-memory.dmp

Filesize
648KB

Download
memory/3928-83-0x0000000000930000-0x00000000009D2000-memory.dmp

Filesize
648KB

Download
memory/3928-87-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/3928-90-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing