Malware Analysis Report

2025-06-15 23:21

Sample ID 241013-qchx7sserq
Target 4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N
SHA256 4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76
Tags
socks5systemz botnet discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76

Threat Level: Known bad

The file 4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Socks5Systemz

Detect Socks5Systemz Payload

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 13:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 13:06

Reported

2024-10-13 13:08

Platform

win7-20240708-en

Max time kernel

119s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe"

Signatures

Detect Socks5Systemz Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Socks5Systemz

botnet socks5systemz

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2204 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe | C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp
PID 2204 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe | C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp
PID 2204 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe | C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp
PID 2204 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe | C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp
PID 2204 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe | C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp
PID 2204 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe | C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp
PID 2204 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe | C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp
PID 2516 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp | C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe
PID 2516 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp | C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe
PID 2516 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp | C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe
PID 2516 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp | C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe

"C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe"

C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp" /SL4 $40112 "C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe" 4138563 52224

C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe

"C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe" -i

Network

N/A

Files

memory/2204-0-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2204-2-0x0000000000401000-0x000000000040A000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-R7NHT.tmp\is-FOQ1E.tmp

MD5 5ec1c51da61b4f15b2f40339d7d1df7c
SHA1 bab46af9f3d1d78130d73951022b163720bc040f
SHA256 ae8d36e1edc71bcb37c4636e2c8b364698f0238039cb7e12571022a94fb66897
SHA512 b2b208e0b9d3508bf958dda89d16286921664833de9d237ec61cc9402f36ce380cc361dcf4b1373505af6e56254515c74f49d58a099c5da90f9052697342825e

memory/2516-9-0x0000000000400000-0x00000000004B0000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-AI7TO.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-AI7TO.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe

MD5 7fbb1c1bb9004245e9dc3ad4bc3c2899
SHA1 a2c870ac95c986b8d29d30c5a9fb9010d05843b6
SHA256 33cd220a39bb10bf85ae5d279fd6e8cc4ba7185f0c45cb388e60876ed5973c96
SHA512 c89e32f66aa6b7a72f20e8a2f09ece39db4819e5bf13029d80612a674dc7b2dc1b1dd63a48656b30ba90b999d459bbedef047d080bd16e23b9f4eeb8538e5118

memory/1464-85-0x0000000000400000-0x000000000075D000-memory.dmp

memory/2516-83-0x0000000003A90000-0x0000000003DED000-memory.dmp

memory/1464-86-0x0000000000400000-0x000000000075D000-memory.dmp

memory/2516-89-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/2204-90-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1464-92-0x0000000000400000-0x000000000075D000-memory.dmp

memory/1464-95-0x0000000000400000-0x000000000075D000-memory.dmp

memory/1464-98-0x0000000000400000-0x000000000075D000-memory.dmp

memory/1464-101-0x0000000000400000-0x000000000075D000-memory.dmp

memory/1464-104-0x0000000000400000-0x000000000075D000-memory.dmp

memory/1464-107-0x0000000000400000-0x000000000075D000-memory.dmp

memory/1464-108-0x0000000002F40000-0x0000000002FE2000-memory.dmp

memory/1464-114-0x0000000000400000-0x000000000075D000-memory.dmp

memory/1464-117-0x0000000000400000-0x000000000075D000-memory.dmp

memory/1464-120-0x0000000000400000-0x000000000075D000-memory.dmp

memory/1464-123-0x0000000000400000-0x000000000075D000-memory.dmp

memory/1464-126-0x0000000000400000-0x000000000075D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 13:06

Reported

2024-10-13 13:08

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe"

Signatures

Detect Socks5Systemz Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Socks5Systemz

botnet socks5systemz

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-J4AVT.tmp\is-RSKC8.tmp | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-J4AVT.tmp\is-RSKC8.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe

"C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe"

C:\Users\Admin\AppData\Local\Temp\is-J4AVT.tmp\is-RSKC8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-J4AVT.tmp\is-RSKC8.tmp" /SL4 $90050 "C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe" 4138563 52224

C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe

"C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe" -i

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp

Files

memory/3952-2-0x0000000000401000-0x000000000040A000-memory.dmp

memory/3952-0-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-J4AVT.tmp\is-RSKC8.tmp

MD5 5ec1c51da61b4f15b2f40339d7d1df7c
SHA1 bab46af9f3d1d78130d73951022b163720bc040f
SHA256 ae8d36e1edc71bcb37c4636e2c8b364698f0238039cb7e12571022a94fb66897
SHA512 b2b208e0b9d3508bf958dda89d16286921664833de9d237ec61cc9402f36ce380cc361dcf4b1373505af6e56254515c74f49d58a099c5da90f9052697342825e

memory/2640-10-0x0000000000400000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-TBRIH.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe

MD5 7fbb1c1bb9004245e9dc3ad4bc3c2899
SHA1 a2c870ac95c986b8d29d30c5a9fb9010d05843b6
SHA256 33cd220a39bb10bf85ae5d279fd6e8cc4ba7185f0c45cb388e60876ed5973c96
SHA512 c89e32f66aa6b7a72f20e8a2f09ece39db4819e5bf13029d80612a674dc7b2dc1b1dd63a48656b30ba90b999d459bbedef047d080bd16e23b9f4eeb8538e5118

memory/4512-79-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-80-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-83-0x0000000000400000-0x000000000075D000-memory.dmp

memory/2640-84-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3952-85-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4512-88-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-87-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-91-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-94-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-97-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-100-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-103-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-104-0x0000000000A20000-0x0000000000AC2000-memory.dmp

memory/4512-110-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-111-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-114-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-115-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-118-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-121-0x0000000000400000-0x000000000075D000-memory.dmp

memory/4512-124-0x0000000000400000-0x000000000075D000-memory.dmp