socks5systemz | 5dea8691394058b4c4e88ac3fc070dd30c5ea528ad07d9fe8d1e6dde566adac7

General

Target

c776a9efdaba18f15a5f554ae52c0385.exe
Size

6.1MB
MD5

c776a9efdaba18f15a5f554ae52c0385
SHA1

32e0de85a222239a0c5a4f8ef283739902c738bb
SHA256

5dea8691394058b4c4e88ac3fc070dd30c5ea528ad07d9fe8d1e6dde566adac7
SHA512

f5f815cba389917229a624d43cdf21ce4ca7f1c7c816de25034744ad94dd930418f45b39bd90f4d0bc79a021946fd1f119d6217a768b844ec27744f49da655ec
SSDEEP

196608:yakrzX8aK5bABGehKapJ0kEz/HVl82386d:4rzd8EJ37Q38W

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1724-144-0x00000000029E0000-0x0000000002A82000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
2884	c776a9efdaba18f15a5f554ae52c0385.tmp
1724	syncplayer32_64.exe

Loads dropped DLL 6 IoCs

pid	Process
2828	c776a9efdaba18f15a5f554ae52c0385.exe
2884	c776a9efdaba18f15a5f554ae52c0385.tmp
2884	c776a9efdaba18f15a5f554ae52c0385.tmp
2884	c776a9efdaba18f15a5f554ae52c0385.tmp
2884	c776a9efdaba18f15a5f554ae52c0385.tmp
2884	c776a9efdaba18f15a5f554ae52c0385.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c776a9efdaba18f15a5f554ae52c0385.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c776a9efdaba18f15a5f554ae52c0385.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syncplayer32_64.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2884	2828	c776a9efdaba18f15a5f554ae52c0385.exe	30
PID 2828 wrote to memory of 2884	2828	c776a9efdaba18f15a5f554ae52c0385.exe	30
PID 2828 wrote to memory of 2884	2828	c776a9efdaba18f15a5f554ae52c0385.exe	30
PID 2828 wrote to memory of 2884	2828	c776a9efdaba18f15a5f554ae52c0385.exe	30
PID 2828 wrote to memory of 2884	2828	c776a9efdaba18f15a5f554ae52c0385.exe	30
PID 2828 wrote to memory of 2884	2828	c776a9efdaba18f15a5f554ae52c0385.exe	30
PID 2828 wrote to memory of 2884	2828	c776a9efdaba18f15a5f554ae52c0385.exe	30
PID 2884 wrote to memory of 1724	2884	c776a9efdaba18f15a5f554ae52c0385.tmp	31
PID 2884 wrote to memory of 1724	2884	c776a9efdaba18f15a5f554ae52c0385.tmp	31
PID 2884 wrote to memory of 1724	2884	c776a9efdaba18f15a5f554ae52c0385.tmp	31
PID 2884 wrote to memory of 1724	2884	c776a9efdaba18f15a5f554ae52c0385.tmp	31

C:\Users\Admin\AppData\Local\Temp\c776a9efdaba18f15a5f554ae52c0385.exe
"C:\Users\Admin\AppData\Local\Temp\c776a9efdaba18f15a5f554ae52c0385.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\is-9LQD6.tmp\c776a9efdaba18f15a5f554ae52c0385.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9LQD6.tmp\c776a9efdaba18f15a5f554ae52c0385.tmp" /SL5="$400F4,6149981,54272,C:\Users\Admin\AppData\Local\Temp\c776a9efdaba18f15a5f554ae52c0385.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\SyncPlayer 1.2.8\syncplayer32_64.exe
    "C:\Users\Admin\AppData\Local\SyncPlayer 1.2.8\syncplayer32_64.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1724

Network

DNS

dduyjyx.info

syncplayer32_64.exe

Remote address:

45.155.250.90:53

Request

dduyjyx.info

IN A

Response

dduyjyx.info

IN A

185.208.158.202
GET

http://dduyjyx.info/search/?q=67e28dd86c5ea07d445fab4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f271ea771795af8e05c446db22f31df92d8b38e316a667d307eca743ec4c2b07b5296692386789f918c2ea93

syncplayer32_64.exe

Remote address:

185.208.158.202:80

Request

GET /search/?q=67e28dd86c5ea07d445fab4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f271ea771795af8e05c446db22f31df92d8b38e316a667d307eca743ec4c2b07b5296692386789f918c2ea93 HTTP/1.1
Host: dduyjyx.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Tue, 05 Nov 2024 01:15:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33

185.208.158.202:80

http://dduyjyx.info/search/?q=67e28dd86c5ea07d445fab4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f271ea771795af8e05c446db22f31df92d8b38e316a667d307eca743ec4c2b07b5296692386789f918c2ea93

http

syncplayer32_64.exe

551 B
612 B
5
4

HTTP Request

GET http://dduyjyx.info/search/?q=67e28dd86c5ea07d445fab4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f271ea771795af8e05c446db22f31df92d8b38e316a667d307eca743ec4c2b07b5296692386789f918c2ea93

HTTP Response

200

45.155.250.90:53

dduyjyx.info

dns

syncplayer32_64.exe

58 B
86 B
1
1

DNS Request

dduyjyx.info

DNS Response

185.208.158.202

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\SyncPlayer 1.2.8\syncplayer32_64.exe

Filesize
2.4MB

MD5
5fbd9e9b8796e7b4a40fd070f0f43f8e

SHA1
a8f7c0ed0a95d0de6760c6f98805b31ced75ae79

SHA256
028a437887e0a5a12493c3ec0a5d23c6ed182cd0e88e40f0e8180904ed6a41c1

SHA512
02a40d5dc8044b8875f8846204d4f0c76c1bee7e81422e0cb209bda05c46f88e61b802520f445fabff5dd17b9dfbd0de82b9ee8312f5863af3c902bf9f7c1754

Download Submit
\Users\Admin\AppData\Local\Temp\is-56643.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-56643.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
\Users\Admin\AppData\Local\Temp\is-56643.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-9LQD6.tmp\c776a9efdaba18f15a5f554ae52c0385.tmp

Filesize
683KB

MD5
0d05e478ec0e67b3670c32f7fcd99ac2

SHA1
bbef8ae7b0e306e6172e2a0d9d6bacebf7f71886

SHA256
abf4a9fad2c3c735450cd35f7ae7255a52c0da48432c41682598536a9a708360

SHA512
677790b8807661e5ed9386bfd12a892dd9fef732d3228902a0718d0d64cba25c9c23b7ff67827373a77307dc1b41695ecb9ea64b71ae622f69bed8bb84ff3af7

Download Submit
memory/1724-131-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-137-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-173-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-121-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-170-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-166-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-123-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-163-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-128-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-160-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-134-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-157-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-140-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-143-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-144-0x00000000029E0000-0x0000000002A82000-memory.dmp

Filesize
648KB

Download
memory/1724-150-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1724-154-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/2828-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2828-126-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2828-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2884-153-0x0000000004710000-0x000000000498C000-memory.dmp

Filesize
2.5MB

Download
memory/2884-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2884-122-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2884-120-0x0000000004710000-0x000000000498C000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.