socks5systemz | 4783a7d327acb7eecb81d4d12d6c613d82ca759f23ba8b605f920b00b0ed4e33

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

5.3MB
MD5

0f5526ecee9020eb8cb4b38ab8962968
SHA1

be15a920d82d5c90810190d1b83ceb692c5e50a2
SHA256

4783a7d327acb7eecb81d4d12d6c613d82ca759f23ba8b605f920b00b0ed4e33
SHA512

16cd227cfd716dd79396b2e063e615cdc461302891537500c30fcca3a36e9f0197f8f79862688b0649de17be0dc9915982fc8409cf8f46a02abc82b573fba3c0
SSDEEP

98304:C5cDwdMKeFV5rmrEBUq7EauMOU7e4B3M7jpazNZRH49JGwSx0F1cQHFbQxS:bwdMKeFVUS7uMOtkejpKMeCFbQ0

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/3364-88-0x0000000000A90000-0x0000000000B32000-memory.dmp family_socks5systemz
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

file.tmpudadvdfreeripper.exeudadvdfreeripper.exe

pid process

4992 file.tmp
4200 udadvdfreeripper.exe
3364 udadvdfreeripper.exe
Loads dropped DLL 1 IoCs

Processes:

file.tmp

pid process

4992 file.tmp
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 45.155.250.90
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

file.tmp

pid process

4992 file.tmp

resource	yara_rule
behavioral2/memory/3364-88-0x0000000000A90000-0x0000000000B32000-memory.dmp	family_socks5systemz

pid	process
4992	file.tmp
4200	udadvdfreeripper.exe
3364	udadvdfreeripper.exe

pid	process
4992	file.tmp

description	ioc
Destination IP	45.155.250.90

pid	process
4992	file.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

file.exefile.tmp

description	pid	process	target process
PID 2464 wrote to memory of 4992	2464	file.exe	file.tmp
PID 2464 wrote to memory of 4992	2464	file.exe	file.tmp
PID 2464 wrote to memory of 4992	2464	file.exe	file.tmp
PID 4992 wrote to memory of 4200	4992	file.tmp	udadvdfreeripper.exe
PID 4992 wrote to memory of 4200	4992	file.tmp	udadvdfreeripper.exe
PID 4992 wrote to memory of 4200	4992	file.tmp	udadvdfreeripper.exe
PID 4992 wrote to memory of 3364	4992	file.tmp	udadvdfreeripper.exe
PID 4992 wrote to memory of 3364	4992	file.tmp	udadvdfreeripper.exe
PID 4992 wrote to memory of 3364	4992	file.tmp	udadvdfreeripper.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Local\Temp\is-DBA0R.tmp\file.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DBA0R.tmp\file.tmp" /SL5="$B004E,5335502,54272,C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4992

C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper.exe
"C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper.exe" -i
3⤵
- Executes dropped EXE
PID:4200

C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper.exe
"C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper.exe" -s
3⤵
- Executes dropped EXE
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=1328 /prefetch:8
1⤵
PID:392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-88A7J.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DBA0R.tmp\file.tmp
Filesize
680KB

MD5
57f105eb048c2e407e3cf46e6a350d2e

SHA1
ddc7ca9f8d7974fcfe60dbac04465772ad91068e

SHA256
1d7a6131a37000b32deddac26b45589a3d1e1399d1231fb9916f388a17d87aff

SHA512
c7f77db12ce7c705b418753b167fbbf1ee0a8cd3c75ca0f2da5fce4bfc9667b059494bd4b0c10a74e95c72beef09398a86746bcef7bf58bb84baa4ea1dae5007

Download Submit
C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper.exe
Filesize
4.2MB

MD5
ec248f37f83fa8287e6f4dae0526143d

SHA1
60c786fc2cdda1363e6ad5124e49154dd15edb39

SHA256
76e98f3e58b2feb79da1c842faca8993111888c5909d2b3c0690fe8df89a91c2

SHA512
7666ad073e8bfc6950c30cb8858e253ba40468510006cd734fddfae51c5a1e78d1fe8a258eac303aadc4e80dec8d963b0f4e87c369c243d98d99be88a0a72567

Download Submit
memory/2464-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2464-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2464-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3364-90-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-95-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-116-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-113-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-68-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-69-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-110-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-107-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-72-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-75-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-76-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-79-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-82-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-85-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-88-0x0000000000A90000-0x0000000000B32000-memory.dmp

Filesize
648KB

Download
memory/3364-104-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-101-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/3364-98-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/4200-60-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/4200-59-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/4200-65-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/4200-64-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/4992-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4992-71-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download