socks5systemz | fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89

Analysis

max time kernel
141s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.exe
Size

4.9MB
MD5

d0edf30605f41e7e4276afafe83f1662
SHA1

1861294776a2e5313b5280f26d8548377244e5b8
SHA256

fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89
SHA512

65f721622e9d9e0f223eccc17cfb033a7935b59ee518678602af2afef405d6bd83fc2da143dae2f23a608da0af3bd861b1984f56f2ce636ad45eb4e76e299dc4
SSDEEP

98304:Cy68M6TruLpVDmp2bFqmtEDLM0HnHq5DNogDrxW5OFIZ9zMawKQxg:E6eLSp2bogEfM0nq9mgXxWbZdQC

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1216-86-0x0000000002540000-0x00000000025E1000-memory.dmp	family_socks5systemz
behavioral1/memory/1216-109-0x0000000002540000-0x00000000025E1000-memory.dmp	family_socks5systemz
behavioral1/memory/1216-110-0x0000000002540000-0x00000000025E1000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmptotalrecorderfree32_64.exetotalrecorderfree32_64.exe

pid process

3368 fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp
1520 totalrecorderfree32_64.exe
1216 totalrecorderfree32_64.exe
Loads dropped DLL 1 IoCs

Processes:

fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp

pid process

3368 fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 141.98.234.31
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp

pid process

3368 fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp

pid	process
3368	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp
1520	totalrecorderfree32_64.exe
1216	totalrecorderfree32_64.exe

pid	process
3368	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp

description	ioc
Destination IP	141.98.234.31

pid	process
3368	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.exefe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp

description	pid	process	target process
PID 3740 wrote to memory of 3368	3740	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.exe	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp
PID 3740 wrote to memory of 3368	3740	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.exe	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp
PID 3740 wrote to memory of 3368	3740	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.exe	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp
PID 3368 wrote to memory of 1520	3368	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp	totalrecorderfree32_64.exe
PID 3368 wrote to memory of 1520	3368	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp	totalrecorderfree32_64.exe
PID 3368 wrote to memory of 1520	3368	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp	totalrecorderfree32_64.exe
PID 3368 wrote to memory of 1216	3368	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp	totalrecorderfree32_64.exe
PID 3368 wrote to memory of 1216	3368	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp	totalrecorderfree32_64.exe
PID 3368 wrote to memory of 1216	3368	fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp	totalrecorderfree32_64.exe

C:\Users\Admin\AppData\Local\Temp\fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.exe
"C:\Users\Admin\AppData\Local\Temp\fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Local\Temp\is-197UV.tmp\fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp
"C:\Users\Admin\AppData\Local\Temp\is-197UV.tmp\fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp" /SL5="$601DA,4920792,54272,C:\Users\Admin\AppData\Local\Temp\fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3368

C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe
"C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe" -i
3⤵
- Executes dropped EXE
PID:1520

C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe
"C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe" -s
3⤵
- Executes dropped EXE
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4152,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=1748 /prefetch:8
1⤵
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-197UV.tmp\fe9b7b5e162ac6434bfac1e756d6712331d02ec687c15ddfb4bf86009b8c7b89.tmp
Filesize
680KB

MD5
32f6596e136f3f8cfa1fbfd85acef958

SHA1
44411edb185b448613ac7dcfc24a6e2c0da382a3

SHA256
cd40719fec44d56ec09eeabfd56896f6bc80d4cd982f042068baca42141b4713

SHA512
e75005af4acd5ec4f53d584da8fbb2a72358af818dd6643e7eb5b862b3be582ed9cc8c8fb205b04ac2356da87826ab088c0ec658ee890a7605fd32be9b01d626

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N1AKE.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe
Filesize
3.1MB

MD5
64ecd01c744504ff4853bcda43ab68a6

SHA1
a9eebed2814af7f132c13228d93021bcd83d0a73

SHA256
9cacdebe0b4cdf8ad59d0551de211aeb6db2975fdc1005e0eeb098bd5cc2f3d0

SHA512
f4523ae356ba6ebd97fa50673984dd02e03b9ad7f1c1727b697acec580442fa754c2095549aa8c8e79026afa8addbc76df6b36bc618b3005b37dd178095878d5

Download Submit
memory/1216-96-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-80-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-117-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-114-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-110-0x0000000002540000-0x00000000025E1000-memory.dmp

Filesize
644KB

Download
memory/1216-109-0x0000000002540000-0x00000000025E1000-memory.dmp

Filesize
644KB

Download
memory/1216-108-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-68-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-105-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-102-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-71-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-74-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-77-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-99-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-83-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-86-0x0000000002540000-0x00000000025E1000-memory.dmp

Filesize
644KB

Download
memory/1216-87-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-93-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1520-64-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1520-65-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1520-60-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1520-59-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3368-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3368-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3740-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3740-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3740-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download