socks5systemz | c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4

General

Target

c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.exe
Size

5.4MB
MD5

63244d51f20e41e971342724d077069d
SHA1

039313797b893989b186864a18c930f6f026d32f
SHA256

c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4
SHA512

f88f3d63ad7c92fc6a95932c696cdd06ec7a6f8a3436cbd592a5f2a2e947308367d826d865a4c423df6f9126cae1ca402d0445ea6974ef454116ad5d79339311
SSDEEP

98304:QqSPEMlnomNMivQ9l+3N4l9MewiEIJ3+ImhOiqDbFIWzTSsR:5RmQy94vBj3+ImLCBIaSQ

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1688-189-0x0000000000930000-0x00000000009D2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 2 IoCs

Processes:

c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmpsyncplayer.exe

pid	Process
4560	c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp
1688	syncplayer.exe

Loads dropped DLL 1 IoCs

Processes:

c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp

pid	Process
4560	c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmpsyncplayer.exec93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syncplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp

pid	Process
4560	c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.exec93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp

description	pid	Process	procid_target
PID 1188 wrote to memory of 4560	1188	c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.exe	84
PID 1188 wrote to memory of 4560	1188	c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.exe	84
PID 1188 wrote to memory of 4560	1188	c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.exe	84
PID 4560 wrote to memory of 1688	4560	c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp	88
PID 4560 wrote to memory of 1688	4560	c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp	88
PID 4560 wrote to memory of 1688	4560	c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp	88

C:\Users\Admin\AppData\Local\Temp\c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.exe
"C:\Users\Admin\AppData\Local\Temp\c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\is-Q17D8.tmp\c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q17D8.tmp\c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp" /SL5="$60214,5453723,54272,C:\Users\Admin\AppData\Local\Temp\c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\SyncPlayer 1.7.14\syncplayer.exe
    "C:\Users\Admin\AppData\Local\SyncPlayer 1.7.14\syncplayer.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SyncPlayer 1.7.14\syncplayer.exe

Filesize
2.9MB

MD5
e5e55a3ed23cfd6f6c323a2b6fee6f36

SHA1
e150e40e442d9288ba51ac1c87d5a925c9057dbc

SHA256
8ccfb798298d7ed04523abb28774bfa5b6574ae0a5eea9a2659a8c5e691d9739

SHA512
e228ecd328efc167de0a74241b704a5a77764913a3933dd258e45236601298d785d1f2975d8bc58a2251d21fcc8c28dcbb3491d503d6c8e5908538b7effad770

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-48NVS.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q17D8.tmp\c93208574c17d73f0e6b38a0fd4541c5396e0fac24b337f05c5c6f5d87653bd4.tmp

Filesize
688KB

MD5
b64059456aabaf06ba79c9973f9d1793

SHA1
688eb67a50caf131369962b319719d23836e8bd7

SHA256
842c518bf03f170b3532bf30f2c471f8f5a75aac57ca66111063d885db99956b

SHA512
26569cc29759f1036a3fb05e671c2ea1d37d163dc43b1fa79909b2239fe445c38754faee300877cb9bc7c994abf87517d73622bd4f54fa95c2a7f21875b6cd77

Download Submit
memory/1188-170-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1188-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1188-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1688-179-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-189-0x0000000000930000-0x00000000009D2000-memory.dmp

Filesize
648KB

Download
memory/1688-168-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-218-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-164-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-172-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-173-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-176-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-215-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-182-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-185-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-165-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-188-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-195-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-198-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-199-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-202-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-205-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-208-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1688-211-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4560-16-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4560-169-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads