Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f08f680f17...45.exe

windows7-x64

10

f08f680f17...45.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/12/2024, 04:09 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f08f680f17aaf9505a8d53648545ce684af9b39a90a8dc9d2e872693e1d59b45.exe

  • Size

    6.9MB

  • MD5

    1015b0b5cfddfbc4baea6910d9c56c3c

  • SHA1

    9fe1cae9d38a53a1217556c60ffd3c02d8235d66

  • SHA256

    f08f680f17aaf9505a8d53648545ce684af9b39a90a8dc9d2e872693e1d59b45

  • SHA512

    536455cbd7a0240bb4608901c168826dadc4609132f07041bf6b4ac295b158f7cdf1be22790ee5776f80bbbc2bf4b4a13431375a7312b8f7afc05a13e22f2ecf

  • SSDEEP

    196608:gK2+nNevvWstwr2m5BmycyEbSfasepd5e4x6+AjZ6mjxzj:gDY6tiP3myRfzepXe4ny8gxzj

Score
10/10
socks5systemzbotnetdiscovery

Malware Config

Signatures

  • Detect Socks5Systemz Payload 1 IoCs
  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

    botnetsocks5systemz
  • Socks5systemz family
    socks5systemz
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 63 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f08f680f17aaf9505a8d53648545ce684af9b39a90a8dc9d2e872693e1d59b45.exe
    "C:\Users\Admin\AppData\Local\Temp\f08f680f17aaf9505a8d53648545ce684af9b39a90a8dc9d2e872693e1d59b45.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Users\Admin\AppData\Local\Temp\is-B960Q.tmp\f08f680f17aaf9505a8d53648545ce684af9b39a90a8dc9d2e872693e1d59b45.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-B960Q.tmp\f08f680f17aaf9505a8d53648545ce684af9b39a90a8dc9d2e872693e1d59b45.tmp" /SL5="$50250,6991381,54272,C:\Users\Admin\AppData\Local\Temp\f08f680f17aaf9505a8d53648545ce684af9b39a90a8dc9d2e872693e1d59b45.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Query
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1144
      • C:\Program Files (x86)\CRTGame\crtgame.exe
        "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2336
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\system32\net.exe" helpmsg 10
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 helpmsg 10
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2700
      • C:\Program Files (x86)\CRTGame\crtgame.exe
        "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1388

Network

  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    22.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    DNS
    ceddtor.net
    crtgame.exe
    Remote address:
    194.49.94.194:53
    Request
    ceddtor.net
    IN A
  • flag-nl
    DNS
    ceddtor.net
    crtgame.exe
    Remote address:
    194.49.94.194:53
    Request
    ceddtor.net
    IN A
  • flag-nl
    DNS
    ceddtor.net
    crtgame.exe
    Remote address:
    194.49.94.194:53
    Request
    ceddtor.net
    IN A
  • flag-nl
    DNS
    ceddtor.net
    crtgame.exe
    Remote address:
    194.49.94.194:53
    Request
    ceddtor.net
    IN A
  • flag-nl
    DNS
    ceddtor.net
    crtgame.exe
    Remote address:
    194.49.94.194:53
    Request
    ceddtor.net
    IN A
  • flag-us
    DNS
    194.94.49.194.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.94.49.194.in-addr.arpa
    IN PTR
    Response
  • flag-ru
    DNS
    ceddtor.net
    crtgame.exe
    Remote address:
    152.89.198.214:53
    Request
    ceddtor.net
    IN A
    Response
    ceddtor.net
    IN A
    94.232.249.187
  • flag-us
    DNS
    214.198.89.152.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    214.198.89.152.in-addr.arpa
    IN PTR
    Response
  • 94.232.249.187:80
    ceddtor.net
    crtgame.exe
    208 B
     4
  • 94.232.249.187:80
    ceddtor.net
    crtgame.exe
    104 B
     2
  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    142 B
     157 B
     2
    1

    DNS Request

    56.163.245.4.in-addr.arpa

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    140 B
     156 B
     2
    1

    DNS Request

    50.23.12.20.in-addr.arpa

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    22.49.80.91.in-addr.arpa
    dns
    70 B
     145 B
     1
    1

    DNS Request

    22.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 194.49.94.194:53
    ceddtor.net
    dns
    crtgame.exe
    285 B
     5

    DNS Request

    ceddtor.net

    DNS Request

    ceddtor.net

    DNS Request

    ceddtor.net

    DNS Request

    ceddtor.net

    DNS Request

    ceddtor.net

  • 8.8.8.8:53
    194.94.49.194.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    194.94.49.194.in-addr.arpa

  • 152.89.198.214:53
    ceddtor.net
    dns
    crtgame.exe
    57 B
     84 B
     1
    1

    DNS Request

    ceddtor.net

    DNS Response

    94.232.249.187

  • 8.8.8.8:53
    214.198.89.152.in-addr.arpa
    dns
    73 B
     127 B
     1
    1

    DNS Request

    214.198.89.152.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\CRTGame\crtgame.exe
    Filesize

    2.1MB

    MD5

    bb0124f16d88c4ec1fcfd9e524a5b921

    SHA1

    5017dc7277dbc5bb0b6f8428e4ff72603e3a370b

    SHA256

    59495c6e79c301f767f3d336050fb9927826f0ae972d634d395f5b44d7280a09

    SHA512

    4be3e838fb41cd4d01a12b639cdcb93df94deec0debd2593c53bbfe977daf5bcb9e3f97f6c47d33e76aea12ae2f9224f27652dfb5b5a69f53d201184766fff91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-B960Q.tmp\f08f680f17aaf9505a8d53648545ce684af9b39a90a8dc9d2e872693e1d59b45.tmp
    Filesize

    687KB

    MD5

    f448d7f4b76e5c9c3a4eaff16a8b9b73

    SHA1

    31808f1ffa84c954376975b7cdb0007e6b762488

    SHA256

    7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

    SHA512

    f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-MCIJK.tmp\_isetup\_iscrypt.dll
    Filesize

    2KB

    MD5

    a69559718ab506675e907fe49deb71e9

    SHA1

    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

    SHA256

    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

    SHA512

    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-MCIJK.tmp\_isetup\_isdecmp.dll
    Filesize

    19KB

    MD5

    3adaa386b671c2df3bae5b39dc093008

    SHA1

    067cf95fbdb922d81db58432c46930f86d23dded

    SHA256

    71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

    SHA512

    bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

    Download Submit

  • memory/832-161-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/832-0-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/832-2-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1388-182-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-188-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-206-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-203-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-159-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-200-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-197-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-163-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-164-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-167-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-170-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-173-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-176-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-179-0x0000000000950000-0x00000000009F2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1388-194-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-185-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1388-191-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2336-152-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2336-151-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2336-156-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2336-153-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4668-13-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/4668-160-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.