File name: install.exe
Full analysis: https://app.any.run/tasks/fa006a09-c2cf-4709-a828-b5309edb3d2b
Verdict: Malicious activity
Threats: Socks5systemz

Socks5systemz is a botnet that utilizes its infection capabilities to establish a network of compromised devices. These devices are then used to forward malicious traffic. The criminals behind this malware sell access to the infected endpoints to other threat actors. Socks5systemz maintains control over thousands of devices and communicates with them using specific commands.

Analysis date: September 10, 2024, 00:20:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: socks5systemz, proxy

Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C883436A51137626711481FED4BE79C8
SHA1: 57C7E6907219E8AAE747F64343066963B57508B0
SHA256: 7E33A3B6DE352650C44163C2FF989CAD764017C508E13B240F783C08C736F2C5
SSDEEP: 98304:RhaMBahUD7lI7kkm5qj5yz057MP42Xu/hrudaG2IhjLXEPns8IT5uhgnVyhQRXPG:mkCsTy/eQl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to the CnC server
      • audiocutterjoiner32_64.exe (PID: 4292)
    • SOCKS5SYSTEMZ has been detected (SURICATA)
      • audiocutterjoiner32_64.exe (PID: 4292)
  • SUSPICIOUS
    • Reads the Windows owner or organization settings
      • install.tmp (PID: 3244)
    • Process drops legitimate Windows executable
      • install.tmp (PID: 3244)
    • Executable content was dropped or overwritten
      • install.exe (PID: 2468)
      • install.tmp (PID: 3244)
      • audiocutterjoiner32_64.exe (PID: 4292)
    • Reads security settings of Internet Explorer
      • audiocutterjoiner32_64.exe (PID: 4292)
    • Contacting a server suspected of hosting a CnC
      • audiocutterjoiner32_64.exe (PID: 4292)
    • Connects to unusual port
      • audiocutterjoiner32_64.exe (PID: 4292)
  • INFO
    • Creates files in a temporary directory
      • install.exe (PID: 2468)
      • install.tmp (PID: 3244)
    • Checks supported languages
      • install.tmp (PID: 3244)
      • install.exe (PID: 2468)
      • audiocutterjoiner32_64.exe (PID: 4292)
    • Reads the computer name
      • install.tmp (PID: 3244)
      • audiocutterjoiner32_64.exe (PID: 4292)
    • Creates files or folders in the user directory
      • install.tmp (PID: 3244)
    • Creates a software uninstall entry
      • install.tmp (PID: 3244)
    • Creates files in the program directory
      • audiocutterjoiner32_64.exe (PID: 4292)
    • Checks proxy server information
      • audiocutterjoiner32_64.exe (PID: 4292)
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 37888
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0x9c40
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Audio Cutter Joiner Setup
FileVersion:
LegalCopyright:
ProductName: Audio Cutter Joiner
ProductVersion:
All screenshots are available in the full report
Total processes: 136
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start -> install.exe -> install.tmp -> audiocutterjoiner32_64.exe (#SOCKS5SYSTEMZ)

Process information

PID 2468: "C:\Users\admin\AppData\Local\Temp\install.exe"
  Path: C:\Users\admin\AppData\Local\Temp\install.exe
  Parent process: explorer.exe
  User: admin
  Company: (none)
  Integrity Level: MEDIUM
  Description: Audio Cutter Joiner Setup
  Version: (none)
  Modules (images):
    c:\users\admin\appdata\local\temp\install.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 3244: "C:\Users\admin\AppData\Local\Temp\is-DS6DM.tmp\install.tmp" /SL5="$503A8,3387544,54272,C:\Users\admin\AppData\Local\Temp\install.exe"
  Path: C:\Users\admin\AppData\Local\Temp\is-DS6DM.tmp\install.tmp
  Parent process: install.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Setup/Uninstall
  Version: 51.52.0.0
  Modules (images):
    c:\users\admin\appdata\local\temp\is-ds6dm.tmp\install.tmp
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 4292: "C:\Users\admin\AppData\Local\Audio Cutter Joiner\audiocutterjoiner32_64.exe" -i
  Path: C:\Users\admin\AppData\Local\Audio Cutter Joiner\audiocutterjoiner32_64.exe
  Parent process: install.tmp
  User: admin
  Company: DA Software
  Integrity Level: MEDIUM
  Description: DAC Core Library
  Version: 2.4.9.4
  Modules (images):
    c:\users\admin\appdata\local\audio cutter joiner\audiocutterjoiner32_64.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\imm32.dll
Total events: 560
Read events: 544
Write events: 16
Delete events: 0

Modification events

All entries below were written by install.tmp (PID 3244) under the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio Cutter Joiner_is1 (operation: write).

Name | Value
Inno Setup: Setup Version | 5.5.2 (a)
Inno Setup: App Path | C:\Users\admin\AppData\Local\Audio Cutter Joiner
InstallLocation | C:\Users\admin\AppData\Local\Audio Cutter Joiner\
Inno Setup: Icon Group | Audio Cutter Joiner
Inno Setup: User | admin
Inno Setup: Language | english
DisplayName | Audio Cutter Joiner 3.3.3.3
UninstallString | "C:\Users\admin\AppData\Local\Audio Cutter Joiner\unins000.exe"
QuietUninstallString | "C:\Users\admin\AppData\Local\Audio Cutter Joiner\unins000.exe" /SILENT
NoModify | 1
Executable files: 13
Suspicious files: 10
Text files: 9
Unknown types: 8

Dropped files

PID | Process | Filename | Type
3244 | install.tmp | C:\Users\admin\AppData\Local\Temp\is-4MB3F.tmp\_isetup\_setup64.tmp | executable
  MD5: C8871EFD8AF2CF4D9D42D1FF8FADBF89
  SHA256: E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
3244 | install.tmp | C:\Users\admin\AppData\Local\Audio Cutter Joiner\libeay32.dll | executable
  MD5: A236287C42F921D109475D47E9DCAC2B
  SHA256: 63AA600A7C914C2D59280069169CC93E750E42C9A1146E238C9128E073D578FD
3244 | install.tmp | C:\Users\admin\AppData\Local\Audio Cutter Joiner\ssleay32.dll | executable
  MD5: EE856A00410ECED8CC609936D01F954E
  SHA256: B6192300D3C1476EF3C25A368D055AA401035E78F9F6DBE5F93C84D36EF1FA62
3244 | install.tmp | C:\Users\admin\AppData\Local\Temp\is-4MB3F.tmp\_isetup\_shfoldr.dll | executable
  MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
  SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
2468 | install.exe | C:\Users\admin\AppData\Local\Temp\is-DS6DM.tmp\install.tmp | executable
  MD5: FBA25940D073D324E5DF77F502A5A7CE
  SHA256: 4944EBD7F24F7A842472ADA777B872F6C678FFD8B4D6009A3DD7ACA4ED444699
3244 | install.tmp | C:\Users\admin\AppData\Local\Audio Cutter Joiner\is-4GNDJ.tmp | executable
  MD5: EE856A00410ECED8CC609936D01F954E
  SHA256: B6192300D3C1476EF3C25A368D055AA401035E78F9F6DBE5F93C84D36EF1FA62
3244 | install.tmp | C:\Users\admin\AppData\Local\Audio Cutter Joiner\whatsnew.txt | text
  MD5: BF23B0CB3FB4563A8E76D948920310FF
  SHA256: E98378B5F1FB11DE06503B2143B593D1CB66B2B2E8F831FA39472F83AFDAEB26
3244 | install.tmp | C:\Users\admin\AppData\Local\Audio Cutter Joiner\libssl-1_1.dll | executable
  MD5: 20B6B06BBD211A8ACFE51193653E4167
  SHA256: 7A16E6ED0C0A49AEB8EA4972600A7A1422C92550602A150634B1C221F79300B4
3244 | install.tmp | C:\Users\admin\AppData\Local\Audio Cutter Joiner\license.txt | text
  MD5: DC55027FDFFA56D9112D3D0E4F9AEA5E
  SHA256: 5AF24498951E305FE55378C58808261359DC559CC11BE72A56726AECD1F8676F
3244 | install.tmp | C:\Users\admin\AppData\Local\Audio Cutter Joiner\is-A754G.tmp | executable
  MD5: C29A9B9FDC113CD40072635FDB8B364E
  SHA256: 83377518DBC716F3AF8DC125D8FDCC659F48A68934EFB1C3DCFF2E3F5D25236F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 75
DNS requests: 22
Threats: 14

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
1440 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4292 | audiocutterjoiner32_64.exe | GET | 200 | 185.196.8.214:80 | http://aybsouj.ru/search/?q=67e28dd86b59f621460aa91a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978fe71ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396287fd16c7ee96 | unknown | suspicious
4292 | audiocutterjoiner32_64.exe | GET | 200 | 185.196.8.214:80 | http://aybsouj.ru/search/?q=67e28dd86b59f621460aa91a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978fe71ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396287fd16c7ee96 | unknown | suspicious
2120 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2700 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2700 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4292 | audiocutterjoiner32_64.exe | GET | 200 | 185.196.8.214:80 | http://aybsouj.ru/search/?q=67e28dd86b59f621460aa91a7c27d78406abdd88be4b12eab517aa5c96bd86e892824b96148ab2865b77f80ebad9c60f7cb63037ed2ab423a43b4383ba915d911ec079b506a0708720fa12b86fc753bbf51aba1e7242fa7023cc366689fd14c9ed929d3ace | unknown | suspicious
4292 | audiocutterjoiner32_64.exe | GET | 200 | 185.196.8.214:80 | http://aybsouj.ru/search/?q=67e28dd86b59f621460aa91a7c27d78406abdd88be4b12eab517aa5c96bd86e892824b96148ab2865b77f80ebad9c60f7cb63037ed2ab423a43b4383ba915d911ec079b506a0708720fa12b86fc753bbf51aba1e7242fa7023cc366689fd14c9ed929d3ace | unknown | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6012 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6380 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5336 | SearchApp.exe | 2.23.209.149:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
5336 | SearchApp.exe | 2.23.209.182:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
5336 | SearchApp.exe | 2.23.209.130:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
5336 | SearchApp.exe | 20.44.10.122:443 | browser.pipe.aria.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests


Threats

PID | Process | Class | Message
4292 | audiocutterjoiner32_64.exe | Potentially Bad Traffic | ET HUNTING Suspicious Windows NT version 9 User-Agent
4292 | audiocutterjoiner32_64.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 24
4292 | audiocutterjoiner32_64.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 32
4292 | audiocutterjoiner32_64.exe | Malware Command and Control Activity Detected | PROXY [ANY.RUN] Socks5Systemz HTTP C2 Connection
4292 | audiocutterjoiner32_64.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1
4292 | audiocutterjoiner32_64.exe | Potentially Bad Traffic | ET HUNTING Suspicious Windows NT version 9 User-Agent
4292 | audiocutterjoiner32_64.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1
4292 | audiocutterjoiner32_64.exe | Malware Command and Control Activity Detected | PROXY [ANY.RUN] Socks5Systemz HTTP C2 Connection
4292 | audiocutterjoiner32_64.exe | Potentially Bad Traffic | ET HUNTING Suspicious Windows NT version 9 User-Agent
4292 | audiocutterjoiner32_64.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1
No debug info