socks5systemz | 4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d

General

Target

4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe
Size

6.3MB
MD5

278a9ce09e045ecbc97f3572092a23f9
SHA1

a5da8fbc2d8b9fca1ac3088df1050575c77039c3
SHA256

4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d
SHA512

19cd90ba0bec655ee889ffdc4301730c4dc0b371b83a960e676bc2de882dfebfdb46a4b2debbfb3e3b150ef0b0439a9eaa66146724fe0d2185f187c30487780b
SSDEEP

98304:NvwN8rg7l7aWyR4psl6w2OucWp6O+FbvHyWiAeyDTMybbpicWmJLtWk1sq9GLdvI:lwN8aa1aThULuXAxHMybRj9ylI

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/3712-179-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz
behavioral2/memory/3712-202-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz
behavioral2/memory/3712-203-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
1484	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
3712	syncplayer32_64.exe

Loads dropped DLL 3 IoCs

pid	Process
1484	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
1484	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
1484	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syncplayer32_64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1484	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
1484	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1484	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1484	1076	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe	84
PID 1076 wrote to memory of 1484	1076	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe	84
PID 1076 wrote to memory of 1484	1076	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe	84
PID 1484 wrote to memory of 3712	1484	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp	88
PID 1484 wrote to memory of 3712	1484	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp	88
PID 1484 wrote to memory of 3712	1484	4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp	88

C:\Users\Admin\AppData\Local\Temp\4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe
"C:\Users\Admin\AppData\Local\Temp\4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\is-F5FSH.tmp\4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-F5FSH.tmp\4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp" /SL5="$501E4,6321408,54272,C:\Users\Admin\AppData\Local\Temp\4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Local\SyncPlayer 4.2.2\syncplayer32_64.exe
    "C:\Users\Admin\AppData\Local\SyncPlayer 4.2.2\syncplayer32_64.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SyncPlayer 4.2.2\syncplayer32_64.exe

Filesize
2.9MB

MD5
da5af185ba28b11e94d44e212440ea4c

SHA1
3c519b07976110acaf87f715b247b90161e079a9

SHA256
89e72decf6ea603698f705c0981621e7a6cb8765eac297c7ec71a0a0f79d4fb3

SHA512
4a65f7416b5c4379c64f603a7dc3324c6debf9a21c77b3292d7ae0739edf76f34abad16620f079b632077e26d09c8b3995f4891c1567f497f312863c89c4c6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F5FSH.tmp\4c95cd6467c50ee79f22aade768a7f48edb43a941e443775413384aa87c9a35d.tmp

Filesize
692KB

MD5
14a38c79f4c58e9a8bd28ecac8a1287d

SHA1
2a6eb640e81fe3bba119e2f79ae8edb9a3936700

SHA256
6cc1284b2e78ad026c5b3ef680afded5152c17d4714e09c7d62b1b271b5e6fe0

SHA512
b5d7a4a55fb3d4c98fada08cda9871b7cc755474563677fbcdf2516ee9418260a07dc5e0fd1c403d4e558c4f7f2ac4447807829aa951101b4406e55275818ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PH8N6.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PH8N6.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
memory/1076-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1076-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1076-160-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1484-159-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1484-10-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3712-166-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-185-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-155-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-162-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-163-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-154-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-169-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-172-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-175-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-178-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-179-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/3712-156-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-188-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-189-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-192-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-195-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-198-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-201-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-202-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/3712-203-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/3712-207-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3712-210-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing