socks5systemz | cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5

Analysis

max time kernel
292s
max time network
298s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.exe
Size

5.2MB
MD5

2e6b95f790b937dfbf6ced11b9ef2086
SHA1

42c5bcf0c4e8f051032b067a27d0d4eab49f09fb
SHA256

cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5
SHA512

21c284a6e59219cef3ed029843537530709735e20d877e09fb9af98c022e693d33712df9828a8b45933b66819c01b4965b6fcd871a87549600ed0ec5ac65814d
SSDEEP

98304:C0eIiO3I9YMXusxjCoVdSTHKw2N+FEVIUbkCTQBRR7hfwMYygQxg:tee3I9T+EjCoVdSLwN+ZYeH/fV3gQC

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2744-92-0x0000000002290000-0x0000000002331000-memory.dmp family_socks5systemz
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmptotalrecorderfree32_64.exetotalrecorderfree32_64.exe

pid process

1796 cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
2752 totalrecorderfree32_64.exe
2744 totalrecorderfree32_64.exe

resource	yara_rule
behavioral1/memory/2744-92-0x0000000002290000-0x0000000002331000-memory.dmp	family_socks5systemz

pid	process
1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
2752	totalrecorderfree32_64.exe
2744	totalrecorderfree32_64.exe

Loads dropped DLL 5 IoCs

Processes:

cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.execd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp

pid	process
2932	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.exe
1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	152.89.198.214
Destination IP	45.155.250.90
Destination IP	152.89.198.214
Destination IP	141.98.234.31
Destination IP	141.98.234.31
Destination IP	152.89.198.214
Destination IP	141.98.234.31
Destination IP	91.211.247.248
Destination IP	45.155.250.90
Destination IP	45.155.250.90
Destination IP	81.31.197.38
Destination IP	91.211.247.248
Destination IP	81.31.197.38

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp

pid process

1796 cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp

pid	process
1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.execd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp

description	pid	process	target process
PID 2932 wrote to memory of 1796	2932	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.exe	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
PID 2932 wrote to memory of 1796	2932	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.exe	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
PID 2932 wrote to memory of 1796	2932	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.exe	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
PID 2932 wrote to memory of 1796	2932	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.exe	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
PID 2932 wrote to memory of 1796	2932	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.exe	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
PID 2932 wrote to memory of 1796	2932	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.exe	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
PID 2932 wrote to memory of 1796	2932	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.exe	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
PID 1796 wrote to memory of 2752	1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp	totalrecorderfree32_64.exe
PID 1796 wrote to memory of 2752	1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp	totalrecorderfree32_64.exe
PID 1796 wrote to memory of 2752	1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp	totalrecorderfree32_64.exe
PID 1796 wrote to memory of 2752	1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp	totalrecorderfree32_64.exe
PID 1796 wrote to memory of 2744	1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp	totalrecorderfree32_64.exe
PID 1796 wrote to memory of 2744	1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp	totalrecorderfree32_64.exe
PID 1796 wrote to memory of 2744	1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp	totalrecorderfree32_64.exe
PID 1796 wrote to memory of 2744	1796	cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp	totalrecorderfree32_64.exe

C:\Users\Admin\AppData\Local\Temp\cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.exe
"C:\Users\Admin\AppData\Local\Temp\cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\is-47RL4.tmp\cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-47RL4.tmp\cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp" /SL5="$40016,5153728,54272,C:\Users\Admin\AppData\Local\Temp\cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe
"C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe" -i
3⤵
- Executes dropped EXE
PID:2752

C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe
"C:\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe" -s
3⤵
- Executes dropped EXE
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-47RL4.tmp\cd463caa0bff222a5e30c782cb1b7f0a9b24b9b2f71b990d9dcfe11eb82f35b5.tmp
Filesize
680KB

MD5
32f6596e136f3f8cfa1fbfd85acef958

SHA1
44411edb185b448613ac7dcfc24a6e2c0da382a3

SHA256
cd40719fec44d56ec09eeabfd56896f6bc80d4cd982f042068baca42141b4713

SHA512
e75005af4acd5ec4f53d584da8fbb2a72358af818dd6643e7eb5b862b3be582ed9cc8c8fb205b04ac2356da87826ab088c0ec658ee890a7605fd32be9b01d626

Download Submit
\Users\Admin\AppData\Local\Temp\is-JMK91.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-JMK91.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Total Recorder Free\totalrecorderfree32_64.exe
Filesize
3.3MB

MD5
f4670d2fa1b46639baaa77ec7e759173

SHA1
5564a87945d358eb2bd48c025368e7bbfeac42d5

SHA256
ece82bd569b223861a1b154bb405e69e6e56076f558aea369aacc41e6df0ecb2

SHA512
44967f60ef2bacea2abb77038098050ba82fb745bc21cb534c6bb399b848ed55dbf20cfae651e5e3378b4ffc5d38825209ab5bdab2e4912ad13252c65174f258

Download Submit
memory/1796-64-0x00000000038D0000-0x0000000003C25000-memory.dmp

Filesize
3.3MB

Download
memory/1796-76-0x00000000038D0000-0x0000000003C25000-memory.dmp

Filesize
3.3MB

Download
memory/1796-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1796-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2744-79-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-113-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-134-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-71-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-131-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-128-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-75-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-125-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-122-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-82-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-85-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-88-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-91-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-92-0x0000000002290000-0x0000000002331000-memory.dmp

Filesize
644KB

Download
memory/2744-98-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-101-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-104-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-107-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-110-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-119-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2744-116-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2752-66-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2752-65-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2752-69-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2932-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2932-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2932-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download