socks5systemz | e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763

General

Target

e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.exe
Size

4.2MB
MD5

fed67ea0168896c32680382b1fb8ecd3
SHA1

2d8462b69cb27a0256300d4ae9b7070823a24d87
SHA256

e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763
SHA512

b5f2e9426dd6cf7b960b852262f853283a324e0867f426b2f50e3f45482622c8acc4b461c092719248818979f037c11f84b659a692440f2d7be11c267bf42700
SSDEEP

98304:IqZngwJWJc4XMz7DIRx1NkYrPPyvcKSovAB5fyRC/7Q5+GZmkWP:vgwwJcXz78RxD7PyvcjWA5fQC/6+B

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/3164-101-0x00000000007F0000-0x0000000000892000-memory.dmp	family_socks5systemz
behavioral2/memory/3164-126-0x00000000007F0000-0x0000000000892000-memory.dmp	family_socks5systemz
behavioral2/memory/3164-127-0x00000000007F0000-0x0000000000892000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
1068	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.tmp
3164	softartsvc32.exe

Loads dropped DLL 1 IoCs

pid	Process
1068	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	softartsvc32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1068	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.tmp
1068	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1068	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1068	1916	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.exe	84
PID 1916 wrote to memory of 1068	1916	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.exe	84
PID 1916 wrote to memory of 1068	1916	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.exe	84
PID 1068 wrote to memory of 3164	1068	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.tmp	88
PID 1068 wrote to memory of 3164	1068	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.tmp	88
PID 1068 wrote to memory of 3164	1068	e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.tmp	88

C:\Users\Admin\AppData\Local\Temp\e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.exe
"C:\Users\Admin\AppData\Local\Temp\e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\is-SEKDC.tmp\e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SEKDC.tmp\e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.tmp" /SL5="$90056,4144992,54272,C:\Users\Admin\AppData\Local\Temp\e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Users\Admin\AppData\Local\SoftArts Video Converter\softartsvc32.exe
    "C:\Users\Admin\AppData\Local\SoftArts Video Converter\softartsvc32.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SoftArts Video Converter\softartsvc32.exe

Filesize
3.0MB

MD5
27fd43721b0e2658163e169bbb3c9c83

SHA1
8d84e7ffb9d70508ece6922f6833e534ac6183d1

SHA256
bd4b108dfd5717fe313ded60a47e091c568ae1ca65e73daa182b9eee56e7e2e6

SHA512
f1abf51dffbc6c87397f88fe26d6423204af421b80739938ba6498ace74c7e62636806f472e770dec86e9727d978cb5f8ed2586731c8bbfa9887dedf82b07869

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8DT0D.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SEKDC.tmp\e465650097f93c1fb47c83a6710d2e4b80324e6b1dfbefbb6c352201fc902763.tmp

Filesize
689KB

MD5
6877c54983bf7622c23c1ad9a041e4b9

SHA1
13c7b57f4f31cf9d2c5a5ef1eb96cf08de53c3df

SHA256
b7a22bc6f03e7bc0253e3c81e1b92e02e1f28e691be9c888251254b1c49c1bc1

SHA512
4c2d621bd1c2e9a8dc8b4d4c25a11b074c48e3b2e6827e18f91506d0b7df89d31a07c29f6cea82128822173c4ed3a79101bad4d8db94f65fd0c19c4160a329b5

Download Submit
memory/1068-81-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1068-7-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1916-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1916-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1916-82-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3164-91-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-108-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-77-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-85-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-84-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-88-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-76-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-94-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-97-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-101-0x00000000007F0000-0x0000000000892000-memory.dmp

Filesize
648KB

Download
memory/3164-102-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-80-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-109-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-112-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-113-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-116-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-119-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-122-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-125-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-126-0x00000000007F0000-0x0000000000892000-memory.dmp

Filesize
648KB

Download
memory/3164-127-0x00000000007F0000-0x0000000000892000-memory.dmp

Filesize
648KB

Download
memory/3164-131-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3164-134-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing