socks5systemz | 0d7db567df0c03f033db70107c7699d21fdc046d3b502160e45b6c26a7a5291d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2025, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.exe
Size

3.6MB
MD5

4d00204c805a047237431defbb66eac2
SHA1

0348a3e6aa4c353aedbfb32280c24113edb142e0
SHA256

af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc
SHA512

bb1471e1b1d1da7d1f57b9028184f68e266ebe9923e5f56015fdfc9bee29b5ac66cfeeb4667b023f656a7569df2291af243376e8567293bb2be4d8a10608739e
SSDEEP

98304:3c16jhPDcUCQcIMq2DMm0kXp6DzAqiVrfzhcn:AUhbcRHMmlSzAqiVtcn

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral6/memory/3864-74-0x0000000000930000-0x00000000009D0000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
1436	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.tmp
3864	crystalbenchmarks214.exe

Loads dropped DLL 2 IoCs

pid	Process
1436	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.tmp
3864	crystalbenchmarks214.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crystalbenchmarks214.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1436	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.tmp
1436	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1436	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 1436	3324	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.exe	80
PID 3324 wrote to memory of 1436	3324	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.exe	80
PID 3324 wrote to memory of 1436	3324	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.exe	80
PID 1436 wrote to memory of 3864	1436	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.tmp	81
PID 1436 wrote to memory of 3864	1436	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.tmp	81
PID 1436 wrote to memory of 3864	1436	af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.tmp	81

C:\Users\Admin\AppData\Local\Temp\quarantine\af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Users\Admin\AppData\Local\Temp\is-0LTVL.tmp\af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0LTVL.tmp\af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.tmp" /SL5="$B0280,3539577,56832,C:\Users\Admin\AppData\Local\Temp\quarantine\af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Crystal Bench Marks 2.1.4\crystalbenchmarks214.exe
    "C:\Users\Admin\AppData\Local\Crystal Bench Marks 2.1.4\crystalbenchmarks214.exe" -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Crystal Bench Marks 2.1.4\crystalbenchmarks214.exe

Filesize
2.8MB

MD5
7913ad66f709e5e40f3c2c2a63c68852

SHA1
5cbbe8d26c0058c998e4d6fb0b3b1327a3bfd4ee

SHA256
4ce286ea058d30786495578b2089d3ed2db10653fad2ff0c09352f49b004ed44

SHA512
a726ff276fab58bc6b5fc0a52c13ab479b9ad3ab435e664a19f5abe186aa1e522495d69e60c9b786767899ff1d59484f793369eb09137b1342aa6f414d98e884

Download Submit
C:\Users\Admin\AppData\Local\Crystal Bench Marks 2.1.4\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0LTVL.tmp\af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.tmp

Filesize
694KB

MD5
d3239f7e300381cb33da3c6effcec6fa

SHA1
245d51c44b9f312254d6b24f37cc0f4e053c4bb4

SHA256
8fa5c095628ebbf7a244a84e15a3a700c7aa9cdc87a66e5687ce24148a5da763

SHA512
8a7525b21072c0e4e69fd94e446b7ef73928a41590b83b29fe94216ce9341947226f4142a6e320eb89f0513561f474f59d754069924f67ab139655ae17a589d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DCQAS.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1436-49-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1436-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3324-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3324-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3324-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3864-53-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/3864-74-0x0000000000930000-0x00000000009D0000-memory.dmp

Filesize
640KB

Download
memory/3864-44-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-54-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-52-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-41-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-57-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-61-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-65-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-69-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-73-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-48-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-82-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-85-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-87-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-90-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-94-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-98-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-102-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-116-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/3864-120-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download