Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/05/2024, 15:23

General

  • Target

    Syaaz.exe

  • Size

    2.4MB

  • MD5

    b9b17044245fff37882816fabddeadc1

  • SHA1

    8b53a064746a78072a0cbbdba97140e069139fac

  • SHA256

    3e186472c2020abca4cef8673cac61fac90dd135f58dca13221c66bea62e4b9d

  • SHA512

    63f38a092f78b53d0ae018bda7d9bb358428af58cb1dddc94cf3444db4806cf4655d82ac4a3665e5766d8cc7d314414ffe7b4246610e6fdf17ccb70dc31bdcb0

  • SSDEEP

    49152:tcnj29EIGBkpV+O93+xepz7BNBNTnx2azxcoBrZS3f4f:CXGruAx7DbxfFfw3O

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Syaaz.exe
    "C:\Users\Admin\AppData\Local\Temp\Syaaz.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1032
    • \??\c:\users\admin\appdata\local\temp\syaaz.exe 
      c:\users\admin\appdata\local\temp\syaaz.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2356 -s 156
        3⤵
        • Loads dropped DLL
        PID:1692
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1028
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2828
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2648
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2844
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2708
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:35 /f
              6⤵
              • Creates scheduled task(s)
              PID:2504
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:36 /f
              6⤵
              • Creates scheduled task(s)
              PID:1812
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:37 /f
              6⤵
              • Creates scheduled task(s)
              PID:2920
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
          PID:2600

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      c4d7bc66a27fd889e4723a08762726fc

      SHA1

      6978b539cf9bc46e5d5922d5e141361f5da7cb71

      SHA256

      7ace49fb27732368b2136773d13210a37d9b01dfb8fc6cc52977a55633b562f2

      SHA512

      2f9204cc0e2b0983d4ba9424d849774bada1794bb0be2ae567ac3e6f5c6e5af3b072fbddf9c9587cf16b7a065e9f4f5ddcd286790aacead3db29445c12ad7414

    • \Users\Admin\AppData\Local\Temp\syaaz.exe 

      Filesize

      2.3MB

      MD5

      18bcc3e896b173891e2f16cb7ea99662

      SHA1

      4c67259d87428752f34cb22a3acbc0f2d5dfdc1f

      SHA256

      5427611cbbdea8ef4ce6b8306939dd35ee6b5bd939875cc26587885ff95dff9b

      SHA512

      0149efb58d8241ff7d50ed9bce0f4e61c061173ad5a83442e08a16f412c3448fe74633cff0283103e1f299165335864e1dc817301bc17da7c70965abcac3b48d

    • \Windows\Resources\Themes\icsys.icn.exe

      Filesize

      135KB

      MD5

      2d272a9e71c1e0b670e5a666416dfe84

      SHA1

      9a64430763c537f978115383f5ba69017a18c9e7

      SHA256

      ce8ea4132f3627cd1d823b481973c3790e4b0f3453e16537920c65ced84ba118

      SHA512

      194dd053ebf8ed722229207b39dea1c76bc5d6ca5279ba5ce8bd2fc9d72bdf8bd29f961a0ea24c9ea9d602a0cefc9aa26f097ec8e10d33fdd62b71b2039ad6a7

    • \Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      d81d40537f0ef3b47ef59f6e16b6afb7

      SHA1

      0bc9eecddac26ae1ee79045be997f82240e40dfc

      SHA256

      d7485ebaea2ab9a4a1390afc9d023896facf1cd1632c803e8b3de9111eb6f60f

      SHA512

      a471ad1ab3a06996d9b886c84102595dd6fc6eef001c3ee89165b320ca1f17f556e291439527956be88590856859f43db69b09d0bb874403294764d598445c3a

    • \Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      98e84845beeb16fcbd79c14abc5e3146

      SHA1

      889c7484f0462d81d740457062768ef97de1c2cd

      SHA256

      12983ce41d6ce092b4f86b5d587a11e7d6e801c8218260f6cb9c4e2e28dcff05

      SHA512

      04aa7a444a6da750636565b0fc360660692b5137f3d86cd9d455d6aeeb5a5bb38208426fbaa4fa16990ba37a706eea89f80f1ff49a4c886b1cc0baf60d420087

    • memory/1028-62-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1032-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1032-63-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2648-48-0x0000000000360000-0x000000000037F000-memory.dmp

      Filesize

      124KB

    • memory/2648-61-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2708-60-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2828-35-0x0000000000500000-0x000000000051F000-memory.dmp

      Filesize

      124KB

    • memory/2844-55-0x00000000002C0000-0x00000000002DF000-memory.dmp

      Filesize

      124KB