socks5systemz | a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19

Analysis

max time kernel
292s
max time network
298s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exe
Size

5.2MB
MD5

22f8e2f2e376d18100dfa7ce119ae1a2
SHA1

854a8441717613e4d97edcdbfd2a1c42d645c508
SHA256

a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19
SHA512

1d595082816eac5f76c937782f427b32805f12a84b4a877606472943edbcf53c7bc4e49410c9e2282a41623f54f58543e47caa1c5adbb8df59d57cd0fc9084d4
SSDEEP

98304:CEfrNoij3/+QOkv5x49mbToGyfcz1bJG1PrUWgxBGXvn5SDbUGQBql3E1uJQxcMv:Heij3/QkhambT/z1bJGlMxBGXv5SDDQ/

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

bwrubjq.com

juermvm.info

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2540-92-0x00000000026D0000-0x0000000002772000-memory.dmp family_socks5systemz
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmpwavmp3splitter32.exewavmp3splitter32.exe

pid process

620 a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
2556 wavmp3splitter32.exe
2540 wavmp3splitter32.exe

resource	yara_rule
behavioral1/memory/2540-92-0x00000000026D0000-0x0000000002772000-memory.dmp	family_socks5systemz

pid	process
620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
2556	wavmp3splitter32.exe
2540	wavmp3splitter32.exe

Loads dropped DLL 5 IoCs

Processes:

a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exea6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp

pid	process
1484	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exe
620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	45.155.250.90
Destination IP	45.155.250.90
Destination IP	81.31.197.38
Destination IP	91.211.247.248
Destination IP	152.89.198.214
Destination IP	152.89.198.214
Destination IP	152.89.198.214
Destination IP	152.89.198.214
Destination IP	141.98.234.31
Destination IP	81.31.197.38
Destination IP	91.211.247.248
Destination IP	141.98.234.31
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp

pid process

620 a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp

pid	process
620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exea6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp

description	pid	process	target process
PID 1484 wrote to memory of 620	1484	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exe	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
PID 1484 wrote to memory of 620	1484	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exe	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
PID 1484 wrote to memory of 620	1484	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exe	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
PID 1484 wrote to memory of 620	1484	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exe	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
PID 1484 wrote to memory of 620	1484	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exe	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
PID 1484 wrote to memory of 620	1484	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exe	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
PID 1484 wrote to memory of 620	1484	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exe	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
PID 620 wrote to memory of 2556	620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp	wavmp3splitter32.exe
PID 620 wrote to memory of 2556	620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp	wavmp3splitter32.exe
PID 620 wrote to memory of 2556	620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp	wavmp3splitter32.exe
PID 620 wrote to memory of 2556	620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp	wavmp3splitter32.exe
PID 620 wrote to memory of 2540	620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp	wavmp3splitter32.exe
PID 620 wrote to memory of 2540	620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp	wavmp3splitter32.exe
PID 620 wrote to memory of 2540	620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp	wavmp3splitter32.exe
PID 620 wrote to memory of 2540	620	a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp	wavmp3splitter32.exe

C:\Users\Admin\AppData\Local\Temp\a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exe
"C:\Users\Admin\AppData\Local\Temp\a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\is-4A1EA.tmp\a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4A1EA.tmp\a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp" /SL5="$40016,5157028,54272,C:\Users\Admin\AppData\Local\Temp\a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\wavmp3splitter32.exe
"C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\wavmp3splitter32.exe" -i
3⤵
- Executes dropped EXE
PID:2556

C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\wavmp3splitter32.exe
"C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\wavmp3splitter32.exe" -s
3⤵
- Executes dropped EXE
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\wavmp3splitter32.exe
Filesize
3.6MB

MD5
f74876fdfb3cf3b4101a6864819b47fd

SHA1
6a1becdc706100e84551ac70f820eeaf98418a5a

SHA256
3c7d92037a045854f437f52009feb4dbe88cc4bd038d355c6a782bded99a6573

SHA512
9fd3c7d277df143829a51ff6094ee493fa57c701a5e48fa5778a714bf5c525c8f613255a2087e441dfcc6c9f0d5bd885265bb45cb0f75c4448c80c0cae814fad

Download Submit
\Users\Admin\AppData\Local\Temp\is-4A1EA.tmp\a6ecfe477b96917303399df2876ee5fe876fee88dbb452e092b6794643243c19.tmp
Filesize
680KB

MD5
59177ea3e8147d91b694e9949c60d194

SHA1
5c8cfd3fcccd7be056c7c0e2e4fc063c38dc14bd

SHA256
9687ab4b33b1a083194713be5a0f872ebb949773b832a20063a507073859e28c

SHA512
a235dab7d5dc6652f5f8256c1e2c19aef2f583ead02a920ee17658eeb64e8a9620767594d7e4b6ca4aa030643821133c1a18823c55ea769d3221383927ea8a08

Download Submit
\Users\Admin\AppData\Local\Temp\is-DS8OO.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-DS8OO.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/620-19-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/620-64-0x0000000003A60000-0x0000000003DF7000-memory.dmp

Filesize
3.6MB

Download
memory/620-79-0x0000000003A60000-0x0000000003DF7000-memory.dmp

Filesize
3.6MB

Download
memory/620-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1484-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1484-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1484-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2540-104-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-98-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-134-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-75-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-78-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-131-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-82-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-85-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-88-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-91-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-92-0x00000000026D0000-0x0000000002772000-memory.dmp

Filesize
648KB

Download
memory/2540-71-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-101-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-128-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-107-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-110-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-113-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-116-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-119-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-122-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2540-125-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2556-65-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2556-69-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/2556-66-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download