f04d11a1c4811492e397bc151c65ea1958eab6cbcf279ece7bd59160bfbea3d8

Resubmissions

23-01-2024 14:03

240123-rcwpqsbff3 10

23-01-2024 13:44

240123-q13yaabef7 10

Analysis

max time kernel
9s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23-01-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 9 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral1/memory/2324-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
\Windows\system\svchost.exe	BazaLoader
behavioral1/memory/1036-37-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral1/memory/2324-34-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
C:\Windows\system\svchost.exe	BazaLoader
C:\Windows\system\svchost.exe	BazaLoader
\Windows\system\svchost.exe	BazaLoader
behavioral1/memory/2324-38-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral1/memory/1036-64-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

2964 netsh.exe
2676 netsh.exe
1116 netsh.exe
1428 netsh.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost_dump_SCY - Copy.exe

description ioc process

File created C:\Windows\System\xxx1.bak svchost_dump_SCY - Copy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1960 schtasks.exe

pid	process
2964	netsh.exe
2676	netsh.exe
1116	netsh.exe
1428	netsh.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe

pid	process
1960	schtasks.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1920	WMIC.exe
Token: SeSecurityPrivilege	1920	WMIC.exe
Token: SeTakeOwnershipPrivilege	1920	WMIC.exe
Token: SeLoadDriverPrivilege	1920	WMIC.exe
Token: SeSystemProfilePrivilege	1920	WMIC.exe
Token: SeSystemtimePrivilege	1920	WMIC.exe
Token: SeProfSingleProcessPrivilege	1920	WMIC.exe
Token: SeIncBasePriorityPrivilege	1920	WMIC.exe
Token: SeCreatePagefilePrivilege	1920	WMIC.exe
Token: SeBackupPrivilege	1920	WMIC.exe
Token: SeRestorePrivilege	1920	WMIC.exe
Token: SeShutdownPrivilege	1920	WMIC.exe
Token: SeDebugPrivilege	1920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1920	WMIC.exe
Token: SeRemoteShutdownPrivilege	1920	WMIC.exe
Token: SeUndockPrivilege	1920	WMIC.exe
Token: SeManageVolumePrivilege	1920	WMIC.exe
Token: 33	1920	WMIC.exe
Token: 34	1920	WMIC.exe
Token: 35	1920	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1920	WMIC.exe
Token: SeSecurityPrivilege	1920	WMIC.exe
Token: SeTakeOwnershipPrivilege	1920	WMIC.exe
Token: SeLoadDriverPrivilege	1920	WMIC.exe
Token: SeSystemProfilePrivilege	1920	WMIC.exe
Token: SeSystemtimePrivilege	1920	WMIC.exe
Token: SeProfSingleProcessPrivilege	1920	WMIC.exe
Token: SeIncBasePriorityPrivilege	1920	WMIC.exe
Token: SeCreatePagefilePrivilege	1920	WMIC.exe
Token: SeBackupPrivilege	1920	WMIC.exe
Token: SeRestorePrivilege	1920	WMIC.exe
Token: SeShutdownPrivilege	1920	WMIC.exe
Token: SeDebugPrivilege	1920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1920	WMIC.exe
Token: SeRemoteShutdownPrivilege	1920	WMIC.exe
Token: SeUndockPrivilege	1920	WMIC.exe
Token: SeManageVolumePrivilege	1920	WMIC.exe
Token: 33	1920	WMIC.exe
Token: 34	1920	WMIC.exe
Token: 35	1920	WMIC.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

svchost_dump_SCY - Copy.exe

description	pid	process	target process
PID 2324 wrote to memory of 1920	2324	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2324 wrote to memory of 1920	2324	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2324 wrote to memory of 1920	2324	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2324 wrote to memory of 2964	2324	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2324 wrote to memory of 2964	2324	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2324 wrote to memory of 2964	2324	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2324 wrote to memory of 2676	2324	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2324 wrote to memory of 2676	2324	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2324 wrote to memory of 2676	2324	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2324 wrote to memory of 2232	2324	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2324 wrote to memory of 2232	2324	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2324 wrote to memory of 2232	2324	svchost_dump_SCY - Copy.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2964

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
PID:2724

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2736

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:1960

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
PID:1036

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1116

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
PID:608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
PID:2448

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14cfef0e6f5d3560dfd7ad3ec35c5542

SHA1
c7892724101005ecb8ed9154685fc0575ac2cdf6

SHA256
61b701ecf35429f18b0e7e9fd7da4bd1908f6ad8f5bdb022114964c8a05fdffd

SHA512
d140a9b06c1c233da7d0a001237ea62553af3d28fcd29e4a4da062de2b9023acc3f1d9973f438c650d75ae280c7b4668dccf7fc2061602e19089317542cef96e

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
226KB

MD5
ac0a85d50ef7db6c0ac51ba4fdfcd3eb

SHA1
b9cfff58a1e3b9052ea537c008f4e2edc6d4e492

SHA256
3e8d823836701bcca3c5828a3e51ca395a6fbfbe024880af18e7c2c5053eb492

SHA512
afd955d231a926a2c47dd590d314cdd06406477cfb007c1d27d8e6a118799f734f001bc87fbf0f4fac5ba94320dbc4992e06770b59d94e1ffbad8ca973db512d

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
23KB

MD5
2a068f63de91d8c7325ed05850e5d682

SHA1
fa95ccc5c3c1d206b2e82c9aec2445631e5949df

SHA256
417724515176253fa7db402e9e3e6935c9bf752dc44fd4bf81b7e8bcd86584a6

SHA512
b2766026c5d59e251b48fd4df253dd2e4135ec7bd2c70b8a29ed9677e329574ca3a9d92af5e538f546bbb47e0474a7671ad83e24f5daa78f4f9ca4dca901b09f

Download Submit
C:\Windows\system\svchost.exe

Filesize
267KB

MD5
dc33dc5be9110424fad3c3ba244fd381

SHA1
a35f6447573e80314b8133faf67d4cb060486caf

SHA256
87c0f646da25345b0109a77f6b39a7191731a3a6e3aa47ea6569c065573d439e

SHA512
cc88c2d56f50ef9652e30f8032777ad312b63b0887c269a68aef2775d532975fe83415fd9ea534ff0ac5b291ba92162f776bcb0a458319f1dd1e381235f2df65

Download Submit
C:\Windows\system\svchost.exe

Filesize
695KB

MD5
615ef32c247a2c14142a20d4ea9f975c

SHA1
7da6baaa5b1019831f6261037d4c5206f390a516

SHA256
6a5f195087b79924a0dacc8c98d87ac1a52d0bd9d992f5c7e37760e41430516e

SHA512
0a1f6d333dd3fc9266c4a8c06055f746f40c9f88c9a7f4aa13f181a16cbf23803774fc1dc1300b8185de7ff2727dc6716d9ac8421be98089df8e4e6359e4076b

Download Submit
\Windows\system\svchost.exe

Filesize
675KB

MD5
ad7decf1b462516cd5e080abee40cb24

SHA1
d13d41aada29b970af1be1b0af92a57017ef7602

SHA256
08cfe483a1539ca37c64c7163b867f818012e9c86f50e021db779c24280fb377

SHA512
38904e968c655e4d04204e361b15f9ec21698f559465b37f16f5e034b50a12ca7d29769a65766b97388572e101c337dd7dc98de516ff3d7d10af05eccf607f4e

Download Submit
\Windows\system\svchost.exe

Filesize
240KB

MD5
abe26ff686c4854ab40c0c8e35417d32

SHA1
57e3710bc619994ec6b17b6b0c0e83b30f9b6fda

SHA256
25401d389646b64d614361ac788ff0068efdfcfbf3af7aff488f256fad9b2705

SHA512
efe30a9ba7dd33890535c7561d2d7d7a3a8131c26d609bd08360bdbc77958714335ad1d162f26a204187ceb3c6f1e866c1d96406b4f3b38a75275b7087479e8d

Download Submit
memory/608-62-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/608-59-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/608-61-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/608-60-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/608-58-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/608-63-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1036-37-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1036-65-0x000000001EE00000-0x000000001F2E2000-memory.dmp

Filesize
4.9MB

Download
memory/1036-64-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2232-13-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/2232-15-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/2232-14-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2232-6-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2232-12-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2232-16-0x0000000002B54000-0x0000000002B57000-memory.dmp

Filesize
12KB

Download
memory/2232-5-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2232-19-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-35-0x0000000040C30000-0x0000000041266000-memory.dmp

Filesize
6.2MB

Download
memory/2324-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2324-36-0x0000000040C30000-0x0000000041266000-memory.dmp

Filesize
6.2MB

Download
memory/2324-34-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2324-38-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2448-47-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2448-45-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2448-51-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2448-44-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2448-50-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2448-46-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2448-57-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2448-49-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2448-48-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-21-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/2724-20-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-17-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-22-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/2724-23-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-24-0x0000000002D5B000-0x0000000002DC2000-memory.dmp

Filesize
412KB

Download
memory/2724-18-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download