socks5systemz | e4727ed26433461e68b547c1d2e047d7605d0c082902e3fbfd7a38ee7831b615

General

Target

file.exe
Size

4.3MB
MD5

d0497c686d2c2a1221e1fff895d3a492
SHA1

8d574f285330bf03681b2b3886fb928021a50e5d
SHA256

e4727ed26433461e68b547c1d2e047d7605d0c082902e3fbfd7a38ee7831b615
SHA512

087d5d8bb3b7e96dcbfdeda24f12c34e73e76e43a9da444eeb5f25d80a3d1211a190680924caaa3e2095a740fbd4e4559921ea1f26de2bcdc0c92b824447a250
SSDEEP

98304:uayfum4WlLzhlw7m7UPwoq5KE+UCHr+x+Y7p9jElo2XBj:BRaLR7UIoTj+DlJEVj

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2332-108-0x0000000002980000-0x0000000002A22000-memory.dmp	family_socks5systemz
behavioral1/memory/2332-132-0x0000000002980000-0x0000000002A22000-memory.dmp	family_socks5systemz
behavioral1/memory/2332-131-0x0000000002980000-0x0000000002A22000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
1508	is-R6GQH.tmp
2332	vexvideoextensions.exe

Loads dropped DLL 5 IoCs

pid	Process
2700	file.exe
1508	is-R6GQH.tmp
1508	is-R6GQH.tmp
1508	is-R6GQH.tmp
1508	is-R6GQH.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-R6GQH.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vexvideoextensions.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1508	2700	file.exe	30
PID 2700 wrote to memory of 1508	2700	file.exe	30
PID 2700 wrote to memory of 1508	2700	file.exe	30
PID 2700 wrote to memory of 1508	2700	file.exe	30
PID 2700 wrote to memory of 1508	2700	file.exe	30
PID 2700 wrote to memory of 1508	2700	file.exe	30
PID 2700 wrote to memory of 1508	2700	file.exe	30
PID 1508 wrote to memory of 2332	1508	is-R6GQH.tmp	31
PID 1508 wrote to memory of 2332	1508	is-R6GQH.tmp	31
PID 1508 wrote to memory of 2332	1508	is-R6GQH.tmp	31
PID 1508 wrote to memory of 2332	1508	is-R6GQH.tmp	31

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\is-CHNN4.tmp\is-R6GQH.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CHNN4.tmp\is-R6GQH.tmp" /SL4 $500F8 "C:\Users\Admin\AppData\Local\Temp\file.exe" 4213455 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Local\VEX Video Extensions\vexvideoextensions.exe
    "C:\Users\Admin\AppData\Local\VEX Video Extensions\vexvideoextensions.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-2T5SN.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-2T5SN.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-CHNN4.tmp\is-R6GQH.tmp

Filesize
648KB

MD5
e704bfe4196d131a1fcf85ee61a9a37a

SHA1
2edc981577844c8813f86fbfcb2c0b13b109611c

SHA256
1c8143e311168c27d09d12cddf3889465c62f6da03b9377a7fb8451c2a1d84b9

SHA512
34f48c10d5b0729a648b6f8267f791d3aab058d93dbc6329aaccd2800dcb0f86c7f5b263d27657080e07d4b666c4cfa01d5cbe3f78983a483636310a1b92024b

Download Submit
\Users\Admin\AppData\Local\VEX Video Extensions\vexvideoextensions.exe

Filesize
2.6MB

MD5
6bb2de233d96a12ff9a3661b631e4aca

SHA1
31d04effaa4ca7d021af82fea3894fc7795e6248

SHA256
37946aaa77d5a3cd0a773440bfdf9d6f2aa44c08f178def458172b3fd2a565ee

SHA512
be32f7d55526faa4e60be6de7ccf96dc55a00f70d8b5220fe269b7d772f538c25f74b17fcc53d145f899cd4b63af41ba0386e2dfe21741ea2a707cf7d6bbdda3

Download Submit
memory/1508-89-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1508-115-0x0000000003500000-0x00000000037A8000-memory.dmp

Filesize
2.7MB

Download
memory/1508-9-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1508-84-0x0000000003500000-0x00000000037A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-98-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-127-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-85-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-139-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-92-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-95-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-136-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-101-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-104-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-107-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-108-0x0000000002980000-0x0000000002A22000-memory.dmp

Filesize
648KB

Download
memory/2332-114-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-131-0x0000000002980000-0x0000000002A22000-memory.dmp

Filesize
648KB

Download
memory/2332-118-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-121-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-124-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-86-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-130-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2332-132-0x0000000002980000-0x0000000002A22000-memory.dmp

Filesize
648KB

Download
memory/2700-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2700-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2700-90-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing