socks5systemz | 20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee

General

Target

20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.exe
Size

4.1MB
MD5

fc54b2526c2dfe1a32117f9165e7380a
SHA1

2c5ef4857254c52a245eba8bb26f0098adf082c0
SHA256

20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee
SHA512

0a4b9563aee9497c3dc15b8122ba668e955043c23cb19108f012486bdcc015956e529aeb5ff3ccbb621909270cc87b93ecaece6ae15aabdd6ff578fcc70dbdd3
SSDEEP

98304:IVA3IkOQnFmCoAFa3t+wL9Bp3aCQCiU98r:BIkOKFmCoIa9jp//9A

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/2704-100-0x00000000009C0000-0x0000000000A62000-memory.dmp	family_socks5systemz
behavioral2/memory/2704-123-0x00000000009C0000-0x0000000000A62000-memory.dmp	family_socks5systemz
behavioral2/memory/2704-124-0x00000000009C0000-0x0000000000A62000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
2848	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.tmp
2704	ascreenrecorder3.exe

Loads dropped DLL 1 IoCs

pid	Process
2848	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ascreenrecorder3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2848	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.tmp
2848	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2848	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 2848	4836	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.exe	84
PID 4836 wrote to memory of 2848	4836	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.exe	84
PID 4836 wrote to memory of 2848	4836	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.exe	84
PID 2848 wrote to memory of 2704	2848	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.tmp	86
PID 2848 wrote to memory of 2704	2848	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.tmp	86
PID 2848 wrote to memory of 2704	2848	20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.tmp	86

C:\Users\Admin\AppData\Local\Temp\20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.exe
"C:\Users\Admin\AppData\Local\Temp\20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\is-OI33A.tmp\20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OI33A.tmp\20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.tmp" /SL5="$60062,4052906,54272,C:\Users\Admin\AppData\Local\Temp\20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\AScreenRecorder\ascreenrecorder3.exe
    "C:\Users\Admin\AppData\Local\AScreenRecorder\ascreenrecorder3.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AScreenRecorder\ascreenrecorder3.exe

Filesize
2.7MB

MD5
247b6f246be51e61b1889b89b065f174

SHA1
83950b48866cb91867ebe5228621ef9e5fcb18d4

SHA256
2253215375ad3ea0bf8959b6cd206aaa8be23de8df157e76c7d453e4e847ed9c

SHA512
92c41de8ab91dfbaddf9cd2bfa72f5df3244675368915653389be91f5f2e85a83bcebd7b8b64e8b2c6dd16d72b16a74f2bf35fe39c96f0f6b9753232a6c955af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5D7MI.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OI33A.tmp\20d0002172ac6e25892e38d986c92e31cd269762cd972e26f493dd852b829fee.tmp

Filesize
689KB

MD5
0e849b2dfb90fbf06f63538ab15e6011

SHA1
3eba492519f7f3a22671b39c380a1fd2768d3d2b

SHA256
d2a192821275feec87893c7f6321f3362e28818260975be9f380bac790e6f2f1

SHA512
6f61da095a7877b2ba806571ce57cb9625dae28c8e7752fe3b3363f3bab2d5a14210130e0b470d1fd7532ed752c2c4b5be6a7bc6a95b3daef15946374a38cae1

Download Submit
memory/2704-93-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-116-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-131-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-76-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-77-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-78-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-128-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-124-0x00000000009C0000-0x0000000000A62000-memory.dmp

Filesize
648KB

Download
memory/2704-84-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-87-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-90-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-123-0x00000000009C0000-0x0000000000A62000-memory.dmp

Filesize
648KB

Download
memory/2704-96-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-99-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-100-0x00000000009C0000-0x0000000000A62000-memory.dmp

Filesize
648KB

Download
memory/2704-106-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-109-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-110-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-113-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-122-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2704-119-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/2848-7-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2848-81-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4836-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4836-82-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4836-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing