Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04/05/2024, 15:23
Static task
static1
Behavioral task
behavioral1
Sample
Syaaz.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Syaaz.exe
Resource
win10v2004-20240419-en
General
-
Target
Syaaz.exe
-
Size
2.4MB
-
MD5
b9b17044245fff37882816fabddeadc1
-
SHA1
8b53a064746a78072a0cbbdba97140e069139fac
-
SHA256
3e186472c2020abca4cef8673cac61fac90dd135f58dca13221c66bea62e4b9d
-
SHA512
63f38a092f78b53d0ae018bda7d9bb358428af58cb1dddc94cf3444db4806cf4655d82ac4a3665e5766d8cc7d314414ffe7b4246610e6fdf17ccb70dc31bdcb0
-
SSDEEP
49152:tcnj29EIGBkpV+O93+xepz7BNBNTnx2azxcoBrZS3f4f:CXGruAx7DbxfFfw3O
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Executes dropped EXE 6 IoCs
pid Process 2356 syaaz.exe 1028 icsys.icn.exe 2828 explorer.exe 2648 spoolsv.exe 2844 svchost.exe 2708 spoolsv.exe -
Loads dropped DLL 11 IoCs
pid Process 1032 Syaaz.exe 1032 Syaaz.exe 1680 Process not Found 1028 icsys.icn.exe 1692 WerFault.exe 1692 WerFault.exe 1692 WerFault.exe 2828 explorer.exe 2648 spoolsv.exe 2844 svchost.exe 1692 WerFault.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe Syaaz.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2504 schtasks.exe 1812 schtasks.exe 2920 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1032 Syaaz.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2828 explorer.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe 2844 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2828 explorer.exe 2844 svchost.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 1032 Syaaz.exe 1032 Syaaz.exe 1028 icsys.icn.exe 1028 icsys.icn.exe 2828 explorer.exe 2828 explorer.exe 2648 spoolsv.exe 2648 spoolsv.exe 2844 svchost.exe 2844 svchost.exe 2708 spoolsv.exe 2708 spoolsv.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 1032 wrote to memory of 2356 1032 Syaaz.exe 28 PID 1032 wrote to memory of 2356 1032 Syaaz.exe 28 PID 1032 wrote to memory of 2356 1032 Syaaz.exe 28 PID 1032 wrote to memory of 2356 1032 Syaaz.exe 28 PID 1032 wrote to memory of 1028 1032 Syaaz.exe 30 PID 1032 wrote to memory of 1028 1032 Syaaz.exe 30 PID 1032 wrote to memory of 1028 1032 Syaaz.exe 30 PID 1032 wrote to memory of 1028 1032 Syaaz.exe 30 PID 2356 wrote to memory of 1692 2356 syaaz.exe 31 PID 2356 wrote to memory of 1692 2356 syaaz.exe 31 PID 2356 wrote to memory of 1692 2356 syaaz.exe 31 PID 1028 wrote to memory of 2828 1028 icsys.icn.exe 32 PID 1028 wrote to memory of 2828 1028 icsys.icn.exe 32 PID 1028 wrote to memory of 2828 1028 icsys.icn.exe 32 PID 1028 wrote to memory of 2828 1028 icsys.icn.exe 32 PID 2828 wrote to memory of 2648 2828 explorer.exe 33 PID 2828 wrote to memory of 2648 2828 explorer.exe 33 PID 2828 wrote to memory of 2648 2828 explorer.exe 33 PID 2828 wrote to memory of 2648 2828 explorer.exe 33 PID 2648 wrote to memory of 2844 2648 spoolsv.exe 34 PID 2648 wrote to memory of 2844 2648 spoolsv.exe 34 PID 2648 wrote to memory of 2844 2648 spoolsv.exe 34 PID 2648 wrote to memory of 2844 2648 spoolsv.exe 34 PID 2844 wrote to memory of 2708 2844 svchost.exe 35 PID 2844 wrote to memory of 2708 2844 svchost.exe 35 PID 2844 wrote to memory of 2708 2844 svchost.exe 35 PID 2844 wrote to memory of 2708 2844 svchost.exe 35 PID 2828 wrote to memory of 2600 2828 explorer.exe 36 PID 2828 wrote to memory of 2600 2828 explorer.exe 36 PID 2828 wrote to memory of 2600 2828 explorer.exe 36 PID 2828 wrote to memory of 2600 2828 explorer.exe 36 PID 2844 wrote to memory of 2504 2844 svchost.exe 37 PID 2844 wrote to memory of 2504 2844 svchost.exe 37 PID 2844 wrote to memory of 2504 2844 svchost.exe 37 PID 2844 wrote to memory of 2504 2844 svchost.exe 37 PID 2844 wrote to memory of 1812 2844 svchost.exe 42 PID 2844 wrote to memory of 1812 2844 svchost.exe 42 PID 2844 wrote to memory of 1812 2844 svchost.exe 42 PID 2844 wrote to memory of 1812 2844 svchost.exe 42 PID 2844 wrote to memory of 2920 2844 svchost.exe 44 PID 2844 wrote to memory of 2920 2844 svchost.exe 44 PID 2844 wrote to memory of 2920 2844 svchost.exe 44 PID 2844 wrote to memory of 2920 2844 svchost.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\Syaaz.exe"C:\Users\Admin\AppData\Local\Temp\Syaaz.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\users\admin\appdata\local\temp\syaaz.exec:\users\admin\appdata\local\temp\syaaz.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2356 -s 1563⤵
- Loads dropped DLL
PID:1692
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2708
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:35 /f6⤵
- Creates scheduled task(s)
PID:2504
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:36 /f6⤵
- Creates scheduled task(s)
PID:1812
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:37 /f6⤵
- Creates scheduled task(s)
PID:2920
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe4⤵PID:2600
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD5c4d7bc66a27fd889e4723a08762726fc
SHA16978b539cf9bc46e5d5922d5e141361f5da7cb71
SHA2567ace49fb27732368b2136773d13210a37d9b01dfb8fc6cc52977a55633b562f2
SHA5122f9204cc0e2b0983d4ba9424d849774bada1794bb0be2ae567ac3e6f5c6e5af3b072fbddf9c9587cf16b7a065e9f4f5ddcd286790aacead3db29445c12ad7414
-
Filesize
2.3MB
MD518bcc3e896b173891e2f16cb7ea99662
SHA14c67259d87428752f34cb22a3acbc0f2d5dfdc1f
SHA2565427611cbbdea8ef4ce6b8306939dd35ee6b5bd939875cc26587885ff95dff9b
SHA5120149efb58d8241ff7d50ed9bce0f4e61c061173ad5a83442e08a16f412c3448fe74633cff0283103e1f299165335864e1dc817301bc17da7c70965abcac3b48d
-
Filesize
135KB
MD52d272a9e71c1e0b670e5a666416dfe84
SHA19a64430763c537f978115383f5ba69017a18c9e7
SHA256ce8ea4132f3627cd1d823b481973c3790e4b0f3453e16537920c65ced84ba118
SHA512194dd053ebf8ed722229207b39dea1c76bc5d6ca5279ba5ce8bd2fc9d72bdf8bd29f961a0ea24c9ea9d602a0cefc9aa26f097ec8e10d33fdd62b71b2039ad6a7
-
Filesize
135KB
MD5d81d40537f0ef3b47ef59f6e16b6afb7
SHA10bc9eecddac26ae1ee79045be997f82240e40dfc
SHA256d7485ebaea2ab9a4a1390afc9d023896facf1cd1632c803e8b3de9111eb6f60f
SHA512a471ad1ab3a06996d9b886c84102595dd6fc6eef001c3ee89165b320ca1f17f556e291439527956be88590856859f43db69b09d0bb874403294764d598445c3a
-
Filesize
135KB
MD598e84845beeb16fcbd79c14abc5e3146
SHA1889c7484f0462d81d740457062768ef97de1c2cd
SHA25612983ce41d6ce092b4f86b5d587a11e7d6e801c8218260f6cb9c4e2e28dcff05
SHA51204aa7a444a6da750636565b0fc360660692b5137f3d86cd9d455d6aeeb5a5bb38208426fbaa4fa16990ba37a706eea89f80f1ff49a4c886b1cc0baf60d420087