socks5systemz | a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4

General

Target

a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe
Size

5.2MB
MD5

c1cc6000c6eaf1fe6347124647ab3ab5
SHA1

9925f96090c97b327bd3a63524545ed030e465d4
SHA256

a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4
SHA512

faa0c38cbcb742b89355c12a313e9a733beb2c18eca644283370444f708f1cceec2bf645fd7b48daad8f338121bbd1801294ddfb303d87dc8fc04239005983eb
SSDEEP

98304:C82GBZjmMpd1bTRYeUY4h4JydTLhr7lQShe2NXSAZ+2gcspFc7W5io6wG5f4:gqtd1HRYeU2JETtr7lW2NXSmngcUO7qD

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

ejglxdt.ua

http://ejglxdt.ua/search/?q=67e28dd8685cf679160da41e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a271ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923f658cf711c9e890

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3024-80-0x0000000002A10000-0x0000000002AB2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp
2628	pmediaserver.exe
3024	pmediaserver.exe

Loads dropped DLL 6 IoCs

pid	Process
1552	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe
2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp
2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp
2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp
2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp
2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	2	152.89.198.214	3024	pmediaserver.exe
Destination IP	3	152.89.198.214	3024	pmediaserver.exe
Destination IP	6	91.211.247.248	3024	pmediaserver.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmediaserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmediaserver.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2000	1552	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe	31
PID 1552 wrote to memory of 2000	1552	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe	31
PID 1552 wrote to memory of 2000	1552	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe	31
PID 1552 wrote to memory of 2000	1552	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe	31
PID 1552 wrote to memory of 2000	1552	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe	31
PID 1552 wrote to memory of 2000	1552	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe	31
PID 1552 wrote to memory of 2000	1552	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe	31
PID 2000 wrote to memory of 2628	2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp	32
PID 2000 wrote to memory of 2628	2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp	32
PID 2000 wrote to memory of 2628	2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp	32
PID 2000 wrote to memory of 2628	2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp	32
PID 2000 wrote to memory of 3024	2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp	33
PID 2000 wrote to memory of 3024	2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp	33
PID 2000 wrote to memory of 3024	2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp	33
PID 2000 wrote to memory of 3024	2000	a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp	33

C:\Users\Admin\AppData\Local\Temp\a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe
"C:\Users\Admin\AppData\Local\Temp\a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\is-1P10T.tmp\a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1P10T.tmp\a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp" /SL5="$40108,5099094,54272,C:\Users\Admin\AppData\Local\Temp\a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Pleenator Media Server\pmediaserver.exe
    "C:\Users\Admin\AppData\Local\Pleenator Media Server\pmediaserver.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2628
- - C:\Users\Admin\AppData\Local\Pleenator Media Server\pmediaserver.exe
    "C:\Users\Admin\AppData\Local\Pleenator Media Server\pmediaserver.exe" -s
    3⤵
    - Executes dropped EXE
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Pleenator Media Server\pmediaserver.exe

Filesize
5.2MB

MD5
f4c7470503c8f46c5054e32053428214

SHA1
6cc6f0cf72efc1926b515b3deb515e557afe299c

SHA256
072a1edd6ea32e0e76b0c712f1fd2f10656bb2a6c3764299105dfcb8928ffd40

SHA512
215d56071826070d1ff4e3d8c3ae73893df5d691bb35c5301869bce91e3dc6ed64e7e25a1798d0ce170664a15f2a1663ddc1efa6f0efa11844a425f3f3d45c3d

Download Submit
\Users\Admin\AppData\Local\Temp\is-1P10T.tmp\a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4.tmp

Filesize
680KB

MD5
78276d2aa5e45234705be62759f5d189

SHA1
ab59864f65055560ba43944e193fab202ca55290

SHA256
929d99810dc5edc5cc6e73ad47b15a58d1cff38baf96dda5a5f0975dd3db55af

SHA512
f3c03a032325a7b4263f7e27846347baf7d3ee3f2eccbfe68580d82f933e9c8ad3a1135d1a63bb09a33cbffeff53826030593092fe688b7907818b997a83b6f9

Download Submit
\Users\Admin\AppData\Local\Temp\is-ESM47.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-ESM47.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-ESM47.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1552-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1552-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1552-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2000-9-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2000-47-0x0000000003500000-0x0000000003A30000-memory.dmp

Filesize
5.2MB

Download
memory/2000-56-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2000-57-0x0000000003500000-0x0000000003A30000-memory.dmp

Filesize
5.2MB

Download
memory/2628-49-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2628-53-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2628-48-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-68-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-93-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-65-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-55-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-71-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-74-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-77-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-80-0x0000000002A10000-0x0000000002AB2000-memory.dmp

Filesize
648KB

Download
memory/3024-84-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-87-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-90-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-62-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-96-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-99-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-102-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-105-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-108-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-112-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-115-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-118-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3024-121-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing