socks5systemz | 1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e

General

Target

1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.exe
Size

4.3MB
MD5

d82a5d515e202bd878e28860b88ccb77
SHA1

82bb20e6b538420c9da34b8a863790b8ea0f8c51
SHA256

1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e
SHA512

2614aca6c7907c18c84b85afd8ff0655f6971a1329c10254cb7412b197a967dd4262ce57e846f78bf201aa0436e76272771a2aae13151a88751c4f660fdf2088
SSDEEP

98304:C/n5kiTOOrVoKowIcqm6ZBCUAGpJg/pf+0L5AiLPziVCHQx3:KlOIVoKowIk63/A+8pf+Y5z2VCHQp

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

bbbbznx.com

http://bbbbznx.com/search/?q=67e28dd83e5aa079125baa1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f271ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608afd12c3e8959f38

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/5856-75-0x00000000007F0000-0x0000000000892000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1080	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp
5124	disksettings.exe
5856	disksettings.exe

Loads dropped DLL 3 IoCs

pid	Process
1080	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp
1080	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp
1080	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	43	152.89.198.214	5856	disksettings.exe
Destination IP	44	91.211.247.248	5856	disksettings.exe
Destination IP	41	152.89.198.214	5856	disksettings.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	disksettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	disksettings.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1080	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5140 wrote to memory of 1080	5140	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.exe	87
PID 5140 wrote to memory of 1080	5140	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.exe	87
PID 5140 wrote to memory of 1080	5140	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.exe	87
PID 1080 wrote to memory of 5124	1080	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp	89
PID 1080 wrote to memory of 5124	1080	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp	89
PID 1080 wrote to memory of 5124	1080	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp	89
PID 1080 wrote to memory of 5856	1080	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp	90
PID 1080 wrote to memory of 5856	1080	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp	90
PID 1080 wrote to memory of 5856	1080	1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp	90

C:\Users\Admin\AppData\Local\Temp\1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.exe
"C:\Users\Admin\AppData\Local\Temp\1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5140
- C:\Users\Admin\AppData\Local\Temp\is-NB1OJ.tmp\1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NB1OJ.tmp\1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp" /SL5="$60274,4096824,54272,C:\Users\Admin\AppData\Local\Temp\1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Local\Disk Settings\disksettings.exe
    "C:\Users\Admin\AppData\Local\Disk Settings\disksettings.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5124
- - C:\Users\Admin\AppData\Local\Disk Settings\disksettings.exe
    "C:\Users\Admin\AppData\Local\Disk Settings\disksettings.exe" -s
    3⤵
    - Executes dropped EXE
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Disk Settings\disksettings.exe

Filesize
2.4MB

MD5
43d5944b57334d4687e6f1bfbe532dc4

SHA1
34552ecc7ca9415aadd48b34a93b047c4321f9fe

SHA256
4ed95acd510f9b8b92e628a079c754ab51a155824d676e9fe57d0ccd69a13e7c

SHA512
12a924ceabe37284edc9d102b496f7712da09fa8e7ba154bf5cfacff6c0d3d2c708fb0fa2e68ff74ba8a0096dd673272ddd006c49283557d2f882e59cdd33570

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2EEBE.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2EEBE.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NB1OJ.tmp\1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e.tmp

Filesize
680KB

MD5
dd138912c741cabf0c299654773876d1

SHA1
a3b5d44d1b75d9b78fdcacb812afa6d001f2ee8c

SHA256
bd9536a1d39ba785979bc9c0739f717e399a7feca0f13d03ea05035b799c789b

SHA512
76c2756a1c14b610070061637236d3c148f8c926d406b0145ab1f082456138e3a30eaf7cf67f79b8511d234d7b2a191ea99b498d4f06482584eb35a881501895

Download Submit
memory/1080-7-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1080-55-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5124-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-46-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-47-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5140-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5140-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/5140-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5856-68-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-85-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-62-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-65-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-75-0x00000000007F0000-0x0000000000892000-memory.dmp

Filesize
648KB

Download
memory/5856-82-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-58-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-97-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-100-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-103-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-107-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-110-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-113-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-116-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5856-119-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing