socks5systemz | e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad

General

Target

e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe
Size

6.3MB
MD5

66c0f52778b2d76adcd5cd1fada612e9
SHA1

78baf14c084d7b17b9d3ff5ae6563f76b684d4ee
SHA256

e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad
SHA512

1a02b437b688767957f8050f8522af696d1eece266aba1eee1049da9368ad51cd93af6e81a7ac80df167655ce0c6761d8208875e2a66a1d7ea5fd3412c9e004e
SSDEEP

196608:Eelsnw7goEDIuGV0BXWB4aXDUIqRZWxAKrnD:plsn9JIuJW9UIwm9D

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3364-103-0x0000000000A50000-0x0000000000AF2000-memory.dmp	family_socks5systemz
behavioral2/memory/3364-127-0x0000000000A50000-0x0000000000AF2000-memory.dmp	family_socks5systemz
behavioral2/memory/3364-128-0x0000000000A50000-0x0000000000AF2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz
Executes dropped EXE 2 IoCs

Processes:

e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmpcutmovie32.exe

pid process

2848 e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
3364 cutmovie32.exe
Loads dropped DLL 1 IoCs

Processes:

e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp

pid process

2848 e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 141.98.234.31
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc
Destination IP	141.98.234.31

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exee28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmpcutmovie32.exenet.exenet1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cutmovie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp

pid	process
2848	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
2848	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp

pid process

2848 e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exee28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmpnet.exe

description	pid	process	target process
PID 2684 wrote to memory of 2848	2684	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
PID 2684 wrote to memory of 2848	2684	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
PID 2684 wrote to memory of 2848	2684	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
PID 2848 wrote to memory of 4952	2848	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	net.exe
PID 2848 wrote to memory of 4952	2848	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	net.exe
PID 2848 wrote to memory of 4952	2848	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	net.exe
PID 2848 wrote to memory of 3364	2848	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	cutmovie32.exe
PID 2848 wrote to memory of 3364	2848	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	cutmovie32.exe
PID 2848 wrote to memory of 3364	2848	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp	cutmovie32.exe
PID 4952 wrote to memory of 1700	4952	net.exe	net1.exe
PID 4952 wrote to memory of 1700	4952	net.exe	net1.exe
PID 4952 wrote to memory of 1700	4952	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe
"C:\Users\Admin\AppData\Local\Temp\e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\is-RGG34.tmp\e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RGG34.tmp\e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp" /SL5="$60244,6350050,56832,C:\Users\Admin\AppData\Local\Temp\e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" pause cut_movie_1173
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 pause cut_movie_1173
      4⤵
      System Location Discovery: System Language Discovery
      PID:1700
- - C:\Users\Admin\AppData\Local\Cut Movie 2020.3.33\cutmovie32.exe
    "C:\Users\Admin\AppData\Local\Cut Movie 2020.3.33\cutmovie32.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Cut Movie 2020.3.33\cutmovie32.exe

Filesize
3.6MB

MD5
64f0f58358a97d70707cc3681b21ac88

SHA1
e5df01fac2cd514a69fc448e5f356910a918db7c

SHA256
e76b5e2d949b4c3a161dd67c49272ca2e205e9a7e343e4955c64ce014998b554

SHA512
5acee37da6d16963b7b000c860c9cf28b1383bdff38cba567930ae757488a3e0d17b7d70ad3788dec2d155e7ecec5d08b84e6d8a3100b1b58788d392fdefb21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P5CII.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RGG34.tmp\e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp

Filesize
692KB

MD5
94968be4127b694889864365b3f35a23

SHA1
e562feb6b0e0c3bea01c2134c528fb3a543beb0e

SHA256
eb1435ddc6ce5bc6467f7b54670ea83bd639e514459fd15b5c70f483558e7f8f

SHA512
eb2f2ee876147f07169aa712eaef1b38806c12df1479da9f5ff6e5cac9ad74e45ea784728dbb3497f90913ae9990dfa2e299bfd2e9db7d239ea6712518b223e4

Download Submit
memory/2684-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2684-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2684-85-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2848-84-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2848-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3364-96-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-111-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-83-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-87-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-90-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-93-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-80-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-99-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-103-0x0000000000A50000-0x0000000000AF2000-memory.dmp

Filesize
648KB

Download
memory/3364-104-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-110-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-82-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-114-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-117-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-120-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-123-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-126-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-127-0x0000000000A50000-0x0000000000AF2000-memory.dmp

Filesize
648KB

Download
memory/3364-128-0x0000000000A50000-0x0000000000AF2000-memory.dmp

Filesize
648KB

Download
memory/3364-132-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/3364-135-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download

pid	process
2848	e28108e4363f6b81cd4ce0b2a9a6d654c8158d1a37a27421d277725092cdbcad.tmp
3364	cutmovie32.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads