Analysis

max time kernel: 142s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-01-2024 13:44
Behavioral tasks

behavioral1: sample "svchost_dump_SCY - Copy.exe", resource win7-20231215-en
behavioral2: sample "svchost_dump_SCY - Copy.exe", resource win10-20231215-en
behavioral3: sample "svchost_dump_SCY - Copy.exe", resource win10v2004-20231215-en
General

Target: svchost_dump_SCY - Copy.exe
Size: 5.2MB
MD5: 5fd3d21a968f4b8a1577b5405ab1c36a
SHA1: 710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256: 7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512: 085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP: 98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs
Malware Config
Signatures
Detects BazaLoader malware (8 IoCs)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
Matches (resource / yara_rule):
  behavioral3/memory/2908-0-0x0000000140000000-0x0000000140636000-memory.dmp / BazaLoader
  behavioral3/memory/2908-37-0x0000000140000000-0x0000000140636000-memory.dmp / BazaLoader
  C:\Windows\System\svchost.exe / BazaLoader
  C:\Windows\System\svchost.exe / BazaLoader
  C:\Windows\System\svchost.exe / BazaLoader
  behavioral3/memory/2792-45-0x0000000140000000-0x0000000140636000-memory.dmp / BazaLoader
  behavioral3/memory/2908-46-0x0000000140000000-0x0000000140636000-memory.dmp / BazaLoader
  behavioral3/memory/2792-61-0x0000000140000000-0x0000000140636000-memory.dmp / BazaLoader
Modifies Windows Firewall (1 TTP, 4 IoCs)
Processes (pid / process):
  1900 / netsh.exe
  4776 / netsh.exe
  3376 / netsh.exe
  1448 / netsh.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes (description / ioc / process):
  Key value queried / \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation / svchost_dump_SCY - Copy.exe
  Key value queried / \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation / svchost.exe
Executes dropped EXE (1 IoC)
Processes (pid / process):
  2792 / svchost.exe
Drops file in Windows directory (4 IoCs)
Processes (description / ioc / process):
  File created / C:\Windows\System\xxx1.bak / svchost_dump_SCY - Copy.exe
  File created / C:\Windows\System\svchost.exe / svchost_dump_SCY - Copy.exe
  File opened for modification / C:\Windows\System\svchost.exe / svchost_dump_SCY - Copy.exe
  File created / C:\Windows\System\xxx1.bak / svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes (pid / process):
  2176 / powershell.exe
  2176 / powershell.exe
  1524 / powershell.exe
  1524 / powershell.exe
  2176 / powershell.exe
  1524 / powershell.exe
  2908 / svchost_dump_SCY - Copy.exe
  2908 / svchost_dump_SCY - Copy.exe
  4492 / powershell.exe
  4492 / powershell.exe
  4492 / powershell.exe
  976 / powershell.exe
  976 / powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description / pid / process), grouped by process; the 21 token adjustments for PID 1796 are recorded twice in the report:
  PID 1796 WMIC.exe (x2): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 2176 powershell.exe: Token: SeDebugPrivilege
  PID 1524 powershell.exe: Token: SeDebugPrivilege
  PID 3696 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory (26 IoCs)
Processes (description / pid / process / target process); each write is recorded twice in the report:
  PID 2908 wrote to memory of 1796 / 2908 / svchost_dump_SCY - Copy.exe / WMIC.exe (x2)
  PID 2908 wrote to memory of 1900 / 2908 / svchost_dump_SCY - Copy.exe / netsh.exe (x2)
  PID 2908 wrote to memory of 4776 / 2908 / svchost_dump_SCY - Copy.exe / netsh.exe (x2)
  PID 2908 wrote to memory of 2176 / 2908 / svchost_dump_SCY - Copy.exe / powershell.exe (x2)
  PID 2908 wrote to memory of 1524 / 2908 / svchost_dump_SCY - Copy.exe / powershell.exe (x2)
  PID 2908 wrote to memory of 3244 / 2908 / svchost_dump_SCY - Copy.exe / schtasks.exe (x2)
  PID 2908 wrote to memory of 560 / 2908 / svchost_dump_SCY - Copy.exe / schtasks.exe (x2)
  PID 2908 wrote to memory of 2792 / 2908 / svchost_dump_SCY - Copy.exe / svchost.exe (x2)
  PID 2792 wrote to memory of 3696 / 2792 / svchost.exe / WMIC.exe (x2)
  PID 2792 wrote to memory of 3376 / 2792 / svchost.exe / netsh.exe (x2)
  PID 2792 wrote to memory of 1448 / 2792 / svchost.exe / netsh.exe (x2)
  PID 2792 wrote to memory of 4492 / 2792 / svchost.exe / powershell.exe (x2)
  PID 2792 wrote to memory of 976 / 2792 / svchost.exe / powershell.exe (x2)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree (indentation shows parent/child depth; PID and triggered signatures listed under each process):

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
  PID: 2908
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
      Command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      PID: 1796
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      PID: 1900
      - Modifies Windows Firewall

    C:\Windows\System32\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      PID: 4776
      - Modifies Windows Firewall

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      PID: 2176
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      PID: 1524
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\schtasks.exe
      Command line: schtasks /delete /TN "Timer"
      PID: 3244

    C:\Windows\SYSTEM32\schtasks.exe
      Command line: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      PID: 560
      - Creates scheduled task(s)

    C:\Windows\System\svchost.exe
      Command line: "C:\Windows\System\svchost.exe" formal
      PID: 2792
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe
          Command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          PID: 3696
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\netsh.exe
          Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          PID: 3376
          - Modifies Windows Firewall

        C:\Windows\System32\netsh.exe
          Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          PID: 1448
          - Modifies Windows Firewall

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          PID: 4492
          - Suspicious behavior: EnumeratesProcesses

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          PID: 976
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 77d622bb1a5b250869a3238b9bc1402b
SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Filesize: 944B
MD5: 15dde0683cd1ca19785d7262f554ba93
SHA1: d039c577e438546d10ac64837b05da480d06bf69
SHA256: d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512: 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 2.7MB
MD5: 399e885091f433c306661eee1cd438db
SHA1: d148192a1880432eb6a46fbf73777223fa279f5c
SHA256: e5ab202452cbbc9629ee9ad360da834e860e5650b490b60e63ffc1825772a1e3
SHA512: 899863701065a827dd0b29f3e5f9dfa18ff6ac4683e5da16175f233bbb98895c224d7e391085d06106dd7d6ec2505449db4ad3fa242c9309e0c88889361935e0

Filesize: 2.9MB
MD5: ce12819fc39b0a987f90ecb2ba56ee61
SHA1: 2a4cc8c8eed769e062e5f91713f2a19815cbd53b
SHA256: efb44e8ca3ba974d1316dd9a32de4ef75f0fc3ec9a73b33084be007e98d46093
SHA512: 18b40ab8b0174ab733ec319500754ce8db5e8bfa5b0440a0341659b1cc0f1c3885f28830a5603a2ef4524d0c68c8a91f56c4d33131a0f62653fdc326256f275a

Filesize: 507KB
MD5: c428877c787b0c17234a2e3293b70d5c
SHA1: 3fa59af9a980a9746cbb8f78b3af2057a6834bc1
SHA256: 00549815095049678074d93784eb5e53803575873be167f8419f61b5eea9020e
SHA512: 5568a24551f35f2a394e2cbed58b6af801f99accac84242858f6b90c14f9a2a3d356198ba681015e7eef7548b92b8185184cd2ac34d6f49c9c102e159c51317d

Filesize: 510KB
MD5: c3db33307069f604f94ea806c21d71e7
SHA1: 8530f9426538086d66763ec7ace42093c62651e1
SHA256: fd2f135353c8cfd3d27cdacfca1846717f47bfc9bb5609e49096f1178c5b6883
SHA512: 05ebda2ad5500e1cc9e44542dcd1eebb9597def3ae1d4a5556c48c12d56902efa29cdbd5ad1db8ea6ddf6a5d02afe22bcea8a5da96e8a591184e00f323b88a72

Filesize: 139KB
MD5: c557f5903b026a289ca7625257d8399e
SHA1: e9e4ca538545bb6fc0466894500d8bf85dd50c54
SHA256: 00197545c6cc4a761a6896fa63bda0fe64ca30b9f28e218dc8ae092d6786ecb6
SHA512: 8f9c4af3e00715ceb05e96a5a74f6b0cfc5f3b90fff422c2862d49379efe59d2db6dce17c563b2e1f2e5a269cd1fd658ce84c2e984a3f59726f80cedf4f8855f