socks5systemz | 195582dd9528a153db2f2241de38fadab61bb6f5ff2293e7f80c2b1b6e3382dd

General

Target

SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe
Size

3.0MB
MD5

182d581f0026e36956889629da2364fb
SHA1

2ad1d1db745d7d824bee64a4b6dae817c36fab28
SHA256

195582dd9528a153db2f2241de38fadab61bb6f5ff2293e7f80c2b1b6e3382dd
SHA512

54a5d87034f620a25d2face02326cd6a766b6892937ec4936b52e99ce77c18e79aa7471d906bb91b451c37b05afdc010beb54e95d04d4aaf36fcafd1084c1234
SSDEEP

49152:e9Bq1jMKjJ5/SvVQ8Ng9ZstGaEzANs3adnzTdawy4DcHQLyWe/1tvCnnKmBdAtiq:4Aj9jWthNHscNKadn9awy0LoNCKmQiq

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4152-60-0x0000000000950000-0x00000000009F2000-memory.dmp	family_socks5systemz
behavioral2/memory/4152-83-0x0000000000950000-0x00000000009F2000-memory.dmp	family_socks5systemz
behavioral2/memory/4152-84-0x0000000000950000-0x00000000009F2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
4824	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.tmp
4152	gerdaplay3se32.exe

Loads dropped DLL 1 IoCs

pid	Process
4824	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gerdaplay3se32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4824	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.tmp
4824	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4824	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 4824	4924	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe	82
PID 4924 wrote to memory of 4824	4924	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe	82
PID 4924 wrote to memory of 4824	4924	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe	82
PID 4824 wrote to memory of 4152	4824	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.tmp	83
PID 4824 wrote to memory of 4152	4824	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.tmp	83
PID 4824 wrote to memory of 4152	4824	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.tmp	83

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\Temp\is-0D9CJ.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0D9CJ.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.tmp" /SL5="$50214,2894809,56832,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Users\Admin\AppData\Local\Gerda Play3 SE\gerdaplay3se32.exe
    "C:\Users\Admin\AppData\Local\Gerda Play3 SE\gerdaplay3se32.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Gerda Play3 SE\gerdaplay3se32.exe

Filesize
2.5MB

MD5
28d705b971b1a55c003f13f608ebf7a8

SHA1
5cb98dc59362d1b7e8de168a5b3796842c797345

SHA256
d241e4d756f8cfb1d84cda428904b5451807b98c35e81f731c20ff04b023275f

SHA512
7eceb20f95feeef6d0bf51ea91007f12dfe4f1e5e79e2b0c403b6af86acb1c0f841d92202eb713fa24c8afd999f1540d953b6ee9f742407a4aab2409e1fc56fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0D9CJ.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.tmp

Filesize
692KB

MD5
81990a291c8322e03b2d5f469e8cb125

SHA1
9e2b21d325be56a760eb05e3a57eba6e74fbc14f

SHA256
b5227a0821b50a1d20f72c8a5df525a6783f50f7ec895619b4a40cfa67256e8f

SHA512
73c1663ea0cd93370cf9d11adcb0476b0584e230aa4226c9b260553955606d2572316450136be5c3056a210311d1216a9d0e15f1bb1e89fb29608353cf573b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C89NI.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/4152-50-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-73-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-91-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-35-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-36-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-39-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-88-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-84-0x0000000000950000-0x00000000009F2000-memory.dmp

Filesize
648KB

Download
memory/4152-43-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-44-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-47-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-83-0x0000000000950000-0x00000000009F2000-memory.dmp

Filesize
648KB

Download
memory/4152-53-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-56-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-59-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-60-0x0000000000950000-0x00000000009F2000-memory.dmp

Filesize
648KB

Download
memory/4152-66-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-67-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-70-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-82-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-76-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4152-79-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4824-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4824-40-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4924-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4924-41-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4924-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing