socks5systemz | 17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f

General

Target

17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe
Size

3.8MB
MD5

2ec886d8770da09928682590d15d7404
SHA1

56e22d3d0272c3cbc4abb8ed2e5c2507f70eac5c
SHA256

17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f
SHA512

454570cab426425c0ef8804e8b27cb9aebac490c6c087aff116a690430b2e12e0f74b7ac9573fed6e0ad9d4a2ba7d07b802843728102735000a99095a585b103
SSDEEP

98304:xdogpKn3xqbthT3457Gj822hIY/h77nnxan4PiJ9xx9bpmBeE:DogpS3EhUwwh/Bg8o9dbpmBeE

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral1/memory/272-108-0x0000000002E60000-0x0000000002F02000-memory.dmp	family_socks5systemz
behavioral1/memory/272-131-0x0000000002E60000-0x0000000002F02000-memory.dmp	family_socks5systemz
behavioral1/memory/272-132-0x0000000002E60000-0x0000000002F02000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
2988	is-OEOJC.tmp
272	superplay3_3264.exe

Loads dropped DLL 5 IoCs

pid	Process
2656	17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe
2988	is-OEOJC.tmp
2988	is-OEOJC.tmp
2988	is-OEOJC.tmp
2988	is-OEOJC.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-OEOJC.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	superplay3_3264.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2988	2656	17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe	28
PID 2656 wrote to memory of 2988	2656	17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe	28
PID 2656 wrote to memory of 2988	2656	17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe	28
PID 2656 wrote to memory of 2988	2656	17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe	28
PID 2656 wrote to memory of 2988	2656	17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe	28
PID 2656 wrote to memory of 2988	2656	17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe	28
PID 2656 wrote to memory of 2988	2656	17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe	28
PID 2988 wrote to memory of 272	2988	is-OEOJC.tmp	29
PID 2988 wrote to memory of 272	2988	is-OEOJC.tmp	29
PID 2988 wrote to memory of 272	2988	is-OEOJC.tmp	29
PID 2988 wrote to memory of 272	2988	is-OEOJC.tmp	29

C:\Users\Admin\AppData\Local\Temp\17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe
"C:\Users\Admin\AppData\Local\Temp\17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\is-3CI83.tmp\is-OEOJC.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3CI83.tmp\is-OEOJC.tmp" /SL4 $40150 "C:\Users\Admin\AppData\Local\Temp\17c98b33f87befc913c8d67314190cd05597717c49090b50d8c8a04f6ad22e2f.exe" 3756095 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Super Play 3\superplay3_3264.exe
    "C:\Users\Admin\AppData\Local\Super Play 3\superplay3_3264.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Super Play 3\superplay3_3264.exe

Filesize
3.4MB

MD5
1b46202194d6a15fd291e373466c9988

SHA1
83350a463d48844070ac5bdffb8869f7da951a30

SHA256
a0f318d0200872b4d54fd56ad7baab9ed2b11cf0a1a4cd3034874e5d9c086cf0

SHA512
6cb37a56cf15d5b67b5983e296c0f83318f1bf06a37409860472ee87094991e96a35601fd2560d66121fe59310c0c34f09c051535845e219c8248bb40ee13e69

Download Submit
\Users\Admin\AppData\Local\Temp\is-2TF00.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-2TF00.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-3CI83.tmp\is-OEOJC.tmp

Filesize
647KB

MD5
5ec1c51da61b4f15b2f40339d7d1df7c

SHA1
bab46af9f3d1d78130d73951022b163720bc040f

SHA256
ae8d36e1edc71bcb37c4636e2c8b364698f0238039cb7e12571022a94fb66897

SHA512
b2b208e0b9d3508bf958dda89d16286921664833de9d237ec61cc9402f36ce380cc361dcf4b1373505af6e56254515c74f49d58a099c5da90f9052697342825e

Download Submit
memory/272-98-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-124-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-139-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-85-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-136-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-86-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-132-0x0000000002E60000-0x0000000002F02000-memory.dmp

Filesize
648KB

Download
memory/272-131-0x0000000002E60000-0x0000000002F02000-memory.dmp

Filesize
648KB

Download
memory/272-92-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-95-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-130-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-101-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-104-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-107-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-108-0x0000000002E60000-0x0000000002F02000-memory.dmp

Filesize
648KB

Download
memory/272-114-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-117-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-127-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/272-121-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/2656-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2656-90-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2656-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2988-9-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2988-118-0x0000000004120000-0x0000000004491000-memory.dmp

Filesize
3.4MB

Download
memory/2988-89-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2988-83-0x0000000004120000-0x0000000004491000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing