socks5systemz | 530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746d

General

Target

530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe
Size

4.1MB
MD5

49b41322a9004a9d62187251ff5654d0
SHA1

5f73f7ed0f63ad46a8d9482adbcf6663857aa1ac
SHA256

530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746d
SHA512

5f02bc3c11b86343c1bf57fc09ce669a4f66b5eb5c0e1a5dbb304f8b06986c0bfe5e9d81087c58fab074ec8f1a0d38c0a2d4c574c5cf148bf1d5a8706dcca56b
SSDEEP

98304:I+1egWNBi1GiYxMaDNMxS/ny3G1A1xSCFjmcNp:0qY5M8y3GcBtmcNp

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2772-105-0x0000000002A40000-0x0000000002AE2000-memory.dmp	family_socks5systemz
behavioral1/memory/2772-129-0x0000000002A40000-0x0000000002AE2000-memory.dmp	family_socks5systemz
behavioral1/memory/2772-128-0x0000000002A40000-0x0000000002AE2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz
Executes dropped EXE 2 IoCs

Processes:

530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmpdancodecsportable.exe

pid process

2528 530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
2772 dancodecsportable.exe

Loads dropped DLL 5 IoCs

Processes:

530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp

pid	process
1708	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe
2528	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
2528	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
2528	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
2528	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 45.155.250.90
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc
Destination IP	45.155.250.90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dancodecsportable.exe530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dancodecsportable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp

pid	process
2528	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
2528	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp

pid process

2528 530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp

description	pid	process	target process
PID 1708 wrote to memory of 2528	1708	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
PID 1708 wrote to memory of 2528	1708	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
PID 1708 wrote to memory of 2528	1708	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
PID 1708 wrote to memory of 2528	1708	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
PID 1708 wrote to memory of 2528	1708	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
PID 1708 wrote to memory of 2528	1708	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
PID 1708 wrote to memory of 2528	1708	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
PID 2528 wrote to memory of 2772	2528	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp	dancodecsportable.exe
PID 2528 wrote to memory of 2772	2528	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp	dancodecsportable.exe
PID 2528 wrote to memory of 2772	2528	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp	dancodecsportable.exe
PID 2528 wrote to memory of 2772	2528	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp	dancodecsportable.exe

C:\Users\Admin\AppData\Local\Temp\530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe
"C:\Users\Admin\AppData\Local\Temp\530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\is-NT1IP.tmp\530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NT1IP.tmp\530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp" /SL5="$400F8,4052791,54272,C:\Users\Admin\AppData\Local\Temp\530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Dan Codecs Portable\dancodecsportable.exe
    "C:\Users\Admin\AppData\Local\Dan Codecs Portable\dancodecsportable.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Dan Codecs Portable\dancodecsportable.exe

Filesize
3.1MB

MD5
458e52194fce2f10b543a9e2bb5131fd

SHA1
141742fa4b769232dfbe718ad9fd87d410494b87

SHA256
5a9803961be30c0a751dab01fe080371e9d2d4d0ad6a23b60b455c72b52cdcf0

SHA512
f22281abf92f4e46c62f398b948bfc54eec624be0e6072405610b8ebd36633d2202bccde666536f473b39f976d3100ab9bc5d55ee898703c63eebfd7d1dc81d2

Download Submit
\Users\Admin\AppData\Local\Temp\is-MMAIG.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-MMAIG.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NT1IP.tmp\530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp

Filesize
689KB

MD5
53d2b7460e392ca1a72a2879c9d72aac

SHA1
abd470089a3f58f5ec4884aa32a038f616e040b1

SHA256
2d96a48a093dc0f1f5ce6b7f74ed5d0c3d80190dbf3b214826ce17a1e0ad6708

SHA512
acbf0d936da9a71ad76f9cfeff637694fd0b1d7d0bd85714bb4feb19cfb5181133ecd327ae5fe32548d9ddeeb2dd4bf4d53aa81109a19e6b8d8b88219cd2259c

Download Submit
memory/1708-87-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1708-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1708-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2528-115-0x0000000003ED0000-0x00000000041F0000-memory.dmp

Filesize
3.1MB

Download
memory/2528-80-0x0000000003ED0000-0x00000000041F0000-memory.dmp

Filesize
3.1MB

Download
memory/2528-8-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2528-86-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2772-105-0x0000000002A40000-0x0000000002AE2000-memory.dmp

Filesize
648KB

Download
memory/2772-114-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-92-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-95-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-98-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-101-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-104-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-82-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-111-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-89-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-83-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-118-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-121-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-124-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-127-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-129-0x0000000002A40000-0x0000000002AE2000-memory.dmp

Filesize
648KB

Download
memory/2772-128-0x0000000002A40000-0x0000000002AE2000-memory.dmp

Filesize
648KB

Download
memory/2772-133-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2772-136-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download

pid	process
2528	530139afd5a1ff04dd836fd96991f3cee901328cdb101c58afa877bcbeca746dN.tmp
2772	dancodecsportable.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads