Analysis
-
max time kernel
141s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
13/10/2024, 13:09
Static task
static1
Behavioral task
behavioral1
Sample
4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe
Resource
win10v2004-20241007-en
General
-
Target
4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe
-
Size
4.2MB
-
MD5
420f952f477040d92849d783d5face90
-
SHA1
f0ef03621a666c853b6fa65f40177ed36b0d9952
-
SHA256
4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76
-
SHA512
3597a957651fb7f1ec0adae92f8469516a59f97804d9836a9e8d066ea416e5920a4d0043296d719e32f491a084b35509c2170f68e0e072d90809c732b5ac6b2c
-
SSDEEP
98304:xdVb6cetWDp2GTLhw1eZ1pUVAjk16RUt99HRfH6wbpmBeE:DZ66bLa6Ra6REXHRfH6wbpmBeE
Malware Config
Signatures
-
Detect Socks5Systemz Payload 3 IoCs
resource                                                                      yara_rule
behavioral2/memory/3896-104-0x00000000009D0000-0x0000000000A72000-memory.dmp  family_socks5systemz
behavioral2/memory/3896-127-0x00000000009D0000-0x0000000000A72000-memory.dmp  family_socks5systemz
behavioral2/memory/3896-128-0x00000000009D0000-0x0000000000A72000-memory.dmp  family_socks5systemz
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Executes dropped EXE 2 IoCs
pid   Process
752   is-K35BS.tmp
3896  superplay3_32.exe
-
Loads dropped DLL 1 IoCs
pid   Process
752   is-K35BS.tmp
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description     ioc
Destination IP  141.98.234.31
-
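The signature above is a simple allow-list check: any traffic to the DNS port whose destination is not one of the resolvers the analysis VM was configured with is reported. The following is an added example of that check run over constructed flow records, not code from the sandbox vendor or from the sample; the resolver addresses, the source address and all ports are assumptions for the example, and only the destination 141.98.234.31 is taken from the report.

```python
import ipaddress
import re
from collections import Counter

# Resolvers the analysis VM is configured to use. These two addresses are
# assumptions for the example; a real check reads them from the VM's adapter
# settings or the sandbox's network profile.
CONFIGURED_RESOLVERS = ("10.127.0.1", "8.8.8.8")

# Constructed flow records, one per line: "<proto> <src>:<sport> -> <dst>:<dport>".
# 141.98.234.31 is the destination the report flagged; everything else is made up.
SAMPLE_FLOWS = """\
udp 192.168.56.10:52101 -> 10.127.0.1:53
udp 192.168.56.10:52102 -> 8.8.8.8:53
tcp 192.168.56.10:49713 -> 141.98.234.31:443
udp 192.168.56.10:52103 -> 141.98.234.31:53
udp 192.168.56.10:52104 -> 141.98.234.31:53
tcp 192.168.56.10:49720 -> 1.1.1.1:53
this line is not a flow record and is skipped
"""

FLOW_RE = re.compile(r"^(udp|tcp)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def parse_flows(text):
    """Yield (proto, src, dst, dport) for every well-formed record; skip the rest."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            proto, src, _sport, dst, dport = m.groups()
            yield proto, src, dst, int(dport)


def find_unexpected_dns(text, resolvers=CONFIGURED_RESOLVERS, dns_port=53):
    """Count DNS-port flows per destination that is not a configured resolver.

    Returns {destination: flow_count}. Flows to the configured resolvers and
    flows on other ports (the 443 record above) are ignored.
    """
    allowed = {ipaddress.ip_address(r) for r in resolvers}
    hits = Counter()
    for _proto, _src, dst, dport in parse_flows(text):
        if dport != dns_port:
            continue
        if ipaddress.ip_address(dst) in allowed:
            continue
        hits[dst] += 1
    return dict(hits)


if __name__ == "__main__":
    for dst, n in find_unexpected_dns(SAMPLE_FLOWS).items():
        print(f"unexpected DNS-port destination {dst}: {n} flow(s)")
```

The check is a heuristic, and a practitioner should read it as one: software that ships a hard-coded public resolver will trigger it just as a sample that talks to its own server over port 53 will. What makes the hit worth following up is the combination with the rest of this report, a dropped executable started from a user-writable directory and the Socks5Systemz memory match, rather than the port-53 flow on its own.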
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  is-K35BS.tmp
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  superplay3_32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description                      pid   Process                                                                 procid_target
PID 1404 wrote to memory of 752  1404  4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe  83
PID 1404 wrote to memory of 752  1404  4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe  83
PID 1404 wrote to memory of 752  1404  4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe  83
PID 752 wrote to memory of 3896  752   is-K35BS.tmp                                                            87
PID 752 wrote to memory of 3896  752   is-K35BS.tmp                                                            87
PID 752 wrote to memory of 3896  752   is-K35BS.tmp                                                            87
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe
"C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404
-
  C:\Users\Admin\AppData\Local\Temp\is-V3OQJ.tmp\is-K35BS.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-V3OQJ.tmp\is-K35BS.tmp" /SL4 $A004C "C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe" 4138563 52224
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:752
  -
    C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe
    "C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe" -i
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3896
-
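The process tree, together with the "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" signatures above, shows a three-stage chain: the submitted file launches a second-stage unpacker from Temp (the <dir>\is-XXXXX.tmp\is-XXXXX.tmp layout with a /SL4 switch is the layout Inno Setup installers use; that identification is the editor's, the report does not name the installer framework), and the unpacker then starts superplay3_32.exe from a user-writable directory. The following is an added example of how to recover that chain from process-creation events; it is not code from the sandbox vendor or the sample. The event tuples mirror the report's tree, while the parent pid 640 and the svchost.exe entry are constructed noise.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4f2148a8d571ae94c2071e2e7c282d9b24154489419c1b044b3bc3a7f4367c76N.exe"

# Constructed process-creation events: (pid, ppid, image, command line).
# The three chain entries follow the report's tree; pid 640 and svchost.exe are made up.
SAMPLE_EVENTS = [
    (1404, 640, SAMPLE, f'"{SAMPLE}"'),
    (752, 1404,
     r"C:\Users\Admin\AppData\Local\Temp\is-V3OQJ.tmp\is-K35BS.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\is-V3OQJ.tmp\is-K35BS.tmp" /SL4 $A004C '
     + f'"{SAMPLE}" 4138563 52224'),
    (3896, 752,
     r"C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe",
     r'"C:\Users\Admin\AppData\Local\Super Play 3\superplay3_32.exe" -i'),
    (4100, 640, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

# Second-stage layout used by Inno Setup: <dir>\is-XXXXX.tmp\is-XXXXX.tmp, started
# with /SL4 (older releases) or /SL5 (newer) followed by handle, source path, offset, size.
INNO_UNPACKER_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\is-[A-Z0-9]{5}\.tmp$", re.IGNORECASE)
SETUP_SWITCH_RE = re.compile(r"(?:^|\s)/SL[45]\b")

# Locations an unprivileged user can write to; an .exe launched from here by an
# installer stage is the "Executes dropped EXE" behaviour the report records.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)


def is_user_writable(path):
    return bool(USER_WRITABLE_RE.match(path))


def build_tree(events):
    """Index events by pid and group child pids under their parent pid."""
    by_pid = {pid: (pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _image, _cmd in events:
        children[ppid].append(pid)
    return by_pid, children


def find_installer_chains(events):
    """Return (root_pid, unpacker_pid, payload_pid, payload_image) for every chain
    parent -> is-*.tmp\\is-*.tmp unpacker with /SL4 or /SL5 -> .exe in a user-writable path."""
    by_pid, children = build_tree(events)
    chains = []
    for pid, ppid, image, cmd in events:
        if not (INNO_UNPACKER_RE.search(image) and SETUP_SWITCH_RE.search(cmd)):
            continue
        for child_pid in children.get(pid, []):
            _p, _pp, child_image, _c = by_pid[child_pid]
            if child_image.lower().endswith(".exe") and is_user_writable(child_image):
                chains.append((ppid, pid, child_pid, child_image))
    return chains


if __name__ == "__main__":
    for root, unpacker, payload, image in find_installer_chains(SAMPLE_EVENTS):
        print(f"installer chain {root} -> {unpacker} -> {payload}: runs {image}")
```

Two caveats when reading the report through this lens. First, the parent-to-child WriteProcessMemory entries are what ordinary process creation looks like (the creating process writes the new process's startup parameters into it before it runs), so that signature is weak on its own; the shape of the chain and the Socks5Systemz memory match are the stronger signals. Second, the chain is also exactly what a legitimate Inno Setup installer produces, so the detector above is a triage filter for what to look at, not a verdict.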
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.3MB
MD5
7fbb1c1bb9004245e9dc3ad4bc3c2899
SHA1
a2c870ac95c986b8d29d30c5a9fb9010d05843b6
SHA256
33cd220a39bb10bf85ae5d279fd6e8cc4ba7185f0c45cb388e60876ed5973c96
SHA512
c89e32f66aa6b7a72f20e8a2f09ece39db4819e5bf13029d80612a674dc7b2dc1b1dd63a48656b30ba90b999d459bbedef047d080bd16e23b9f4eeb8538e5118
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
647KB
MD55ec1c51da61b4f15b2f40339d7d1df7c
SHA1bab46af9f3d1d78130d73951022b163720bc040f
SHA256ae8d36e1edc71bcb37c4636e2c8b364698f0238039cb7e12571022a94fb66897
SHA512b2b208e0b9d3508bf958dda89d16286921664833de9d237ec61cc9402f36ce380cc361dcf4b1373505af6e56254515c74f49d58a099c5da90f9052697342825e