socks5systemz | c078a7f5fd5c87edd330cab444ba5029b0724ffe2cad4328b2c2af2b3626ecd7

General

Target

4pBCPFJgt.exe
Size

3.5MB
MD5

5bc369e30cec8a0ede314e14bec67ff3
SHA1

36c7b49100792b7392f9438c03b15fe37e463730
SHA256

c078a7f5fd5c87edd330cab444ba5029b0724ffe2cad4328b2c2af2b3626ecd7
SHA512

86195aad361c8281db024ba9c8fe783c3c0421ca395c466d95f5c67aa1de42d84c28e0b2f376a2ce9d700a7d31c4549c8d40fb8dd5f2cc461a71ec29e2ce81c4
SSDEEP

49152:1v+WHZoFWX1sahT6ecbqX3xycyFdhhBSOtN4R/d4S34FH2qW+mQQChBr8:N+EKclhTc2g3nhwOtaRNwWqW+mQRPw

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral1/memory/4508-76-0x0000000000910000-0x00000000009B0000-memory.dmp	family_socks5systemz
behavioral1/memory/4508-114-0x0000000000910000-0x00000000009B0000-memory.dmp	family_socks5systemz
behavioral1/memory/4508-115-0x0000000000910000-0x00000000009B0000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
1692	4pBCPFJgt.tmp
4508	systemknight131.exe

Loads dropped DLL 2 IoCs

pid	Process
1692	4pBCPFJgt.tmp
4508	systemknight131.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4pBCPFJgt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4pBCPFJgt.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemknight131.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1692	4pBCPFJgt.tmp
1692	4pBCPFJgt.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1692	4pBCPFJgt.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 1692	228	4pBCPFJgt.exe	88
PID 228 wrote to memory of 1692	228	4pBCPFJgt.exe	88
PID 228 wrote to memory of 1692	228	4pBCPFJgt.exe	88
PID 1692 wrote to memory of 4508	1692	4pBCPFJgt.tmp	92
PID 1692 wrote to memory of 4508	1692	4pBCPFJgt.tmp	92
PID 1692 wrote to memory of 4508	1692	4pBCPFJgt.tmp	92

C:\Users\Admin\AppData\Local\Temp\4pBCPFJgt.exe
"C:\Users\Admin\AppData\Local\Temp\4pBCPFJgt.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\is-KNJ5K.tmp\4pBCPFJgt.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KNJ5K.tmp\4pBCPFJgt.tmp" /SL5="$702DE,3418797,54272,C:\Users\Admin\AppData\Local\Temp\4pBCPFJgt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\System Knight 1.3.1\systemknight131.exe
    "C:\Users\Admin\AppData\Local\System Knight 1.3.1\systemknight131.exe" -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\System Knight 1.3.1\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\System Knight 1.3.1\systemknight131.exe

Filesize
2.9MB

MD5
177bfae953e8dde7f22cdf68a0486398

SHA1
1f59ec544a77a1415a945f6e088c3a9e001c7509

SHA256
e25cfa80e4c0d27f5d3d999cf4146ba99b35610d387477bf6cad8ea5acf54f02

SHA512
9ad51178194e48a1f48718d0ba4851d68ecd70a783eb3db25d6a61ab3675848f28a91e9f3395483046306bc8eaf7759d7b9199a89266060a5aef0e1747a82060

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1EFGR.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KNJ5K.tmp\4pBCPFJgt.tmp

Filesize
692KB

MD5
fbe8538b857396c74fe725ab5129478b

SHA1
4a18d12be646e2789981f01e857385d1036cc28a

SHA256
c926f4a287b286dc3eb12b4f79b67b17e9c6e30f29457814ab33e5d512fb0a42

SHA512
93e6cbf740de37fe802ac2c0081aed8bcd5ec96b93b09defefb95f637a106f1fb8bbc1896f593ebbcdf9cdd88006d0b051c56a87dfca82fe914cb4ba46683d0d

Download Submit
memory/228-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/228-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/228-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1692-51-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1692-13-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4508-56-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4508-76-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/4508-50-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-53-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-55-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-45-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-59-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-63-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-67-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-71-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-78-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-46-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-83-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-87-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-91-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-95-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-99-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-103-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-114-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/4508-115-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/4508-119-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4508-123-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing