socks5systemz | 4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 10:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.exe
Size

4.6MB
MD5

62a28c201a7ad12d641b4a9961e8beba
SHA1

f8bc5092acab2173e61be6d28744539836b48357
SHA256

4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4
SHA512

253b91c6c9d6fa1270571922fd68cc19d4f401f16793793306217f7d2f692c56a8b789617c66a7a0544c159d0fe736f27ca802bf2fda2232ab1c7f0a7dd146bb
SSDEEP

98304:NKWnyl82/KZKuvFUW0DlrgjDSrx0cuMDILy6UM6OF4dkW:1nyCEUGW0hkjeiokU3pb

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/728-99-0x0000000000840000-0x00000000008E2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
3304	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp
728	screenstudio32.exe

Loads dropped DLL 2 IoCs

pid	Process
3304	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp
728	screenstudio32.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	screenstudio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3304	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp
3304	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3304	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 3304	672	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.exe	83
PID 672 wrote to memory of 3304	672	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.exe	83
PID 672 wrote to memory of 3304	672	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.exe	83
PID 3304 wrote to memory of 4388	3304	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp	85
PID 3304 wrote to memory of 4388	3304	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp	85
PID 3304 wrote to memory of 4388	3304	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp	85
PID 3304 wrote to memory of 728	3304	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp	87
PID 3304 wrote to memory of 728	3304	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp	87
PID 3304 wrote to memory of 728	3304	4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp	87
PID 4388 wrote to memory of 1540	4388	net.exe	88
PID 4388 wrote to memory of 1540	4388	net.exe	88
PID 4388 wrote to memory of 1540	4388	net.exe	88

C:\Users\Admin\AppData\Local\Temp\4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.exe
"C:\Users\Admin\AppData\Local\Temp\4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:672
- C:\Users\Admin\AppData\Local\Temp\is-QTKPI.tmp\4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QTKPI.tmp\4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp" /SL5="$6029A,4561307,54272,C:\Users\Admin\AppData\Local\Temp\4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" pause screenstudio_11173
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 pause screenstudio_11173
      4⤵
      System Location Discovery: System Language Discovery
      PID:1540
- - C:\Users\Admin\AppData\Local\Screen Studio 1.40\screenstudio32.exe
    "C:\Users\Admin\AppData\Local\Screen Studio 1.40\screenstudio32.exe" -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:728

Network

DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

24.139.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.139.73.23.in-addr.arpa

IN PTR

Response

24.139.73.23.in-addr.arpa

IN PTR

a23-73-139-24deploystaticakamaitechnologiescom
DNS

101.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

101.210.23.2.in-addr.arpa

IN PTR

Response

101.210.23.2.in-addr.arpa

IN PTR

a2-23-210-101deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

bdixjkf.com

screenstudio32.exe

Remote address:

141.98.234.31:53

Request

bdixjkf.com

IN A

Response

bdixjkf.com

IN A

185.208.158.202
GET

http://bdixjkf.com/search/?q=67e28dd86f55f07e4007af1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa44e8889b5e4fa9281ae978f771ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692386687fd14c0e892

screenstudio32.exe

Remote address:

185.208.158.202:80

Request

GET /search/?q=67e28dd86f55f07e4007af1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa44e8889b5e4fa9281ae978f771ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692386687fd14c0e892 HTTP/1.1
Host: bdixjkf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Mon, 18 Nov 2024 10:19:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
DNS

31.234.98.141.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.234.98.141.in-addr.arpa

IN PTR

Response

31.234.98.141.in-addr.arpa

IN PTR

cx21ip-ptrtech
DNS

202.158.208.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.158.208.185.in-addr.arpa

IN PTR

Response

185.208.158.202:80

http://bdixjkf.com/search/?q=67e28dd86f55f07e4007af1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa44e8889b5e4fa9281ae978f771ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692386687fd14c0e892

http

screenstudio32.exe

498 B
352 B
4
3

HTTP Request

GET http://bdixjkf.com/search/?q=67e28dd86f55f07e4007af1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa44e8889b5e4fa9281ae978f771ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692386687fd14c0e892

HTTP Response

200

8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

24.139.73.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

24.139.73.23.in-addr.arpa
8.8.8.8:53

101.210.23.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

101.210.23.2.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
141.98.234.31:53

bdixjkf.com

dns

screenstudio32.exe

57 B
84 B
1
1

DNS Request

bdixjkf.com

DNS Response

185.208.158.202
8.8.8.8:53

31.234.98.141.in-addr.arpa

dns

72 B
102 B
1
1

DNS Request

31.234.98.141.in-addr.arpa
8.8.8.8:53

202.158.208.185.in-addr.arpa

dns

74 B
149 B
1
1

DNS Request

202.158.208.185.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Screen Studio 1.40\screenstudio32.exe

Filesize
2.9MB

MD5
ae21a8251df61b78b4d6a14b0fe21284

SHA1
b0913358263a5df94e69c67a82e79aba7e82bc49

SHA256
9d03e14723458f8ec57bbf42740537a0b581a422691d4126eb2ee8b49cb94cfe

SHA512
e1333a4c4e00037fc5f668ca5d0c7f91d1ab2a5ccace2fa18eed7e1f0ddba6cb67fa3eb9d44b389909a302ba9a83148a5394576130ae8072c3fc00d0e799a389

Download Submit
C:\Users\Admin\AppData\Local\Screen Studio 1.40\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L79G6.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QTKPI.tmp\4f78e5ecac34d579fdaa448fe12dc77bbe920b53ae062e0c0b5692f6b6d29ae4.tmp

Filesize
692KB

MD5
2d03006136ba024a6507f1eaf276defa

SHA1
6d84081b0d017ff7e7553c29d6eea4571e34dbfc

SHA256
9376ebac9518a377b13e45adce680e186a7230d53b57a76a4e57c758826705d0

SHA512
4897bcc72f4e8704ab6883a4249828410d50e807d94811c73b6642320e204a4c9d269c5401b1d4c840acf0ed09f0be9cc4b9eec379bc03db5a3f7f6cd8709c51

Download Submit
memory/672-74-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/672-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/672-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/728-77-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-93-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-72-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-135-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-68-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-76-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-78-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/728-131-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-81-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-85-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-89-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-69-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-97-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-99-0x0000000000840000-0x00000000008E2000-memory.dmp

Filesize
648KB

Download
memory/728-105-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-107-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-110-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-114-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-118-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-122-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/728-126-0x0000000000400000-0x00000000006E5000-memory.dmp

Filesize
2.9MB

Download
memory/3304-16-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3304-73-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.