Analysis
- max time kernel: 143s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-11-2024 19:52
Static task: static1
Behavioral task: behavioral1
- Sample: 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe
- Resource: win10v2004-20241007-en
General
- Target: 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe
- Size: 6.3MB
- MD5: 278a9ce09e045ecbc97f3572092a23f9
- SHA1: a5da8fbc2d8b9fca1ac3088df1050575c77039c3
- SHA256: 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d
- SHA512: 19cd90ba0bec655ee889ffdc4301730c4dc0b371b83a960e676bc2de882dfebfdb46a4b2debbfb3e3b150ef0b0439a9eaa66146724fe0d2185f187c30487780b
- SSDEEP: 98304:NvwN8rg7l7aWyR4psl6w2OucWp6O+FbvHyWiAeyDTMybbpicWmJLtWk1sq9GLdvI:lwN8aa1aThULuXAxHMybRj9ylI
Malware Config
Signatures
- Detect Socks5Systemz Payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/3712-179-0x00000000007D0000-0x0000000000872000-memory.dmp | family_socks5systemz
  behavioral2/memory/3712-202-0x00000000007D0000-0x0000000000872000-memory.dmp | family_socks5systemz
  behavioral2/memory/3712-203-0x00000000007D0000-0x0000000000872000-memory.dmp | family_socks5systemz
  All three matches are the same 0xA2000-byte region in PID 3712 (syncplayer32_64.exe), dumped at three points during the run.
- Socks5Systemz
  Socks5Systemz is a botnet written in C++ that turns infected hosts into SOCKS5 proxy nodes.
- Socks5systemz family
- Executes dropped EXE (2 IoCs)
  pid | Process
  1484 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
  3712 | syncplayer32_64.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  1484 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
  1484 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
  1484 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
- Unexpected DNS network traffic destination (1 IoC)
  Network traffic to a server other than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 45.155.250.90
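The rule behind the "Unexpected DNS network traffic destination" signature is simple enough to reproduce on your own capture: any flow to port 53, UDP or TCP, whose destination is not one of the resolvers the host was given. The block below is an added example, not code from the sandbox or from this report. The resolver addresses and every flow except the one to 45.155.250.90 are constructed for the example; the input is a handful of Zeek-style conn.log records built inline.

```python
"""Flag port-53 traffic that does not go to a configured resolver.

Added example, not part of the sandbox report. Reimplements the logic behind
the "Unexpected DNS network traffic destination" signature over constructed
conn.log-style lines; CONFIGURED_DNS and all flows other than the
45.155.250.90 one are assumptions.
"""
from collections import Counter
from ipaddress import ip_address

# Resolvers the analysis VM is configured to use (assumed values).
CONFIGURED_DNS = frozenset({"8.8.8.8", "1.1.1.1"})

# Constructed records: ts, orig_h, orig_p, resp_h, resp_p, proto (tab-separated).
SAMPLE_CONN_LOG = """\
1730749935.102\t10.127.0.10\t49712\t8.8.8.8\t53\tudp
1730749936.240\t10.127.0.10\t49713\t1.1.1.1\t53\tudp
1730749937.311\t10.127.0.10\t49714\t8.8.8.8\t53\ttcp
1730749938.004\t10.127.0.10\t49715\t93.184.216.34\t443\ttcp
1730749940.517\t10.127.0.10\t49720\t45.155.250.90\t53\tudp
1730749942.880\t10.127.0.10\t49721\t45.155.250.90\t53\tudp
"""


def parse_conn_log(text):
    """Parse tab-separated records into (orig_h, resp_h, resp_p, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, orig_h, _orig_p, resp_h, resp_p, proto = line.split("\t")
        flows.append((orig_h, resp_h, int(resp_p), proto))
    return flows


def unexpected_dns_destinations(flows, configured_dns=CONFIGURED_DNS):
    """Count port-53 flows (UDP and TCP alike) per destination that is not a configured resolver."""
    hits = Counter()
    for _orig_h, resp_h, resp_p, _proto in flows:
        if resp_p != 53 or resp_h in configured_dns:
            continue
        ip_address(resp_h)  # fail loudly on a malformed address instead of skipping it
        hits[resp_h] += 1
    return hits


if __name__ == "__main__":
    for ip, n in unexpected_dns_destinations(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"unexpected DNS destination {ip}: {n} flow(s)")
```

Port 53 to a non-resolver is not proof of tunnelling by itself; a second resolver handed out by DHCP, or a VPN client, will trip the same rule. What makes the hit in this report worth following up is that it coincides with the process that carries the Socks5Systemz YARA match.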
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | syncplayer32_64.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1484 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
  1484 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  1484 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1076 wrote to memory of 1484 | 1076 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe | 84
  PID 1076 wrote to memory of 1484 | 1076 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe | 84
  PID 1076 wrote to memory of 1484 | 1076 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe | 84
  PID 1484 wrote to memory of 3712 | 1484 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp | 88
  PID 1484 wrote to memory of 3712 | 1484 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp | 88
  PID 1484 wrote to memory of 3712 | 1484 | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe (PID 1076)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\is-F5FSH.tmp\4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp (PID 1484)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-F5FSH.tmp\4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp" /SL5="$501E4,6321408,54272,C:\Users\Admin\AppData\Local\Temp\4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Local\SyncPlayer 4.2.2\syncplayer32_64.exe (PID 3712)
      Command line: "C:\Users\Admin\AppData\Local\SyncPlayer 4.2.2\syncplayer32_64.exe" -i
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
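The process tree above can be rebuilt from the raw signature rows alone, which is useful when you only have the flattened tables and want to see which process the YARA hit actually lands on. The `is-F5FSH.tmp\...tmp /SL5="$..."` step is the standard Inno Setup loader handing off to the extracted setup program, so the "Executes dropped EXE", "Loads dropped DLL", FindShellTrayWindow and NLS\Language lookups at that level are what every Inno Setup installer produces; the discriminating signal is the family_socks5systemz match in the memory of the third process. The block below is an added example, not code from the sandbox or from this report. Its input rows are copied from the signature tables above; the reading of the memory-dump file name as `<pid>-<dump index>-<start>-<end>` is an assumption about the naming scheme.

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows and attach
the memory-dump YARA hits to it.

Added example, not code from the sandbox or the report. Input rows are copied
from the report's signature tables; the dump-name layout
(<pid>-<dump index>-<start>-<end>-memory.dmp) is an assumption.
"""
import re
from collections import defaultdict

WPM_ROWS = """\
PID 1076 wrote to memory of 1484 1076 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe 84
PID 1076 wrote to memory of 1484 1076 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe 84
PID 1076 wrote to memory of 1484 1076 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe 84
PID 1484 wrote to memory of 3712 1484 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp 88
PID 1484 wrote to memory of 3712 1484 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp 88
PID 1484 wrote to memory of 3712 1484 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp 88
"""
DROPPED_EXE_ROW = "1484 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp 3712 syncplayer32_64.exe"
YARA_ROWS = """\
behavioral2/memory/3712-179-0x00000000007D0000-0x0000000000872000-memory.dmp family_socks5systemz
behavioral2/memory/3712-202-0x00000000007D0000-0x0000000000872000-memory.dmp family_socks5systemz
behavioral2/memory/3712-203-0x00000000007D0000-0x0000000000872000-memory.dmp family_socks5systemz
"""

# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)")


def parse_wpm(text):
    """Return {(parent_pid, child_pid): parent_image}; repeated rows collapse to one edge."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line)
        if m:
            parent, child, image = m.groups()
            edges[(int(parent), int(child))] = image
    return edges


def parse_pid_images(*rows):
    """Map pid -> image from flattened 'pid Process' rows such as 'Executes dropped EXE'."""
    images = {}
    for row in rows:
        for pid, image in re.findall(r"(\d+) (\S+)", row):
            images[int(pid)] = image
    return images


def parse_yara_hits(text):
    """Return {pid: [(family, start, end)]}; the same region dumped several times counts once."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if m:
            pid, start, end, family = m.groups()
            hits[int(pid)].add((family, int(start, 16), int(end, 16)))
    return {pid: sorted(regions) for pid, regions in hits.items()}


def build_tree(edges):
    """Return (root pids, {parent: [children]}) from parent->child edges."""
    children = defaultdict(list)
    for parent, child in sorted(edges):
        children[parent].append(child)
    child_pids = {child for _, child in edges}
    roots = sorted({parent for parent, _ in edges} - child_pids)
    return roots, dict(children)


def render_tree(edges, images, hits):
    """Indented tree lines; each pid carries its image and any YARA-flagged regions."""
    images = {**{parent: img for (parent, _), img in edges.items()}, **images}
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth):
        label = "  " * depth + f"{pid} {images.get(pid, '<unknown image>')}"
        for family, start, end in hits.get(pid, []):
            label += f"  [{family} @ 0x{start:X}-0x{end:X}, {end - start:#x} bytes]"
        lines.append(label)
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def triage():
    return render_tree(parse_wpm(WPM_ROWS), parse_pid_images(DROPPED_EXE_ROW), parse_yara_hits(YARA_ROWS))


if __name__ == "__main__":
    print("\n".join(triage()))
```

Each parent-child pair appears three times in the WriteProcessMemory table because process creation writes the child's memory more than once; collapsing the rows to one edge is what makes the tree readable. The three dump files for PID 3712 resolve to a single 0xA2000-byte region, which is the unpacked payload to pull for static analysis.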
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.9MB
  MD5: da5af185ba28b11e94d44e212440ea4c
  SHA1: 3c519b07976110acaf87f715b247b90161e079a9
  SHA256: 89e72decf6ea603698f705c0981621e7a6cb8765eac297c7ec71a0a0f79d4fb3
  SHA512: 4a65f7416b5c4379c64f603a7dc3324c6debf9a21c77b3292d7ae0739edf76f34abad16620f079b632077e26d09c8b3995f4891c1567f497f312863c89c4c6ec
- C:\Users\Admin\AppData\Local\Temp\is-F5FSH.tmp\4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
  Filesize: 692KB
  MD5: 14a38c79f4c58e9a8bd28ecac8a1287d
  SHA1: 2a6eb640e81fe3bba119e2f79ae8edb9a3936700
  SHA256: 6cc1284b2e78ad026c5b3ef680afded5152c17d4714e09c7d62b1b271b5e6fe0
  SHA512: b5d7a4a55fb3d4c98fada08cda9871b7cc755474563677fbcdf2516ee9418260a07dc5e0fd1c403d4e558c4f7f2ac4447807829aa951101b4406e55275818ac0
- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
- Filesize: 19KB
  MD5: 3adaa386b671c2df3bae5b39dc093008
  SHA1: 067cf95fbdb922d81db58432c46930f86d23dded
  SHA256: 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
  SHA512: bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303