Analysis
  max time kernel:  155s
  max time network: 151s
  platform:         windows7_x64
  resource:         win7-20241010-en
  resource tags:    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted:        13/10/2024, 14:11
Static task: static1
Behavioral task: behavioral1
  Sample:   appFile.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample:   appFile.exe
  Resource: win10v2004-20241007-en
General
  Target: appFile.exe
  Size:   820.8MB
  MD5:    f0deb098e981d57a337c2eeb0391af38
  SHA1:   731d91e3e09d3dc66e4a110ab8a403b4c7cd60c6
  SHA256: e48bd580db2bda7c3db0565a44ad11ed75e1cbf72c955aa446e01976900dd6df
  SHA512: 869af0c641f3323226224e32475c00cb3319171ceda2e249964089eb4c262b646d7f0443bdd5366836b3130cdec3a34ac40468272acedf371842916c90a16566
  SSDEEP: 786432:DYCgVIfeQI8jPbZIbZ+6EUmtl0IUJ+Jnc9qDYSVs8eSD4yU6yF1hu/jjz:iVIxIUzZMZ+6EH0IUn8ekFyF1g/Pz
Malware Config
Signatures
Detect Socks5Systemz Payload (1 IoC)
  resource:  behavioral1/memory/2216-157-0x0000000002FF0000-0x0000000003092000-memory.dmp
  yara_rule: family_socks5systemz

Socks5Systemz
  Socks5Systemz is a botnet written in C++.

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
  pid   Process
  1588  9JJFzDoFMM0bi3grOzTA4nAd.exe
  2996  is-LG6UF.tmp
  2216  jennysoftvideoeditor32.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2776  appFile.exe
  1588  9JJFzDoFMM0bi3grOzTA4nAd.exe
  2996  is-LG6UF.tmp
  2996  is-LG6UF.tmp
  2996  is-LG6UF.tmp
  2996  is-LG6UF.tmp

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  appFile.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9JJFzDoFMM0bi3grOzTA4nAd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  is-LG6UF.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jennysoftvideoeditor32.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2776  appFile.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                         pid   Process                       procid_target
  PID 2776 wrote to memory of 1588    2776  appFile.exe                   30
  PID 2776 wrote to memory of 1588    2776  appFile.exe                   30
  PID 2776 wrote to memory of 1588    2776  appFile.exe                   30
  PID 2776 wrote to memory of 1588    2776  appFile.exe                   30
  PID 2776 wrote to memory of 1588    2776  appFile.exe                   30
  PID 2776 wrote to memory of 1588    2776  appFile.exe                   30
  PID 2776 wrote to memory of 1588    2776  appFile.exe                   30
  PID 1588 wrote to memory of 2996    1588  9JJFzDoFMM0bi3grOzTA4nAd.exe  31
  PID 1588 wrote to memory of 2996    1588  9JJFzDoFMM0bi3grOzTA4nAd.exe  31
  PID 1588 wrote to memory of 2996    1588  9JJFzDoFMM0bi3grOzTA4nAd.exe  31
  PID 1588 wrote to memory of 2996    1588  9JJFzDoFMM0bi3grOzTA4nAd.exe  31
  PID 1588 wrote to memory of 2996    1588  9JJFzDoFMM0bi3grOzTA4nAd.exe  31
  PID 1588 wrote to memory of 2996    1588  9JJFzDoFMM0bi3grOzTA4nAd.exe  31
  PID 1588 wrote to memory of 2996    1588  9JJFzDoFMM0bi3grOzTA4nAd.exe  31
  PID 2996 wrote to memory of 2216    2996  is-LG6UF.tmp                  32
  PID 2996 wrote to memory of 2216    2996  is-LG6UF.tmp                  32
  PID 2996 wrote to memory of 2216    2996  is-LG6UF.tmp                  32
  PID 2996 wrote to memory of 2216    2996  is-LG6UF.tmp                  32
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\appFile.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\appFile.exe"
      PID: 2776
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\x0COCW6GWUAE2PTOBwEZ\9JJFzDoFMM0bi3grOzTA4nAd.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\x0COCW6GWUAE2PTOBwEZ\9JJFzDoFMM0bi3grOzTA4nAd.exe
        PID: 1588
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [3] C:\Users\Admin\AppData\Local\Temp\is-J401B.tmp\is-LG6UF.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-J401B.tmp\is-LG6UF.tmp" /SL4 $40108 "C:\Users\Admin\AppData\Local\Temp\x0COCW6GWUAE2PTOBwEZ\9JJFzDoFMM0bi3grOzTA4nAd.exe" 7622144 52224
          PID: 2996
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [4] C:\Users\Admin\AppData\Local\Jennysoft Video Editor\jennysoftvideoeditor32.exe
            Command line: "C:\Users\Admin\AppData\Local\Jennysoft Video Editor\jennysoftvideoeditor32.exe" -i
            PID: 2216
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 8.3MB
  MD5:      10c9c82818543db3ebead29f108bd6f6
  SHA1:     847fecb4c57ad69e5693d450d5f27bd849639943
  SHA256:   255b29ef1d13c40b6fae7951b7ca41b7f91ebf789ba52951f800990d2ac9e034
  SHA512:   8c475c738da819b584bc6f2afbc1200741300aa6bfd96b88b31014eec7576086c95e44cf9ac76295ea7deac79baf6bbbadf177a67eea28ef74902b73703ab311

  Filesize: 647KB
  MD5:      1fa266e1f8f7d0fc062b14ab5b7c1b9b
  SHA1:     ede5ec8afe07221583cb33318a9932e925b89e59
  SHA256:   abbb1a8feb63dd2b85b97a8e089d69999876c3531a68a6636a3336d9bcf3dbcb
  SHA512:   9bc95d9a26e18b585c13c69de3d3e9d41939cd7cfa5d5c07a863c5baf3f7696df9a0cc6d6264735695c849408b74e28b8749aa3bd93631ac397b7877d674341d

  Filesize: 2KB
  MD5:      a69559718ab506675e907fe49deb71e9
  SHA1:     bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256:   2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512:   e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

  Filesize: 22KB
  MD5:      92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1:     3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256:   9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512:   9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  Filesize: 7.5MB
  MD5:      32a50eddc21b5e55c7a98ac0190895b7
  SHA1:     2540ac77136dd02b07ba3b593a44cc7bbff1ec1a
  SHA256:   20ae4dd835ad5eef5792b6821a380c4b3ca94767752a7d1f088e7e16bc3224b1
  SHA512:   1ca4af319fde67d57b124893324783410ca43f7ecd5bc150aaf9a77c67f16bb7d46157d37f431db7f25dd455807edb0c28a0eb0441ecd271ec65a4acbcf7d2c0