| File name: | adobe.exe |
| Full analysis: | https://app.any.run/tasks/bc1e985a-b64e-4c74-9f3e-9723d1f1650b |
| Verdict: | Malicious activity |
| Threats: | Socks5systemz is a proxy botnet: it turns infected machines into nodes that forward traffic on behalf of its operators, who sell access to the compromised endpoints to other threat actors. The botnet controls thousands of devices and steers them through a set of commands from its C2. |
| Analysis date: | December 15, 2023, 10:54:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | DB2B07839701C26827BDC9C74A96A822 |
| SHA1: | 5B46AD371980461EFBD3388EDBF5BE1C5C10E152 |
| SHA256: | 353B052CBA36672D3FE8758C0A4796A25B51F6B9D8BD1799F64DB829F45BE5EA |
| SSDEEP: | 98304:VnIX9tiX2Y7+0WccIJ3muiaWlFVRrKtt9sHL3QjE8c5HvRBEDo8mmAoW89FxKoTh:qpmFHBb |
| Extension | Identified type (score) |
|---|---|
| .exe | Inno Setup installer (77.7) |
| .exe | Win32 Executable Delphi generic (10) |
| .dll | Win32 Dynamic Link Library (generic) (4.6) |
| .exe | Win32 Executable (generic) (3.1) |
| .exe | Win16/32 Executable Delphi generic (1.4) |
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2023:12:15 11:53:43+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 37888 |
| InitializedDataSize: | 32256 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x9c40 |
| OSVersion: | 1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | |
| FileDescription: | ButtonLIB Setup |
| FileVersion: | |
| LegalCopyright: | |
| ProductName: | ButtonLIB |
| ProductVersion: | 1.2.1.5 |
All processes ran as user admin. The table is ordered by the parent/child chain rather than by PID. adobe.exe is an Inno Setup loader that unpacks its embedded setup program to a temporary adobe.tmp; the first, medium-integrity adobe.tmp re-launches adobe.exe with /SPAWNWND and /NOTIFYWND (Inno Setup's elevation hand-off), and the resulting high-integrity chain performs the installation. The /SL5 argument is Inno Setup's loader-to-setup hand-off: the loader window handle, the offsets inside adobe.exe of the embedded setup headers (7257302) and file data (68608), and the loader's own path. The elevated adobe.tmp (1560) writes C:\Program Files\ButtonLIB, runs net helpmsg 15 and schtasks /Query (which only lists tasks; no task creation is recorded in this trace), and starts buttonlib.exe with -i (1328) and with -s (3832); the -s instance is the one responsible for the registry writes and the network traffic below. wmpnscfg.exe (2224) is an unrelated Windows Media Player child of explorer.exe.

| PID | Command line | Path | Parent | Integrity | Exit code | Version | Description (company) |
|---|---|---|---|---|---|---|---|
| 3048 | "C:\Users\admin\AppData\Local\Temp\adobe.exe" | C:\Users\admin\AppData\Local\Temp\adobe.exe | explorer.exe | MEDIUM | 0 | — | ButtonLIB Setup |
| 1864 | "C:\Users\admin\AppData\Local\Temp\is-SQB9D.tmp\adobe.tmp" /SL5="$1B0142,7257302,68608,C:\Users\admin\AppData\Local\Temp\adobe.exe" | C:\Users\admin\AppData\Local\Temp\is-SQB9D.tmp\adobe.tmp | adobe.exe | MEDIUM | 0 | 51.52.0.0 | Setup/Uninstall |
| 2928 | "C:\Users\admin\AppData\Local\Temp\adobe.exe" /SPAWNWND=$1A0194 /NOTIFYWND=$1B0142 | C:\Users\admin\AppData\Local\Temp\adobe.exe | adobe.tmp | HIGH | 0 | — | ButtonLIB Setup |
| 1560 | "C:\Users\admin\AppData\Local\Temp\is-71RS1.tmp\adobe.tmp" /SL5="$130176,7257302,68608,C:\Users\admin\AppData\Local\Temp\adobe.exe" /SPAWNWND=$1A0194 /NOTIFYWND=$1B0142 | C:\Users\admin\AppData\Local\Temp\is-71RS1.tmp\adobe.tmp | adobe.exe | HIGH | 0 | 51.52.0.0 | Setup/Uninstall |
| 1328 | "C:\Program Files\ButtonLIB\buttonlib.exe" -i | C:\Program Files\ButtonLIB\buttonlib.exe | adobe.tmp | HIGH | 0 | 0.8.2.402 | — |
| 1360 | "C:\Windows\system32\net.exe" helpmsg 15 | C:\Windows\System32\net.exe | adobe.tmp | HIGH | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) | Net Command (Microsoft Corporation) |
| 1936 | C:\Windows\system32\net1 helpmsg 15 | C:\Windows\System32\net1.exe | net.exe | HIGH | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | Net Command (Microsoft Corporation) |
| 2424 | "C:\Windows\system32\schtasks.exe" /Query | C:\Windows\System32\schtasks.exe | adobe.tmp | HIGH | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) | Manages scheduled tasks (Microsoft Corporation) |
| 3832 | "C:\Program Files\ButtonLIB\buttonlib.exe" -s | C:\Program Files\ButtonLIB\buttonlib.exe | adobe.tmp | HIGH | 0 | 0.8.2.402 | — |
| 2224 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | explorer.exe | MEDIUM | 0 | 12.0.7600.16385 (win7_rtm.090713-1255) | Windows Media Player Network Sharing Service Configuration Application (Microsoft Corporation) |
All ten writes come from buttonlib.exe (PID 3832) and land under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings; the Subkey column is relative to that key. These are the values WinINet maintains for a process that starts using it (proxy discovery, zone map, cache prefixes). ProxyEnable stays 0 and the SavedLegacySettings blob names no proxy server or auto-config URL, so nothing here reconfigures the host's proxy settings; the bot's own traffic goes out directly. WpadDecisionTime is an 8-byte little-endian FILETIME.

| Subkey | Name | Operation | Value |
|---|---|---|---|
| (Internet Settings itself) | ProxyEnable | write | 0 |
| Connections | SavedLegacySettings | write | 460000005A010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 5.0\Cache\Cookies | CachePrefix | write | Cookie: |
| 5.0\Cache\History | CachePrefix | write | Visited: |
| ZoneMap | ProxyBypass | write | 1 |
| ZoneMap | IntranetName | write | 1 |
| ZoneMap | UNCAsIntranet | write | 1 |
| ZoneMap | AutoDetect | write | 0 |
| Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} | WpadDecisionReason | write | 1 |
| Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} | WpadDecisionTime | write | 32D4065C452FDA01 |
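The two binary values in the table above are the ones worth decoding before concluding anything about proxy behaviour. The script below is an added example, not part of the sandbox report: it parses the documented header of SavedLegacySettings (version, change counter, WinINet PROXY_TYPE_* flags and the three length-prefixed strings, the same layout as DefaultConnectionSettings) and converts WpadDecisionTime from a FILETIME. The hex strings are copied from the report; the bytes after the three strings are WinINet's WPAD auto-detect cache and are returned raw rather than parsed. For this sample the flags decode to 0x09 (PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT) with empty proxy server and auto-config URL, and the WPAD decision time lands within minutes of the analysis start.

```python
"""Decode the two binary values that buttonlib.exe (PID 3832) wrote under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings.

Added example, not part of the sandbox report. The two hex strings are copied
from the registry table of the report. The header layout of SavedLegacySettings
(the same as DefaultConnectionSettings) is WinINet's: DWORD version, DWORD
change counter, DWORD PROXY_TYPE_* flags, then three length-prefixed ANSI
strings (proxy server, bypass list, auto-config URL). The bytes after those
strings hold WinINet's WPAD auto-detect cache; they are returned raw, not parsed.
"""
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

# PROXY_TYPE_* bits as defined in wininet.h.
PROXY_TYPE_FLAGS = {
    0x1: "PROXY_TYPE_DIRECT",
    0x2: "PROXY_TYPE_PROXY",
    0x4: "PROXY_TYPE_AUTO_PROXY_URL",
    0x8: "PROXY_TYPE_AUTO_DETECT",
}

# Connections\SavedLegacySettings exactly as dumped in the report (REG_BINARY as hex).
SAVED_LEGACY_SETTINGS_HEX = "460000005A010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"

# Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}\WpadDecisionTime as dumped in the report.
WPAD_DECISION_TIME_HEX = "32D4065C452FDA01"

# A FILETIME counts 100-nanosecond ticks since this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a pasted registry hex dump into bytes. Whitespace is ignored and a
    dump that was cut off after an odd nibble is padded with one zero nibble."""
    dump = "".join(dump.split())
    if len(dump) % 2:
        dump += "0"
    return bytes.fromhex(dump)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Convert an 8-byte little-endian FILETIME to an aware UTC datetime."""
    (ticks,) = struct.unpack("<Q", raw[:8])
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def _read_lpstr(buf: bytes, off: int) -> tuple[str, int]:
    """Read a DWORD byte count followed by that many ANSI bytes; return (text, new offset)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].decode("latin-1"), off + n


def decode_connection_settings(blob: bytes) -> dict:
    """Parse the documented header of a SavedLegacySettings/DefaultConnectionSettings blob."""
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    proxy_server, off = _read_lpstr(blob, off)
    proxy_bypass, off = _read_lpstr(blob, off)
    autoconfig_url, off = _read_lpstr(blob, off)
    return {
        "version": version,
        "change_counter": counter,
        "flags": flags,
        "flag_names": [name for bit, name in PROXY_TYPE_FLAGS.items() if flags & bit],
        "proxy_server": proxy_server,
        "proxy_bypass": proxy_bypass,
        "autoconfig_url": autoconfig_url,
        # A system proxy is in effect only if the PROXY bit is set and a server is named.
        "system_proxy_configured": bool(flags & 0x2) and proxy_server != "",
        "trailer": blob[off:],  # WPAD auto-detect cache; layout intentionally not parsed
    }


if __name__ == "__main__":
    settings = decode_connection_settings(hex_dump_to_bytes(SAVED_LEGACY_SETTINGS_HEX))
    for key, value in settings.items():
        if key != "trailer":
            print(f"{key}: {value}")
    print(f"trailer: {len(settings['trailer'])} bytes")
    decided = filetime_to_datetime(hex_dump_to_bytes(WPAD_DECISION_TIME_HEX))
    print(f"WpadDecisionTime: {decided.isoformat()}")
```

The same parser applies to DefaultConnectionSettings from a live host or a hive file, which is the value to check when triaging whether a proxy bot has actually pointed the victim's WinINet stack at an attacker-controlled proxy.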
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1560 | adobe.tmp | C:\Users\admin\AppData\Local\Temp\is-KGBVD.tmp\_isetup\_isdecmp.dll | executable | 3ADAA386B671C2DF3BAE5B39DC093008 | 71CD2F5BC6E13B8349A7C98697C6D2E3FCDEEA92699CEDD591875BEA869FAE38 |
| 1560 | adobe.tmp | C:\Program Files\ButtonLIB\stuff\is-1TJAD.tmp | text | 992C00BEAB194CE392117BB419F53051 | 9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C |
| 1560 | adobe.tmp | C:\Program Files\ButtonLIB\uninstall\unins000.exe | executable | 613FFB81D6DAC027BFCAEB4F422F4525 | F814B563CDA408B1C7DFD3D66C1DE74F884664DAD1F8E5C9017579FF803BC165 |
| 3048 | adobe.exe | C:\Users\admin\AppData\Local\Temp\is-SQB9D.tmp\adobe.tmp | executable | F448D7F4B76E5C9C3A4EAFF16A8B9B73 | 7233B85EB0F8B3AA5CAE3811D727AA8742FEC4D1091C120A0FE15006F424CC49 |
| 1560 | adobe.tmp | C:\Users\admin\AppData\Local\Temp\is-KGBVD.tmp\_isetup\_shfoldr.dll | executable | 92DC6EF532FBB4A5C3201469A5B5EB63 | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
| 2928 | adobe.exe | C:\Users\admin\AppData\Local\Temp\is-71RS1.tmp\adobe.tmp | executable | F448D7F4B76E5C9C3A4EAFF16A8B9B73 | 7233B85EB0F8B3AA5CAE3811D727AA8742FEC4D1091C120A0FE15006F424CC49 |
| 1560 | adobe.tmp | C:\Users\admin\AppData\Local\Temp\is-KGBVD.tmp\_isetup\_RegDLL.tmp | executable | 0EE914C6F0BB93996C75941E1AD629C6 | 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2 |
| 1560 | adobe.tmp | C:\Users\admin\AppData\Local\Temp\is-KGBVD.tmp\_isetup\_iscrypt.dll | executable | A69559718AB506675E907FE49DEB71E9 | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
| 1560 | adobe.tmp | C:\Program Files\ButtonLIB\uninstall\is-I72VF.tmp | executable | 613FFB81D6DAC027BFCAEB4F422F4525 | F814B563CDA408B1C7DFD3D66C1DE74F884664DAD1F8E5C9017579FF803BC165 |
| 1560 | adobe.tmp | C:\Program Files\ButtonLIB\stuff\is-806I3.tmp | text | 257D1BF38FA7859FFC3717EF36577C04 | DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3832 | buttonlib.exe | GET | 200 | 185.196.8.22:80 | http://bgwmeco.com/click/?counter=de7ef49b2c006853fb38357b3206f31360ff1905c311578eaae3c7edb62cde24353e1d9a943e9d150388429452e940e0a4a21bca13c034069538dc1a959a22237244a421216497c02320889f8f71035f8edc06fb17cdde5bb026 | unknown | text | 3.99 Kb | unknown |
3832 | buttonlib.exe | GET | 200 | 185.196.8.22:80 | http://bgwmeco.com/click/?counter=de7ef49b2c006853fb38357b3206f31360ff1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f508166429e289d58869b3a226d55f676647fc3813369d184da325a5089d801fe12ce | unknown | text | 4.13 Kb | unknown |
3832 | buttonlib.exe | GET | 200 | 185.196.8.22:80 | http://bgwmeco.com/click/?counter=de7ef49b2c006853fb38357b3206f31360ff1905c311578eaae3c7edb62cde24353e1d9a943e9d150388429452e940e0a4a21bca13c034069538dc1a959a22237244a421216497c02320889f8f71035f8edc06fb17cdde5bb026 | unknown | text | 14 b | unknown |
3832 | buttonlib.exe | GET | 200 | 185.196.8.22:80 | http://bgwmeco.com/click/?counter=de7ef49b2c006853fb38357b3206f31360ff1905c311578eaae3c7edb62cde24353e1d9a943e9d150388429452e940e0a4a21bca13c034069538dc1a959a22237244a421216497c02320889f8f71035f8edc06fb17cdde5bb026 | unknown | text | 14 b | unknown |
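The four requests above share one shape: a plain-HTTP GET to /click/ whose only query parameter is a long lowercase-hex `counter` blob. The script below is an added example, not part of the report and not the logic of the ET or ANY.RUN Suricata rules that fired; it turns that observed shape into a check over proxy-log lines and, for the hits it finds, reports how many leading hex digits the blobs share. The 64-digit minimum, the `<unix ts> <client ip> <method> <url>` log format and the client address are assumptions; the first two sample URLs are copied from the table above and the third is a constructed benign look-alike.

```python
"""Flag HTTP requests shaped like the Socks5Systemz beacons in this report.

Added example; it is not part of the report and is not the logic of the ET or
ANY.RUN Suricata rules that fired. The shape it matches (plain-HTTP GET to
/click/ whose only query parameter is `counter`, holding a long lowercase-hex
blob) is derived solely from the four requests listed in the report. The
64-hex-digit minimum and the "<unix ts> <client ip> <method> <url>" log format
are assumptions; the first two sample URLs are copied from the report, the
third is a constructed benign look-alike.
"""
from __future__ import annotations

import re
from os.path import commonprefix
from urllib.parse import parse_qsl, urlsplit

# Lowercase hex, at least 64 digits (assumed threshold; the observed blobs are well over 100 digits).
HEX_BLOB = re.compile(r"^[0-9a-f]{64,}$")

# Constructed proxy-log lines: the client address and timestamps are made up,
# the first two URLs are the report's own, the third is benign.
SAMPLE_LOG = """\
1702637790 192.168.100.37 GET http://bgwmeco.com/click/?counter=de7ef49b2c006853fb38357b3206f31360ff1905c311578eaae3c7edb62cde24353e1d9a943e9d150388429452e940e0a4a21bca13c034069538dc1a959a22237244a421216497c02320889f8f71035f8edc06fb17cdde5bb026
1702637801 192.168.100.37 GET http://bgwmeco.com/click/?counter=de7ef49b2c006853fb38357b3206f31360ff1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f508166429e289d58869b3a226d55f676647fc3813369d184da325a5089d801fe12ce
1702637900 192.168.100.37 GET http://tracker.example/click/?counter=42&ref=home
"""


def beacon_counter(url: str) -> str | None:
    """Return the counter blob when `url` has the beacon shape, otherwise None."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.path != "/click/":
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) != 1 or params[0][0] != "counter":
        return None
    value = params[0][1]
    return value if HEX_BLOB.match(value) else None


def scan_log(text: str) -> list[dict]:
    """Run the check over proxy-log lines; return one record per matching request."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4 or fields[2] != "GET":
            continue
        ts, client, _, url = fields
        counter = beacon_counter(url)
        if counter is not None:
            hits.append({"ts": int(ts), "client": client,
                         "host": urlsplit(url).hostname, "counter": counter})
    return hits


def shared_prefix_len(counters: list[str]) -> int:
    """How many leading hex digits all beacon blobs share. A long shared prefix
    across requests from one host says the blob is structured rather than fresh
    random data per request, which matters when choosing what a signature keys on."""
    return len(commonprefix(counters)) if counters else 0


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} "
              f"counter={hit['counter'][:16]}... ({len(hit['counter'])} hex digits)")
    print("shared prefix:", shared_prefix_len([h["counter"] for h in found]), "hex digits")
```

The check deliberately requires plain HTTP and exactly one parameter, matching what was observed; loosening either is a tuning decision to make against real proxy logs, not against this single run.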
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3832 | buttonlib.exe | 185.196.8.22:80 | bgwmeco.com | — | US | unknown |
3832 | buttonlib.exe | 95.216.227.177:2023 | — | Hetzner Online GmbH | FI | unknown |
| Domain | IP | Reputation |
|---|---|---|
| bgwmeco.com | 185.196.8.22 | unknown |
Only buttonlib.exe (3832) produces external traffic: the four HTTP GETs to bgwmeco.com and a TCP connection to 95.216.227.177:2023 (Hetzner Online GmbH, FI) on a non-standard port, which appears in the connection list but not in the HTTP table. Every Suricata alert fires on that process. "Suspicious Windows NT version 9 User-Agent" means the client's User-Agent header claims an NT version that no Windows release reports (Windows 7 is NT 6.1, Windows 8.1 is NT 6.3, Windows 10 and 11 report 10.0), a common tell for a hand-written User-Agent string.

| PID | Process | Class | Message |
|---|---|---|---|
| 3832 | buttonlib.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 |
| 3832 | buttonlib.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 |
| 3832 | buttonlib.exe | Potentially Bad Traffic | ET HUNTING Suspicious Windows NT version 9 User-Agent |
| 3832 | buttonlib.exe | Malware Command and Control Activity Detected | PROXY [ANY.RUN] Socks5Systemz HTTP C2 Connection |
| 3832 | buttonlib.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 |
| 3832 | buttonlib.exe | Malware Command and Control Activity Detected | PROXY [ANY.RUN] Socks5Systemz HTTP C2 Connection |
| 3832 | buttonlib.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 |
| 3832 | buttonlib.exe | Potentially Bad Traffic | ET HUNTING Suspicious Windows NT version 9 User-Agent |
| 3832 | buttonlib.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 |
| 3832 | buttonlib.exe | Malware Command and Control Activity Detected | PROXY [ANY.RUN] Socks5Systemz HTTP C2 Connection |