Analysis
-
max time kernel
111s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
02-10-2024 01:18
Static task
static1
Behavioral task
behavioral1
Sample
3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe
Resource
win10v2004-20240802-en
General
-
Target
3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe
-
Size
3.0MB
-
MD5
6976c2f4eb0fc3e23386810a612a85e0
-
SHA1
16083d6b107d37c5167317c73b4a88529053dbfc
-
SHA256
3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539b
-
SHA512
d20f2c0c8ae1c7c036db38942be69b3deeffd596163c56350f5d7cb61577fa06e9625ac87c20e4bd24bdf6d39815b93b81e7dce9f1399c0282e0c4cec7f30303
-
SSDEEP
49152:C9MrGktlzGTbi813f23CG5Pckw8rx/0osmuwz55MXEc1xhT/+tzSHRGm6:MMrz/zUzNfZG5dhrx/1Vu8M0CV/L2
Malware Config
Signatures
-
Detect Socks5Systemz Payload 1 IoCs
resource yara_rule behavioral1/memory/2928-65-0x0000000002DF0000-0x0000000002E92000-memory.dmp family_socks5systemz -
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Executes dropped EXE 2 IoCs
pid Process 3028 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp 2928 regeivideoeditor3264.exe -
Loads dropped DLL 5 IoCs
pid Process 2480 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe 3028 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp 3028 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp 3028 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp 3028 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regeivideoeditor3264.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3028 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp 3028 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3028 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2480 wrote to memory of 3028 2480 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe 30 PID 2480 wrote to memory of 3028 2480 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe 30 PID 2480 wrote to memory of 3028 2480 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe 30 PID 2480 wrote to memory of 3028 2480 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe 30 PID 2480 wrote to memory of 3028 2480 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe 30 PID 2480 wrote to memory of 3028 2480 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe 30 PID 2480 wrote to memory of 3028 2480 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe 30 PID 3028 wrote to memory of 2928 3028 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp 31 PID 3028 wrote to memory of 2928 3028 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp 31 PID 3028 wrote to memory of 2928 3028 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp 31 PID 3028 wrote to memory of 2928 3028 3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe"C:\Users\Admin\AppData\Local\Temp\3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\is-03OO7.tmp\3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp"C:\Users\Admin\AppData\Local\Temp\is-03OO7.tmp\3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp" /SL5="$30146,2850352,56832,C:\Users\Admin\AppData\Local\Temp\3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\AppData\Local\Regei Video Editor\regeivideoeditor3264.exe"C:\Users\Admin\AppData\Local\Regei Video Editor\regeivideoeditor3264.exe" -i3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2928
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD5f19525adf4e701118e96a905823ddc7c
SHA12529c437b4e295c3846d48eeb4ed08c2c79160ed
SHA256fe12cd01bab7421694b8eb247d55f4a6b1b611639826049fefe8cce94b4e23b0
SHA512dddf28ba31ac9ff34fbb16b6b2042bfca0e5afea79ec2df13e85fe367b5e3352c50c1067c7ebe9477fedbe176bca4774887f60692d64414c244d9bcc41154fbf
-
\Users\Admin\AppData\Local\Temp\is-03OO7.tmp\3f812e3776bc2a73ff2bdeeb8aca47d0b726db8172a83f3d7c0c80c1dd1f539bN.tmp
Filesize691KB
MD520a3b5c3654326aeba3ef9aa73d752af
SHA18b7c8f4e66f5458f2776d40e5ee326a5fbe6c30c
SHA256575975ee6c165a1711079030e4486abbabcb136d378513b1f43507ba73e24441
SHA512cfa548a973ccf81e6c092749cc67c2ea8c6137aa62a92c07ea4369ad7ae8cadbe47eda8343c49771bd4172d0a1794a8148db79a08d0e6eac0ce321c6e7acdbed
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3