socks5systemz | fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381

General

Target

fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.exe
Size

4.6MB
MD5

e9cd92888955ec6ca951d1ecd9547247
SHA1

4f7e56c3bcadbe17bd81b8fbd47a0dbe53d03308
SHA256

fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381
SHA512

4d04c1b527021a63503f46585e5358c39a9f8e81453c2586b6399712e5c09d01c93a7dc42f65cb669587d4730c30b4bc247cc760101f03aae6bc35c5d229773b
SSDEEP

98304:48mgP/v+pYZF1O+oBWKLt0PG3ehUEtuf5UMv3+GcFKojWvix:28CEjOCpzgf563Zv

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5088-91-0x00000000009F0000-0x0000000000A92000-memory.dmp	family_socks5systemz
behavioral2/memory/5088-115-0x00000000009F0000-0x0000000000A92000-memory.dmp	family_socks5systemz
behavioral2/memory/5088-116-0x00000000009F0000-0x0000000000A92000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz
Executes dropped EXE 2 IoCs

Processes:

fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmpeditresync32_64.exe

pid process

1156 fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp
5088 editresync32_64.exe
Loads dropped DLL 1 IoCs

Processes:

fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp

pid process

1156 fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 91.211.247.248
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc
Destination IP	91.211.247.248

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

net.exenet1.exefb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.exefb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmpeditresync32_64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	editresync32_64.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp

pid	process
1156	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp
1156	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp

pid process

1156 fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.exefb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmpnet.exe

description	pid	process	target process
PID 1300 wrote to memory of 1156	1300	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.exe	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp
PID 1300 wrote to memory of 1156	1300	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.exe	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp
PID 1300 wrote to memory of 1156	1300	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.exe	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp
PID 1156 wrote to memory of 4720	1156	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp	net.exe
PID 1156 wrote to memory of 4720	1156	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp	net.exe
PID 1156 wrote to memory of 4720	1156	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp	net.exe
PID 1156 wrote to memory of 5088	1156	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp	editresync32_64.exe
PID 1156 wrote to memory of 5088	1156	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp	editresync32_64.exe
PID 1156 wrote to memory of 5088	1156	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp	editresync32_64.exe
PID 4720 wrote to memory of 3008	4720	net.exe	net1.exe
PID 4720 wrote to memory of 3008	4720	net.exe	net1.exe
PID 4720 wrote to memory of 3008	4720	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.exe
"C:\Users\Admin\AppData\Local\Temp\fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\is-T0F63.tmp\fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-T0F63.tmp\fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp" /SL5="$6021C,4592439,56832,C:\Users\Admin\AppData\Local\Temp\fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" pause edit_resync_11123
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 pause edit_resync_11123
      4⤵
      System Location Discovery: System Language Discovery
      PID:3008
- - C:\Users\Admin\AppData\Local\Edit Resync 0.32\editresync32_64.exe
    "C:\Users\Admin\AppData\Local\Edit Resync 0.32\editresync32_64.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Edit Resync 0.32\editresync32_64.exe

Filesize
3.5MB

MD5
3e5e08e97ff424fe7785b9bc354d7ed2

SHA1
20be0d4da50bed834bd4dac2e7a6fc351dae00cf

SHA256
75792d63606f15b6b79bd27d0d21d91385added17914eb0297cc26d3b0a1a4b2

SHA512
97a8ae77fd0896201c38703686616b064a40e482606383aa8ae9492efdad3ca04a8c397c130481407870c7b55b98e45ab05ebaaa21808764a5c8242a4ee2de91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9NBHA.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T0F63.tmp\fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp

Filesize
692KB

MD5
d57e747bad25a0fec0e55eac48edbb31

SHA1
856a43e3f009ef36d5999dfbc70ff169d703fc3a

SHA256
386ff218c575b721cd3d44d7b1781a5d6766b438e1317baeb18d34c3f6e99866

SHA512
aa5c2a372057ccdcc940ca3c61b4d0d45e684f447435acef477d02aa575956a9e298789921972bc596745a30dff407a20d2752c8104d6d86ee92bbde4d1e8081

Download Submit
memory/1156-72-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1156-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1300-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1300-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1300-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5088-84-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-99-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-69-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-75-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-78-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-81-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-71-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-87-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-91-0x00000000009F0000-0x0000000000A92000-memory.dmp

Filesize
648KB

Download
memory/5088-92-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-98-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-68-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-102-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-105-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-108-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-111-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-114-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-115-0x00000000009F0000-0x0000000000A92000-memory.dmp

Filesize
648KB

Download
memory/5088-116-0x00000000009F0000-0x0000000000A92000-memory.dmp

Filesize
648KB

Download
memory/5088-120-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/5088-123-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download

pid	process
1156	fb73a481b553f79d9fb826a5d973bc84e3905e8cb7da0d34aea8f6c55ac8d381.tmp
5088	editresync32_64.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads