socks5systemz | a8aba4eea6ee777d808da1c3c6a7cd83ca9b7c10c451fdaa30e5c8ec966c3e06

Analysis

max time kernel
144s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

112fabc0aae6f0be68ca31f4acc53afa.exe
Size

4.5MB
MD5

112fabc0aae6f0be68ca31f4acc53afa
SHA1

e9f97d439abf459cdf7877ae4e61f1e2af934834
SHA256

a8aba4eea6ee777d808da1c3c6a7cd83ca9b7c10c451fdaa30e5c8ec966c3e06
SHA512

2ed1aed32004fe8251a7f37d2bcaa0011505cbbd8f41577c0ebe621f583ddfac60ff55f75bd9881b6b69189346904f147692d5ea714112d8618059ee6fe63d5f
SSDEEP

98304:CC/Gs7cpyygvvmx0y/Bu5pQOCsaY5WQb77sQ7Jg532miynC8SiQx2:l/zcpyygv+xV0SsWA7ZFgbzUiQw

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2492-91-0x00000000028A0000-0x0000000002942000-memory.dmp	family_socks5systemz
behavioral1/memory/2492-113-0x00000000028A0000-0x0000000002942000-memory.dmp	family_socks5systemz
behavioral1/memory/2492-114-0x00000000028A0000-0x0000000002942000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

112fabc0aae6f0be68ca31f4acc53afa.tmpmp3doctorfree.exemp3doctorfree.exe

pid process

2216 112fabc0aae6f0be68ca31f4acc53afa.tmp
2624 mp3doctorfree.exe
2492 mp3doctorfree.exe

pid	process
2216	112fabc0aae6f0be68ca31f4acc53afa.tmp
2624	mp3doctorfree.exe
2492	mp3doctorfree.exe

Loads dropped DLL 5 IoCs

Processes:

112fabc0aae6f0be68ca31f4acc53afa.exe112fabc0aae6f0be68ca31f4acc53afa.tmp

pid	process
2208	112fabc0aae6f0be68ca31f4acc53afa.exe
2216	112fabc0aae6f0be68ca31f4acc53afa.tmp
2216	112fabc0aae6f0be68ca31f4acc53afa.tmp
2216	112fabc0aae6f0be68ca31f4acc53afa.tmp
2216	112fabc0aae6f0be68ca31f4acc53afa.tmp

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 91.211.247.248
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

112fabc0aae6f0be68ca31f4acc53afa.tmp

pid process

2216 112fabc0aae6f0be68ca31f4acc53afa.tmp

description	ioc
Destination IP	91.211.247.248

pid	process
2216	112fabc0aae6f0be68ca31f4acc53afa.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

112fabc0aae6f0be68ca31f4acc53afa.exe112fabc0aae6f0be68ca31f4acc53afa.tmp

description	pid	process	target process
PID 2208 wrote to memory of 2216	2208	112fabc0aae6f0be68ca31f4acc53afa.exe	112fabc0aae6f0be68ca31f4acc53afa.tmp
PID 2208 wrote to memory of 2216	2208	112fabc0aae6f0be68ca31f4acc53afa.exe	112fabc0aae6f0be68ca31f4acc53afa.tmp
PID 2208 wrote to memory of 2216	2208	112fabc0aae6f0be68ca31f4acc53afa.exe	112fabc0aae6f0be68ca31f4acc53afa.tmp
PID 2208 wrote to memory of 2216	2208	112fabc0aae6f0be68ca31f4acc53afa.exe	112fabc0aae6f0be68ca31f4acc53afa.tmp
PID 2208 wrote to memory of 2216	2208	112fabc0aae6f0be68ca31f4acc53afa.exe	112fabc0aae6f0be68ca31f4acc53afa.tmp
PID 2208 wrote to memory of 2216	2208	112fabc0aae6f0be68ca31f4acc53afa.exe	112fabc0aae6f0be68ca31f4acc53afa.tmp
PID 2208 wrote to memory of 2216	2208	112fabc0aae6f0be68ca31f4acc53afa.exe	112fabc0aae6f0be68ca31f4acc53afa.tmp
PID 2216 wrote to memory of 2624	2216	112fabc0aae6f0be68ca31f4acc53afa.tmp	mp3doctorfree.exe
PID 2216 wrote to memory of 2624	2216	112fabc0aae6f0be68ca31f4acc53afa.tmp	mp3doctorfree.exe
PID 2216 wrote to memory of 2624	2216	112fabc0aae6f0be68ca31f4acc53afa.tmp	mp3doctorfree.exe
PID 2216 wrote to memory of 2624	2216	112fabc0aae6f0be68ca31f4acc53afa.tmp	mp3doctorfree.exe
PID 2216 wrote to memory of 2492	2216	112fabc0aae6f0be68ca31f4acc53afa.tmp	mp3doctorfree.exe
PID 2216 wrote to memory of 2492	2216	112fabc0aae6f0be68ca31f4acc53afa.tmp	mp3doctorfree.exe
PID 2216 wrote to memory of 2492	2216	112fabc0aae6f0be68ca31f4acc53afa.tmp	mp3doctorfree.exe
PID 2216 wrote to memory of 2492	2216	112fabc0aae6f0be68ca31f4acc53afa.tmp	mp3doctorfree.exe

C:\Users\Admin\AppData\Local\Temp\112fabc0aae6f0be68ca31f4acc53afa.exe
"C:\Users\Admin\AppData\Local\Temp\112fabc0aae6f0be68ca31f4acc53afa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\is-U1L1C.tmp\112fabc0aae6f0be68ca31f4acc53afa.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U1L1C.tmp\112fabc0aae6f0be68ca31f4acc53afa.tmp" /SL5="$400F4,4418583,54272,C:\Users\Admin\AppData\Local\Temp\112fabc0aae6f0be68ca31f4acc53afa.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\MP3Doctor Free 2022\mp3doctorfree.exe
"C:\Users\Admin\AppData\Local\MP3Doctor Free 2022\mp3doctorfree.exe" -i
3⤵
- Executes dropped EXE
PID:2624

C:\Users\Admin\AppData\Local\MP3Doctor Free 2022\mp3doctorfree.exe
"C:\Users\Admin\AppData\Local\MP3Doctor Free 2022\mp3doctorfree.exe" -s
3⤵
- Executes dropped EXE
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\MP3Doctor Free 2022\mp3doctorfree.exe
Filesize
3.7MB

MD5
75c17ae3bd4cea74f33d2fd9fce99bc7

SHA1
c21da2480c5763bc4f7239ed3a0bd989e6104240

SHA256
5a6b3a305894ba708e6854c3358f1fed535301d95cafe861c461ccf2db60ee8d

SHA512
5ae61e879ab41caf0200466321b10d318a52be1211e65f5c1b694743b15bc2f5c8e62cdddc88225dbebfea7fec6ef714f4689be986fe1856bea9b4e393bcfca7

Download Submit
\Users\Admin\AppData\Local\Temp\is-AK94H.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-AK94H.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-U1L1C.tmp\112fabc0aae6f0be68ca31f4acc53afa.tmp
Filesize
680KB

MD5
a8acbb635dadcdb78f1859944862815c

SHA1
83872731d4effcfa9d15612316210b2e76da02e4

SHA256
8727197eb8363c1c5fdb30b8a98323964d2444a38c3436d1d8c4e64e60c5789b

SHA512
f671adc769c422ef3eb651447c3aed365f70ce62f7f442b5b748d5f7f269be9b657711f2489c6a1b1132495f59f18fd6e4b683c029dd628b24b98a07da264cf7

Download Submit
memory/2208-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2208-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2208-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2216-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2216-64-0x0000000005A30000-0x0000000005DE7000-memory.dmp

Filesize
3.7MB

Download
memory/2216-75-0x0000000005A30000-0x0000000005DE7000-memory.dmp

Filesize
3.7MB

Download
memory/2216-73-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2492-97-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-91-0x00000000028A0000-0x0000000002942000-memory.dmp

Filesize
648KB

Download
memory/2492-74-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-121-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-78-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-81-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-84-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-87-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-90-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-118-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-114-0x00000000028A0000-0x0000000002942000-memory.dmp

Filesize
648KB

Download
memory/2492-100-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-103-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-106-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-109-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-112-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2492-113-0x00000000028A0000-0x0000000002942000-memory.dmp

Filesize
648KB

Download
memory/2624-65-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2624-69-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2624-66-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download