Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    15/11/2024, 12:00 UTC

General

  • Target

    file.exe

  • Size

    5.9MB

  • MD5

    cbb34d95217826f4ad877e7e7a46b69c

  • SHA1

    d903374f9236b135cf42c4a573b5cd33df9074bd

  • SHA256

    707b321c42fbaa91cf41a9b41c85f3b56c7326cb32f40fc495f17df83b21cbed

  • SHA512

    eec4382387a1c2223da3350a28ec250cfa6dd2edb7eda6c516ee32fc784638f23005e992af337e9d87878fe2049b0a41df7f1c65c9d717d6a8771d7833be3f60

  • SSDEEP

    98304:PX4wRX+gNnYLzYhrMfgiBB3owncvnuOK+VWUhFh6J3GB4VVPYhpYEFyazx1G0:vnRX+gNnYvgHycaYwTVVPQyaB

Signatures

  • Detect Socks5Systemz Payload 3 IoCs
  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

  • Socks5systemz family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Users\Admin\AppData\Local\Temp\is-QFJJ4.tmp\file.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-QFJJ4.tmp\file.tmp" /SL5="$701BC,5532893,721408,C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\system32\net.exe" pause shine-encoder_11152
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4640
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 pause shine-encoder_11152
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3616
      • C:\Users\Admin\AppData\Local\Shine Encoder 1.4.3\shineencoder32.exe
        "C:\Users\Admin\AppData\Local\Shine Encoder 1.4.3\shineencoder32.exe" -i
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3528

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    136.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-se
    DNS
    bexlukg.com
    shineencoder32.exe
    Remote address:
    45.155.250.90:53
    Request
    bexlukg.com
    IN A
    Response
    bexlukg.com
    IN A
    185.208.158.202
  • flag-us
    DNS
    90.250.155.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.250.155.45.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://bexlukg.com/search/?q=67e28dd83a0ff32f1307af1e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f071ea771795af8e05c444db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692386688f813c0e99c
    shineencoder32.exe
    Remote address:
    185.208.158.202:80
    Request
    GET /search/?q=67e28dd83a0ff32f1307af1e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f071ea771795af8e05c444db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692386688f813c0e99c HTTP/1.1
    Host: bexlukg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 15 Nov 2024 12:02:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
  • flag-us
    GET
    http://bexlukg.com/search/?q=67e28dd83a0ff32f1307af1e7c27d78406abdd88be4b12eab517aa5c96bd86ef94834b825a8bbc896c58e713bc90c91c36b5281fc235a925ed3e53d6bd974a95129070b417e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff812c1e992983bcb66
    shineencoder32.exe
    Remote address:
    185.208.158.202:80
    Request
    GET /search/?q=67e28dd83a0ff32f1307af1e7c27d78406abdd88be4b12eab517aa5c96bd86ef94834b825a8bbc896c58e713bc90c91c36b5281fc235a925ed3e53d6bd974a95129070b417e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff812c1e992983bcb66 HTTP/1.1
    Host: bexlukg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 15 Nov 2024 12:02:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
  • flag-us
    DNS
    183.201.105.89.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.201.105.89.in-addr.arpa
    IN PTR
    Response
    183.201.105.89.in-addr.arpa
    IN PTR
    vm74456vps client-serversite
  • flag-us
    DNS
    202.158.208.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    202.158.208.185.in-addr.arpa
    IN PTR
    Response
  • 185.208.158.202:80
    bexlukg.com
    shineencoder32.exe
    208 B
    4
  • 185.208.158.202:80
    http://bexlukg.com/search/?q=67e28dd83a0ff32f1307af1e7c27d78406abdd88be4b12eab517aa5c96bd86ef94834b825a8bbc896c58e713bc90c91c36b5281fc235a925ed3e53d6bd974a95129070b417e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff812c1e992983bcb66
    http
    shineencoder32.exe
    906 B
    1.4kB
    6
    5

    HTTP Request

    GET http://bexlukg.com/search/?q=67e28dd83a0ff32f1307af1e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f071ea771795af8e05c444db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692386688f813c0e99c

    HTTP Response

    200

    HTTP Request

    GET http://bexlukg.com/search/?q=67e28dd83a0ff32f1307af1e7c27d78406abdd88be4b12eab517aa5c96bd86ef94834b825a8bbc896c58e713bc90c91c36b5281fc235a925ed3e53d6bd974a95129070b417e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff812c1e992983bcb66

    HTTP Response

    200
  • 89.105.201.183:2023
    shineencoder32.exe
    507 B
    174 B
    5
    4
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    136.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    136.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 45.155.250.90:53
    bexlukg.com
    dns
    shineencoder32.exe
    57 B
    84 B
    1
    1

    DNS Request

    bexlukg.com

    DNS Response

    185.208.158.202

  • 8.8.8.8:53
    90.250.155.45.in-addr.arpa
    dns
    72 B
    135 B
    1
    1

    DNS Request

    90.250.155.45.in-addr.arpa

  • 8.8.8.8:53
    183.201.105.89.in-addr.arpa
    dns
    73 B
    117 B
    1
    1

    DNS Request

    183.201.105.89.in-addr.arpa

  • 8.8.8.8:53
    202.158.208.185.in-addr.arpa
    dns
    74 B
    149 B
    1
    1

    DNS Request

    202.158.208.185.in-addr.arpa

Downloads

  • C:\Users\Admin\AppData\Local\Shine Encoder 1.4.3\shineencoder32.exe

    Filesize

    3.6MB

    MD5

    f978d5eba9977af32374dcb616cb63fe

    SHA1

    d45c19f173d68fb11dd1c358b42b135e634ebe4e

    SHA256

    2921409fa28850e3c1874ae52a25b00f93961c278cf131f11f67cee89061f7c8

    SHA512

    0075c468db47b8f92b9d329089a61fd554c5f7fc374be34fcff8f925dba334ba41bab09303e16d32607597af5e2636203db312c412fc68b3bee60a799620fe9f

  • C:\Users\Admin\AppData\Local\Shine Encoder 1.4.3\sqlite3.dll

    Filesize

    630KB

    MD5

    e477a96c8f2b18d6b5c27bde49c990bf

    SHA1

    e980c9bf41330d1e5bd04556db4646a0210f7409

    SHA256

    16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

    SHA512

    335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

  • C:\Users\Admin\AppData\Local\Temp\is-9D259.tmp\_isetup\_iscrypt.dll

    Filesize

    2KB

    MD5

    a69559718ab506675e907fe49deb71e9

    SHA1

    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

    SHA256

    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

    SHA512

    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

  • C:\Users\Admin\AppData\Local\Temp\is-QFJJ4.tmp\file.tmp

    Filesize

    2.4MB

    MD5

    d39963c7160d31f9ef536becf3004498

    SHA1

    9485f170d679b63b6eaef023c2459d50e665dcd6

    SHA256

    70cdfb9222cfe63dc84ccb91fc76ed489e3a8ab62876dd0eaf57659d6d9d0adc

    SHA512

    b5b5cd3623af8be77979d51b6f7a19504f565435a256c2b5b908faca335ed1a330131c5b8bf845b290fb980c778434aa7addbcba3043c4421f7c9343344fdad5

  • memory/3528-80-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-106-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-133-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-63-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-64-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-67-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-128-0x00000000009A0000-0x0000000000A42000-memory.dmp

    Filesize

    648KB

  • memory/3528-129-0x00000000009A0000-0x0000000000A42000-memory.dmp

    Filesize

    648KB

  • memory/3528-71-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-73-0x0000000060900000-0x0000000060992000-memory.dmp

    Filesize

    584KB

  • memory/3528-72-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-76-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-126-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-84-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-88-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-93-0x00000000009A0000-0x0000000000A42000-memory.dmp

    Filesize

    648KB

  • memory/3528-95-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-101-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-103-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-122-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-110-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-114-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3528-118-0x0000000000400000-0x000000000079F000-memory.dmp

    Filesize

    3.6MB

  • memory/3964-6-0x0000000000400000-0x0000000000679000-memory.dmp

    Filesize

    2.5MB

  • memory/3964-68-0x0000000000400000-0x0000000000679000-memory.dmp

    Filesize

    2.5MB

  • memory/4280-0-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

  • memory/4280-69-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

  • memory/4280-2-0x0000000000401000-0x00000000004A9000-memory.dmp

    Filesize

    672KB
