socks5systemz | e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad

General

Target

e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe
Size

6.3MB
MD5

66c0f52778b2d76adcd5cd1fada612e9
SHA1

78baf14c084d7b17b9d3ff5ae6563f76b684d4ee
SHA256

e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad
SHA512

1a02b437b688767957f8050f8522af696d1eece266aba1eee1049da9368ad51cd93af6e81a7ac80df167655ce0c6761d8208875e2a66a1d7ea5fd3412c9e004e
SSDEEP

196608:Eelsnw7goEDIuGV0BXWB4aXDUIqRZWxAKrnD:plsn9JIuJW9UIwm9D

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral1/memory/640-109-0x0000000002BA0000-0x0000000002C42000-memory.dmp	family_socks5systemz
behavioral1/memory/640-133-0x0000000002BA0000-0x0000000002C42000-memory.dmp	family_socks5systemz
behavioral1/memory/640-132-0x0000000002BA0000-0x0000000002C42000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
640	cutmovie32.exe

Loads dropped DLL 5 IoCs

pid	Process
2892	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe
2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cutmovie32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2300	2892	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe	30
PID 2892 wrote to memory of 2300	2892	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe	30
PID 2892 wrote to memory of 2300	2892	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe	30
PID 2892 wrote to memory of 2300	2892	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe	30
PID 2892 wrote to memory of 2300	2892	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe	30
PID 2892 wrote to memory of 2300	2892	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe	30
PID 2892 wrote to memory of 2300	2892	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe	30
PID 2300 wrote to memory of 1988	2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	31
PID 2300 wrote to memory of 1988	2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	31
PID 2300 wrote to memory of 1988	2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	31
PID 2300 wrote to memory of 1988	2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	31
PID 2300 wrote to memory of 640	2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	33
PID 2300 wrote to memory of 640	2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	33
PID 2300 wrote to memory of 640	2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	33
PID 2300 wrote to memory of 640	2300	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	33
PID 1988 wrote to memory of 2200	1988	net.exe	34
PID 1988 wrote to memory of 2200	1988	net.exe	34
PID 1988 wrote to memory of 2200	1988	net.exe	34
PID 1988 wrote to memory of 2200	1988	net.exe	34

C:\Users\Admin\AppData\Local\Temp\e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe
"C:\Users\Admin\AppData\Local\Temp\e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\is-9246A.tmp\e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9246A.tmp\e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp" /SL5="$400D6,6350050,56832,C:\Users\Admin\AppData\Local\Temp\e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" pause cut_movie_1173
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 pause cut_movie_1173
      4⤵
      System Location Discovery: System Language Discovery
      PID:2200
- - C:\Users\Admin\AppData\Local\Cut Movie 2020.3.33\cutmovie32.exe
    "C:\Users\Admin\AppData\Local\Cut Movie 2020.3.33\cutmovie32.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Cut Movie 2020.3.33\cutmovie32.exe

Filesize
3.6MB

MD5
64f0f58358a97d70707cc3681b21ac88

SHA1
e5df01fac2cd514a69fc448e5f356910a918db7c

SHA256
e76b5e2d949b4c3a161dd67c49272ca2e205e9a7e343e4955c64ce014998b554

SHA512
5acee37da6d16963b7b000c860c9cf28b1383bdff38cba567930ae757488a3e0d17b7d70ad3788dec2d155e7ecec5d08b84e6d8a3100b1b58788d392fdefb21e

Download Submit
\Users\Admin\AppData\Local\Temp\is-9246A.tmp\e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp

Filesize
692KB

MD5
94968be4127b694889864365b3f35a23

SHA1
e562feb6b0e0c3bea01c2134c528fb3a543beb0e

SHA256
eb1435ddc6ce5bc6467f7b54670ea83bd639e514459fd15b5c70f483558e7f8f

SHA512
eb2f2ee876147f07169aa712eaef1b38806c12df1479da9f5ff6e5cac9ad74e45ea784728dbb3497f90913ae9990dfa2e299bfd2e9db7d239ea6712518b223e4

Download Submit
\Users\Admin\AppData\Local\Temp\is-PPHIH.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-PPHIH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/640-133-0x0000000002BA0000-0x0000000002C42000-memory.dmp

Filesize
648KB

Download
memory/640-96-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-140-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-132-0x0000000002BA0000-0x0000000002C42000-memory.dmp

Filesize
648KB

Download
memory/640-86-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-87-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-125-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-131-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-93-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-137-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-99-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-102-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-105-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-108-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-109-0x0000000002BA0000-0x0000000002C42000-memory.dmp

Filesize
648KB

Download
memory/640-115-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-118-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-128-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/640-122-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/2300-84-0x00000000034D0000-0x0000000003877000-memory.dmp

Filesize
3.7MB

Download
memory/2300-119-0x00000000034D0000-0x0000000003877000-memory.dmp

Filesize
3.7MB

Download
memory/2300-90-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2300-14-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2892-91-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2892-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2892-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing