socks5systemz | b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706

Analysis

max time kernel
141s
max time network
130s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.exe
Size

5.1MB
MD5

9196cc8ba2a5dcaf33eb774a23b59c02
SHA1

b08eef8351e511b7a7f8ed26089a48983add1fb1
SHA256

b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706
SHA512

bdb9cee93272cc20cb76434c79c0ca921e34ce8952a2b87a70cbd1bd750fce6b4ada75c1bcc451832fb2e937e0b0f05f4669676ca6d1ca8d2b47d0287ca54a2f
SSDEEP

98304:C85VkBCRsWdhvUTeNKXmkXOCeQK+1s9T8gIojhFJRqnEyYljvshuL/eQx9W:nsEwVeQ91s9TeojhpqpAvsIjeQa

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3360-86-0x0000000000AF0000-0x0000000000B92000-memory.dmp	family_socks5systemz
behavioral2/memory/3360-110-0x0000000000AF0000-0x0000000000B92000-memory.dmp	family_socks5systemz
behavioral2/memory/3360-111-0x0000000000AF0000-0x0000000000B92000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmpvkfreeaudiosaver32_64.exevkfreeaudiosaver32_64.exe

pid process

1940 b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp
2704 vkfreeaudiosaver32_64.exe
3360 vkfreeaudiosaver32_64.exe
Loads dropped DLL 1 IoCs

Processes:

b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp

pid process

1940 b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 91.211.247.248
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp

pid process

1940 b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp

pid	process
1940	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp
2704	vkfreeaudiosaver32_64.exe
3360	vkfreeaudiosaver32_64.exe

pid	process
1940	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp

description	ioc
Destination IP	91.211.247.248

pid	process
1940	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.exeb3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp

description	pid	process	target process
PID 1624 wrote to memory of 1940	1624	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.exe	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp
PID 1624 wrote to memory of 1940	1624	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.exe	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp
PID 1624 wrote to memory of 1940	1624	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.exe	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp
PID 1940 wrote to memory of 2704	1940	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp	vkfreeaudiosaver32_64.exe
PID 1940 wrote to memory of 2704	1940	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp	vkfreeaudiosaver32_64.exe
PID 1940 wrote to memory of 2704	1940	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp	vkfreeaudiosaver32_64.exe
PID 1940 wrote to memory of 3360	1940	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp	vkfreeaudiosaver32_64.exe
PID 1940 wrote to memory of 3360	1940	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp	vkfreeaudiosaver32_64.exe
PID 1940 wrote to memory of 3360	1940	b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp	vkfreeaudiosaver32_64.exe

C:\Users\Admin\AppData\Local\Temp\b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.exe
"C:\Users\Admin\AppData\Local\Temp\b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\is-4PNAB.tmp\b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4PNAB.tmp\b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp" /SL5="$D016C,5060496,54272,C:\Users\Admin\AppData\Local\Temp\b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe
"C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe" -i
3⤵
- Executes dropped EXE
PID:2704

C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe
"C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe" -s
3⤵
- Executes dropped EXE
PID:3360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-2EJPP.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4PNAB.tmp\b3a29cad90497cf7612401ac7883258270536d0e82888c79562e8d466e259706.tmp
Filesize
680KB

MD5
70295416713c0ce535665d806e3d54ac

SHA1
fe13c334ec67412f41fe190f93da7d45a57eccbd

SHA256
958c5f807a8268b09828e0f02a6c75a92f3a87dbd1853eb62e5996db990ba2ba

SHA512
2336597fb6ffe697ba62cd931479108556fee44319176989f961ae43aea62b111df6870a169202c6d960aface42779a2f82db48a69fe2072b711a512812f925c

Download Submit
C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe
Filesize
3.6MB

MD5
a69b04e687f2ef063c90e9278becb96f

SHA1
219fdef9a38ffef0f457dd6446ea42ee5126259f

SHA256
9ccde236ad397e968dd1595d3b63781eb3a319b8f39b1687b5e56eed42ed1a6c

SHA512
1cf54018c8794a96e3e0a1f4954287f7c1c15180db093a01001e107db26eba1d33ef5e2cbdd226693820f2079b71e0b57e06974e6d4565eb566a6a8cd034c2cf

Download Submit
memory/1624-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1624-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1624-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1940-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1940-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2704-64-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/2704-63-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/2704-60-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/2704-59-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-75-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-88-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-71-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-74-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-66-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-78-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-81-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-84-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-86-0x0000000000AF0000-0x0000000000B92000-memory.dmp

Filesize
648KB

Download
memory/3360-68-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-94-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-97-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-100-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-103-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-106-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-109-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-110-0x0000000000AF0000-0x0000000000B92000-memory.dmp

Filesize
648KB

Download
memory/3360-111-0x0000000000AF0000-0x0000000000B92000-memory.dmp

Filesize
648KB

Download
memory/3360-115-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/3360-118-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download