socks5systemz | fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d

General

Target

fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.exe
Size

4.3MB
MD5

7b5c9c816277ce3e0ab2c2987e2fb17d
SHA1

38d830f6b5cfe60ffc1ac3194c84f53d28afa063
SHA256

fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d
SHA512

a24ba544c500446eced652f945618abf48f9898ef68070441fed894aa8a2853312b3a9e691ddd44c8dcf4013e723df40c7b104cdf2a0acbb839b78ba841b6e05
SSDEEP

98304:cRW2fva4Yxwp0BT7o0OaCs4qcezx9IAAfdwUnvJG7Ly/E3Nm44mhjgc0Gft4IbB+:mXHYpB2Zqcex9DABn4b3NmYjlXVLv6

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

ddnotow.info

http://ddnotow.info/search/?q=67e28dd86558fa2d4658af497c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608afd12c3e79c9a3f

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2536-91-0x0000000000860000-0x0000000000902000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1928	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.tmp
1640	mixerfreeedition.exe
2536	mixerfreeedition.exe

Loads dropped DLL 1 IoCs

pid	Process
1928	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	48	152.89.198.214	2536	mixerfreeedition.exe
Destination IP	50	91.211.247.248	2536	mixerfreeedition.exe
Destination IP	46	141.98.234.31	2536	mixerfreeedition.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixerfreeedition.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixerfreeedition.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 1928	640	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.exe	85
PID 640 wrote to memory of 1928	640	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.exe	85
PID 640 wrote to memory of 1928	640	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.exe	85
PID 1928 wrote to memory of 1640	1928	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.tmp	88
PID 1928 wrote to memory of 1640	1928	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.tmp	88
PID 1928 wrote to memory of 1640	1928	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.tmp	88
PID 1928 wrote to memory of 2536	1928	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.tmp	89
PID 1928 wrote to memory of 2536	1928	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.tmp	89
PID 1928 wrote to memory of 2536	1928	fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.tmp	89

C:\Users\Admin\AppData\Local\Temp\fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.exe
"C:\Users\Admin\AppData\Local\Temp\fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\is-VT3A4.tmp\fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VT3A4.tmp\fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.tmp" /SL5="$80090,4223599,54272,C:\Users\Admin\AppData\Local\Temp\fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe
    "C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1640
- - C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe
    "C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe" -s
    3⤵
    - Executes dropped EXE
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mixer Free Edition\libeay32.dll

Filesize
1.9MB

MD5
5fbd844a6ce26deb5337e8e6dd7c7b70

SHA1
5302e49b2027a07c7bb8f95d45510efc0d954cf8

SHA256
f0d640c4e07c81c29f0ec2b603ec3017bdd4db0d0e26c3fa364a6bbf45826058

SHA512
c383b5ec9fb9efd53cdf00c2b0940fe60a35a857f8be40ae0763647c3523712553910aca8504768cc86895b2168525fa6043d567e66e0ed5696e2c8e5e7b992d

Download Submit
C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe

Filesize
1.9MB

MD5
d15b798e9fa9b56ad9f205561a283486

SHA1
1878b0ff7c1ff143287f91ef0ff07e435bc00a77

SHA256
c0711fff5c8b5c5395aae89ecabd51b7ebf3f037d31114d281f8eccf327703da

SHA512
e388beba35e9b4dd84b0073000a1ee0749d87d0161eb817048da367f2f745ec96f11fec7fb5b9650f3c4137f030757c47d6146ae6428689312fbfc3532ee36b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AS7KT.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VT3A4.tmp\fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d.tmp

Filesize
696KB

MD5
c6061f804038f66af0cbf28c43abf849

SHA1
0473fc63f6514857bba850ce50206fbe8c992b64

SHA256
6261d17d1ab1744496c0f2988954989398d6829f2417df5420ffdf6d64f8678e

SHA512
edf27bfeec82752b6d52a8eb68853dde5d5effd9c3a8c1c93e181167d8bc5ae2c6d7b19ac74955c91aa4e90913fb7dcc8439d33a5e0c8aac5fe71c914596e0ae

Download Submit
memory/640-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/640-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/640-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1640-63-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1640-60-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1640-65-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1640-59-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1928-71-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1928-13-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2536-81-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-99-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-74-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-75-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-78-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-68-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-84-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-87-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-92-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-91-0x0000000000860000-0x0000000000902000-memory.dmp

Filesize
648KB

Download
memory/2536-98-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-70-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-102-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-105-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-108-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-111-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-114-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-117-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-120-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-124-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-127-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-130-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-133-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2536-136-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing