socks5systemz | 6f420842274a1f21505a6547551fe6021007b22f69e60556dfa8e9657a536e7f

General

Target

fb60b8e0dfa48c25dda7a9b1bb55bff6.exe
Size

3.7MB
MD5

fb60b8e0dfa48c25dda7a9b1bb55bff6
SHA1

e16e205591973df664dae61cb92845b6e27a2599
SHA256

6f420842274a1f21505a6547551fe6021007b22f69e60556dfa8e9657a536e7f
SHA512

144087304f3832ab1a4b118bdeddc05b5e97b355e8ce905609847052da1aa42b5e39ef5ad7d666ce80d0c125328028c7a2d89a37151879c2284a7bfb88cc76a9
SSDEEP

98304:NEgc0L2vDz3Zvb2jatfAzeSmSTuzY2SK5vsY9xlcY10rJkk:yg92v3NbyatfAzeSmycL/VnlcCoJp

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/5952-75-0x0000000002420000-0x00000000024C0000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 2 IoCs

pid	Process
2652	fb60b8e0dfa48c25dda7a9b1bb55bff6.tmp
5952	simplydiskexplorer38.exe

Loads dropped DLL 2 IoCs

pid	Process
2652	fb60b8e0dfa48c25dda7a9b1bb55bff6.tmp
5952	simplydiskexplorer38.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb60b8e0dfa48c25dda7a9b1bb55bff6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb60b8e0dfa48c25dda7a9b1bb55bff6.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	simplydiskexplorer38.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2652	fb60b8e0dfa48c25dda7a9b1bb55bff6.tmp
2652	fb60b8e0dfa48c25dda7a9b1bb55bff6.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2652	fb60b8e0dfa48c25dda7a9b1bb55bff6.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2652	4948	fb60b8e0dfa48c25dda7a9b1bb55bff6.exe	78
PID 4948 wrote to memory of 2652	4948	fb60b8e0dfa48c25dda7a9b1bb55bff6.exe	78
PID 4948 wrote to memory of 2652	4948	fb60b8e0dfa48c25dda7a9b1bb55bff6.exe	78
PID 2652 wrote to memory of 5952	2652	fb60b8e0dfa48c25dda7a9b1bb55bff6.tmp	79
PID 2652 wrote to memory of 5952	2652	fb60b8e0dfa48c25dda7a9b1bb55bff6.tmp	79
PID 2652 wrote to memory of 5952	2652	fb60b8e0dfa48c25dda7a9b1bb55bff6.tmp	79

C:\Users\Admin\AppData\Local\Temp\fb60b8e0dfa48c25dda7a9b1bb55bff6.exe
"C:\Users\Admin\AppData\Local\Temp\fb60b8e0dfa48c25dda7a9b1bb55bff6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\is-M4Q6H.tmp\fb60b8e0dfa48c25dda7a9b1bb55bff6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-M4Q6H.tmp\fb60b8e0dfa48c25dda7a9b1bb55bff6.tmp" /SL5="$6030E,3602193,54272,C:\Users\Admin\AppData\Local\Temp\fb60b8e0dfa48c25dda7a9b1bb55bff6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Simply Disk Explorer 5.0.3.8\simplydiskexplorer38.exe
    "C:\Users\Admin\AppData\Local\Simply Disk Explorer 5.0.3.8\simplydiskexplorer38.exe" -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5952

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Simply Disk Explorer 5.0.3.8\simplydiskexplorer38.exe

Filesize
3.2MB

MD5
bc9ba0fc3920c5c2968223de836aa414

SHA1
4e63fb8a236b4230e3d0439e349d6f2fc0fa3e3b

SHA256
3ec29dcc9dc0fee50c3027ab2f5dd2dec32518e3ea03dfe35ecbeb1b6cc81627

SHA512
e8385e10dfd038497111d23df89a0a8d82ccf86557de1d35fbcd4add2d8b1a358b0825d8d6886c6a741ba55efefa51439664651da91000ccf098998c90abbf45

Download Submit
C:\Users\Admin\AppData\Local\Simply Disk Explorer 5.0.3.8\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ITQLO.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M4Q6H.tmp\fb60b8e0dfa48c25dda7a9b1bb55bff6.tmp

Filesize
692KB

MD5
4a9699f8d64229a8653205854455dc85

SHA1
c06179cc53c71f0e75a548ff70e64c7482962ebc

SHA256
9b32db1da22b7ac195e2c6ef75ce62ca329ec86ced25fb057ba17657331ddbc1

SHA512
0d922bfaf5c208a6f89db76ab1c1f8ee5990d0412488228b2ea49ea12a20ba65abb1545fdfa4bd9beba7b6f2408dbe0158849c93094f60eeae0acb5f6fe1b6d8

Download Submit
memory/2652-51-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2652-16-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4948-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4948-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4948-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5952-56-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/5952-71-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-46-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-53-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-55-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-45-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-59-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-63-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-67-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-50-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-75-0x0000000002420000-0x00000000024C0000-memory.dmp

Filesize
640KB

Download
memory/5952-78-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-83-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-87-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-91-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-95-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-99-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-103-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-107-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/5952-111-0x0000000000400000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download

Resubmissions

Analysis

Sharing