f04d11a1c4811492e397bc151c65ea1958eab6cbcf279ece7bd59160bfbea3d8

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

Malware Config

Signatures

Detects BazaLoader malware 6 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral2/memory/1368-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/memory/1368-93-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
behavioral2/memory/3972-111-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/memory/1368-112-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/memory/3972-204-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

3720 netsh.exe
3540 netsh.exe
4040 netsh.exe
4540 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3972 svchost.exe

pid	process
3720	netsh.exe
3540	netsh.exe
4040	netsh.exe
4540	netsh.exe

pid	process
3972	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4244 schtasks.exe

pid	process
4244	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe

pid	process
3592	powershell.exe
3592	powershell.exe
820	powershell.exe
820	powershell.exe
3592	powershell.exe
820	powershell.exe
1368	svchost_dump_SCY - Copy.exe
1368	svchost_dump_SCY - Copy.exe
1904	powershell.exe
1904	powershell.exe
3868	powershell.exe
3868	powershell.exe
1904	powershell.exe
3868	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	708	WMIC.exe
Token: SeSecurityPrivilege	708	WMIC.exe
Token: SeTakeOwnershipPrivilege	708	WMIC.exe
Token: SeLoadDriverPrivilege	708	WMIC.exe
Token: SeSystemProfilePrivilege	708	WMIC.exe
Token: SeSystemtimePrivilege	708	WMIC.exe
Token: SeProfSingleProcessPrivilege	708	WMIC.exe
Token: SeIncBasePriorityPrivilege	708	WMIC.exe
Token: SeCreatePagefilePrivilege	708	WMIC.exe
Token: SeBackupPrivilege	708	WMIC.exe
Token: SeRestorePrivilege	708	WMIC.exe
Token: SeShutdownPrivilege	708	WMIC.exe
Token: SeDebugPrivilege	708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	708	WMIC.exe
Token: SeRemoteShutdownPrivilege	708	WMIC.exe
Token: SeUndockPrivilege	708	WMIC.exe
Token: SeManageVolumePrivilege	708	WMIC.exe
Token: 33	708	WMIC.exe
Token: 34	708	WMIC.exe
Token: 35	708	WMIC.exe
Token: 36	708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	708	WMIC.exe
Token: SeSecurityPrivilege	708	WMIC.exe
Token: SeTakeOwnershipPrivilege	708	WMIC.exe
Token: SeLoadDriverPrivilege	708	WMIC.exe
Token: SeSystemProfilePrivilege	708	WMIC.exe
Token: SeSystemtimePrivilege	708	WMIC.exe
Token: SeProfSingleProcessPrivilege	708	WMIC.exe
Token: SeIncBasePriorityPrivilege	708	WMIC.exe
Token: SeCreatePagefilePrivilege	708	WMIC.exe
Token: SeBackupPrivilege	708	WMIC.exe
Token: SeRestorePrivilege	708	WMIC.exe
Token: SeShutdownPrivilege	708	WMIC.exe
Token: SeDebugPrivilege	708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	708	WMIC.exe
Token: SeRemoteShutdownPrivilege	708	WMIC.exe
Token: SeUndockPrivilege	708	WMIC.exe
Token: SeManageVolumePrivilege	708	WMIC.exe
Token: 33	708	WMIC.exe
Token: 34	708	WMIC.exe
Token: 35	708	WMIC.exe
Token: 36	708	WMIC.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeIncreaseQuotaPrivilege	3592	powershell.exe
Token: SeSecurityPrivilege	3592	powershell.exe
Token: SeTakeOwnershipPrivilege	3592	powershell.exe
Token: SeLoadDriverPrivilege	3592	powershell.exe
Token: SeSystemProfilePrivilege	3592	powershell.exe
Token: SeSystemtimePrivilege	3592	powershell.exe
Token: SeProfSingleProcessPrivilege	3592	powershell.exe
Token: SeIncBasePriorityPrivilege	3592	powershell.exe
Token: SeCreatePagefilePrivilege	3592	powershell.exe
Token: SeBackupPrivilege	3592	powershell.exe
Token: SeRestorePrivilege	3592	powershell.exe
Token: SeShutdownPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeSystemEnvironmentPrivilege	3592	powershell.exe
Token: SeRemoteShutdownPrivilege	3592	powershell.exe
Token: SeUndockPrivilege	3592	powershell.exe
Token: SeManageVolumePrivilege	3592	powershell.exe
Token: 33	3592	powershell.exe
Token: 34	3592	powershell.exe
Token: 35	3592	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	pid	process	target process
PID 1368 wrote to memory of 708	1368	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1368 wrote to memory of 708	1368	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1368 wrote to memory of 3540	1368	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1368 wrote to memory of 3540	1368	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1368 wrote to memory of 4040	1368	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1368 wrote to memory of 4040	1368	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1368 wrote to memory of 3592	1368	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1368 wrote to memory of 3592	1368	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1368 wrote to memory of 820	1368	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1368 wrote to memory of 820	1368	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1368 wrote to memory of 4384	1368	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1368 wrote to memory of 4384	1368	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1368 wrote to memory of 4244	1368	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1368 wrote to memory of 4244	1368	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1368 wrote to memory of 3972	1368	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1368 wrote to memory of 3972	1368	svchost_dump_SCY - Copy.exe	svchost.exe
PID 3972 wrote to memory of 5052	3972	svchost.exe	WMIC.exe
PID 3972 wrote to memory of 5052	3972	svchost.exe	WMIC.exe
PID 3972 wrote to memory of 4540	3972	svchost.exe	netsh.exe
PID 3972 wrote to memory of 4540	3972	svchost.exe	netsh.exe
PID 3972 wrote to memory of 3720	3972	svchost.exe	netsh.exe
PID 3972 wrote to memory of 3720	3972	svchost.exe	netsh.exe
PID 3972 wrote to memory of 1904	3972	svchost.exe	powershell.exe
PID 3972 wrote to memory of 1904	3972	svchost.exe	powershell.exe
PID 3972 wrote to memory of 3868	3972	svchost.exe	powershell.exe
PID 3972 wrote to memory of 3868	3972	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3540

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:4384

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:4244

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
PID:5052

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4540

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
268b890dae39e430e8b127909067ed96

SHA1
35939515965c0693ef46e021254c3e73ea8c4a2b

SHA256
7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

SHA512
abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ea8eb4c93b171a1bd8f78c2f8d3c5f91

SHA1
c974b8f55f8e9523e09efcca15e98bbc3fdaecf9

SHA256
c28a2524ce1c2ae80134f7706c2635ebab867c3f72a765c379e52a39f6b33eaa

SHA512
842566248d47165c75a0c8a0c68a5c4a86b53dcaa847bc87e68f009a806cd985845976ae2a0268e7951f580f1cb850398a73e3c18be18d142619b23987b73878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b56de2b8bc6e9405bb74e7663a644dad

SHA1
e03c970868caf2d294d6dad2ddbacac3fbdc3d3f

SHA256
e8862cda1942914ec2d39e4cc60906640ecf3691569649ca166f8cd422eba113

SHA512
4a6c82a801fabf2d30253b593c20ddc5ee1408696a7d7b1a17d1cf749c0b03de5520adcf5e1e7d3f2f6189298f74efb189bb08c2bd875ec54f20fbfd63a00e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tjkl3kme.2ws.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
399e885091f433c306661eee1cd438db

SHA1
d148192a1880432eb6a46fbf73777223fa279f5c

SHA256
e5ab202452cbbc9629ee9ad360da834e860e5650b490b60e63ffc1825772a1e3

SHA512
899863701065a827dd0b29f3e5f9dfa18ff6ac4683e5da16175f233bbb98895c224d7e391085d06106dd7d6ec2505449db4ad3fa242c9309e0c88889361935e0

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
6.5MB

MD5
66f7e24b15c2ab2cfcc687fe9bf32ba5

SHA1
5763bdcb5d26da4eff39e7428a69c95867bbab99

SHA256
7a51d725709a9f0092c013f0ed7b261e2720605fa50cc382edeabcec26766bc2

SHA512
b83ff853fdd86d9c5c376eca7ec31e2bc3b4570586f2ee3e7a386827c03aff7f9c627836955c796553290e11f3c0522e9ff226dae875f1bdf7a4fb46820be7e3

Download Submit
C:\Windows\System\svchost.exe

Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
memory/820-12-0x00007FFBCDAA0000-0x00007FFBCE48C000-memory.dmp

Filesize
9.9MB

Download
memory/820-15-0x00000235B8830000-0x00000235B8840000-memory.dmp

Filesize
64KB

Download
memory/820-14-0x00000235B8830000-0x00000235B8840000-memory.dmp

Filesize
64KB

Download
memory/820-94-0x00000235B8830000-0x00000235B8840000-memory.dmp

Filesize
64KB

Download
memory/820-49-0x00000235B8830000-0x00000235B8840000-memory.dmp

Filesize
64KB

Download
memory/820-98-0x00007FFBCDAA0000-0x00007FFBCE48C000-memory.dmp

Filesize
9.9MB

Download
memory/1368-112-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1368-93-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1368-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1904-155-0x000002606AC80000-0x000002606AC90000-memory.dmp

Filesize
64KB

Download
memory/1904-115-0x00007FFBCDA00000-0x00007FFBCE3EC000-memory.dmp

Filesize
9.9MB

Download
memory/1904-214-0x00007FFBCDA00000-0x00007FFBCE3EC000-memory.dmp

Filesize
9.9MB

Download
memory/1904-209-0x000002606AC80000-0x000002606AC90000-memory.dmp

Filesize
64KB

Download
memory/1904-119-0x000002606AC80000-0x000002606AC90000-memory.dmp

Filesize
64KB

Download
memory/1904-118-0x000002606AC80000-0x000002606AC90000-memory.dmp

Filesize
64KB

Download
memory/3592-10-0x000002A516820000-0x000002A516830000-memory.dmp

Filesize
64KB

Download
memory/3592-7-0x000002A516820000-0x000002A516830000-memory.dmp

Filesize
64KB

Download
memory/3592-5-0x00007FFBCDAA0000-0x00007FFBCE48C000-memory.dmp

Filesize
9.9MB

Download
memory/3592-6-0x000002A516A70000-0x000002A516A92000-memory.dmp

Filesize
136KB

Download
memory/3592-18-0x000002A52F0B0000-0x000002A52F126000-memory.dmp

Filesize
472KB

Download
memory/3592-101-0x000002A516820000-0x000002A516830000-memory.dmp

Filesize
64KB

Download
memory/3592-105-0x00007FFBCDAA0000-0x00007FFBCE48C000-memory.dmp

Filesize
9.9MB

Download
memory/3592-43-0x000002A516820000-0x000002A516830000-memory.dmp

Filesize
64KB

Download
memory/3868-126-0x0000019C29370000-0x0000019C29380000-memory.dmp

Filesize
64KB

Download
memory/3868-210-0x00007FFBCDA00000-0x00007FFBCE3EC000-memory.dmp

Filesize
9.9MB

Download
memory/3868-205-0x0000019C29370000-0x0000019C29380000-memory.dmp

Filesize
64KB

Download
memory/3868-158-0x0000019C29370000-0x0000019C29380000-memory.dmp

Filesize
64KB

Download
memory/3868-123-0x00007FFBCDA00000-0x00007FFBCE3EC000-memory.dmp

Filesize
9.9MB

Download
memory/3972-204-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3972-215-0x0000000036960000-0x0000000036E42000-memory.dmp

Filesize
4.9MB

Download
memory/3972-111-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads