f04d11a1c4811492e397bc151c65ea1958eab6cbcf279ece7bd59160bfbea3d8

Resubmissions

23-01-2024 14:03

240123-rcwpqsbff3 10

23-01-2024 13:44

240123-q13yaabef7 10

Analysis

max time kernel
150s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
23-01-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 8 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral4/memory/2300-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/memory/2300-25-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
behavioral4/memory/916-41-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
behavioral4/memory/2300-42-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/memory/916-54-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

4820 netsh.exe
2132 netsh.exe
4068 netsh.exe
3096 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

916 svchost.exe

pid	process
4820	netsh.exe
2132	netsh.exe
4068	netsh.exe
3096	netsh.exe

pid	process
916	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2024 schtasks.exe

pid	process
2024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe

pid	process
4980	powershell.exe
2492	powershell.exe
4980	powershell.exe
2492	powershell.exe
2300	svchost_dump_SCY - Copy.exe
2300	svchost_dump_SCY - Copy.exe
4856	powershell.exe
2336	powershell.exe
4856	powershell.exe
2336	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2284	WMIC.exe
Token: SeSecurityPrivilege	2284	WMIC.exe
Token: SeTakeOwnershipPrivilege	2284	WMIC.exe
Token: SeLoadDriverPrivilege	2284	WMIC.exe
Token: SeSystemProfilePrivilege	2284	WMIC.exe
Token: SeSystemtimePrivilege	2284	WMIC.exe
Token: SeProfSingleProcessPrivilege	2284	WMIC.exe
Token: SeIncBasePriorityPrivilege	2284	WMIC.exe
Token: SeCreatePagefilePrivilege	2284	WMIC.exe
Token: SeBackupPrivilege	2284	WMIC.exe
Token: SeRestorePrivilege	2284	WMIC.exe
Token: SeShutdownPrivilege	2284	WMIC.exe
Token: SeDebugPrivilege	2284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2284	WMIC.exe
Token: SeRemoteShutdownPrivilege	2284	WMIC.exe
Token: SeUndockPrivilege	2284	WMIC.exe
Token: SeManageVolumePrivilege	2284	WMIC.exe
Token: 33	2284	WMIC.exe
Token: 34	2284	WMIC.exe
Token: 35	2284	WMIC.exe
Token: 36	2284	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2284	WMIC.exe
Token: SeSecurityPrivilege	2284	WMIC.exe
Token: SeTakeOwnershipPrivilege	2284	WMIC.exe
Token: SeLoadDriverPrivilege	2284	WMIC.exe
Token: SeSystemProfilePrivilege	2284	WMIC.exe
Token: SeSystemtimePrivilege	2284	WMIC.exe
Token: SeProfSingleProcessPrivilege	2284	WMIC.exe
Token: SeIncBasePriorityPrivilege	2284	WMIC.exe
Token: SeCreatePagefilePrivilege	2284	WMIC.exe
Token: SeBackupPrivilege	2284	WMIC.exe
Token: SeRestorePrivilege	2284	WMIC.exe
Token: SeShutdownPrivilege	2284	WMIC.exe
Token: SeDebugPrivilege	2284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2284	WMIC.exe
Token: SeRemoteShutdownPrivilege	2284	WMIC.exe
Token: SeUndockPrivilege	2284	WMIC.exe
Token: SeManageVolumePrivilege	2284	WMIC.exe
Token: 33	2284	WMIC.exe
Token: 34	2284	WMIC.exe
Token: 35	2284	WMIC.exe
Token: 36	2284	WMIC.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeIncreaseQuotaPrivilege	4252	WMIC.exe
Token: SeSecurityPrivilege	4252	WMIC.exe
Token: SeTakeOwnershipPrivilege	4252	WMIC.exe
Token: SeLoadDriverPrivilege	4252	WMIC.exe
Token: SeSystemProfilePrivilege	4252	WMIC.exe
Token: SeSystemtimePrivilege	4252	WMIC.exe
Token: SeProfSingleProcessPrivilege	4252	WMIC.exe
Token: SeIncBasePriorityPrivilege	4252	WMIC.exe
Token: SeCreatePagefilePrivilege	4252	WMIC.exe
Token: SeBackupPrivilege	4252	WMIC.exe
Token: SeRestorePrivilege	4252	WMIC.exe
Token: SeShutdownPrivilege	4252	WMIC.exe
Token: SeDebugPrivilege	4252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4252	WMIC.exe
Token: SeRemoteShutdownPrivilege	4252	WMIC.exe
Token: SeUndockPrivilege	4252	WMIC.exe
Token: SeManageVolumePrivilege	4252	WMIC.exe
Token: 33	4252	WMIC.exe
Token: 34	4252	WMIC.exe
Token: 35	4252	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	pid	process	target process
PID 2300 wrote to memory of 2284	2300	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2300 wrote to memory of 2284	2300	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2300 wrote to memory of 4068	2300	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2300 wrote to memory of 4068	2300	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2300 wrote to memory of 3096	2300	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2300 wrote to memory of 3096	2300	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2300 wrote to memory of 2492	2300	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2300 wrote to memory of 2492	2300	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2300 wrote to memory of 4980	2300	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2300 wrote to memory of 4980	2300	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2300 wrote to memory of 2620	2300	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2300 wrote to memory of 2620	2300	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2300 wrote to memory of 2024	2300	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2300 wrote to memory of 2024	2300	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2300 wrote to memory of 916	2300	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2300 wrote to memory of 916	2300	svchost_dump_SCY - Copy.exe	svchost.exe
PID 916 wrote to memory of 4252	916	svchost.exe	WMIC.exe
PID 916 wrote to memory of 4252	916	svchost.exe	WMIC.exe
PID 916 wrote to memory of 4820	916	svchost.exe	netsh.exe
PID 916 wrote to memory of 4820	916	svchost.exe	netsh.exe
PID 916 wrote to memory of 2132	916	svchost.exe	netsh.exe
PID 916 wrote to memory of 2132	916	svchost.exe	netsh.exe
PID 916 wrote to memory of 4856	916	svchost.exe	powershell.exe
PID 916 wrote to memory of 4856	916	svchost.exe	powershell.exe
PID 916 wrote to memory of 2336	916	svchost.exe	powershell.exe
PID 916 wrote to memory of 2336	916	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4068

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2620

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2024

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4820

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fca72bce0a730023d4632708575f791

SHA1
2e61ed866852bde74593b6fc435cf50ac277c045

SHA256
c3d6f5f1c6a7b910fba87e5298c97d2541dcf36b2e0df334cbd084afde040ae8

SHA512
3c62214fa7260fc85d1cd231db1266f12a569b4c393c0af0ce1b27f5b2acc9c5497a171348d64d68af0e2f87ac86a52b7f982842e3b3d2c89b9ff9ef791708e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yerzlfqj.feg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus

Filesize
692KB

MD5
4741838d7178e033d8c40cbb99522c39

SHA1
a47d318d8bd32a8721bebc55189fddd565a0d6c8

SHA256
170596093b2592bc173488e6bad942f475f4f4b70e6f1399b071d790dfdf66b4

SHA512
09a075223b7e2e8927e7bb7065fddd857b3c9c31aa998e77fe66456c0db43a695220768ea02d733a473c8feb2f2aae2a009e5aef8f2d2620552bcc6612bbfc90

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
7.7MB

MD5
bd1a26ddb159f9ad9eb126c5bceab89f

SHA1
9be5fb9b9a4593ce2fae2ed8e351adfbe4280827

SHA256
69ed9c96254b1cf93ee4606a182271af7e09221ad38e16a090d31881cf4c9fbe

SHA512
9cec9af9832cb0e37a665c90bd4da40f9a218376c0e773d5f3781471375cb6dfe0590c546aef465014c769120b704a21206c83afd7f0f4f2de174c27a632abf9

Download Submit
C:\Windows\System\svchost.exe

Filesize
170KB

MD5
58a0d32e4c7103a86313bb3542036aca

SHA1
00b60918a753a3b314f145bc695ff2efc4357a7e

SHA256
709b2e932f761c8b5dbac7d61681be58ec6d3e7a0083e731baf8d0043359a023

SHA512
61e9e7294d206acaf4c84e05740458c64cd22894215c46966d5c095a3ccf83d570224117e656e042308cda3cc284516720153c04b9de5918f73919bb9c2dcd33

Download Submit
C:\Windows\System\svchost.exe

Filesize
179KB

MD5
7b2f118300be150ea2f846157fe1779f

SHA1
a9e9bfb6e41836846ab65424de6efd4bc6ec2b34

SHA256
d2eeb84b25b59307d4f66bd174c084696bc61e9339c51ffdc94e10805443c56a

SHA512
b6cb45c31df83cca23c0a06e6a8f0dfc5efdcd812fc2147f2e0e4d000ef8ace55f3d8908e2068b5d9d5009481706fcd6482309823dc76524b9a11a2db00bce4b

Download Submit
C:\Windows\System\svchost.exe

Filesize
271KB

MD5
6ffa473c836fb400e217d0951cffdea9

SHA1
527db66a35e34ff53bc05420eca5e965edffdf58

SHA256
1d69282b9f88259f2a676a171adb17cc80b21f3b5af2e05594720efd42dbdf6b

SHA512
9c5d7524294a22cbc33bef1c251ff633a31c21f3acee03a2da3303d55af96d1d44a844b57a5a0a60caa16eed34645a166bdcc6de99361e6bab9b926a4ad734ce

Download Submit
memory/916-54-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/916-41-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/916-73-0x00000000368E0000-0x0000000036DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2300-42-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2300-25-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2300-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2336-64-0x000001548D240000-0x000001548D250000-memory.dmp

Filesize
64KB

Download
memory/2336-65-0x000001548D240000-0x000001548D250000-memory.dmp

Filesize
64KB

Download
memory/2336-72-0x00007FF8508B0000-0x00007FF851372000-memory.dmp

Filesize
10.8MB

Download
memory/2336-63-0x00007FF8508B0000-0x00007FF851372000-memory.dmp

Filesize
10.8MB

Download
memory/2492-6-0x00007FF8508B0000-0x00007FF851372000-memory.dmp

Filesize
10.8MB

Download
memory/2492-24-0x00000192782F0000-0x0000019278300000-memory.dmp

Filesize
64KB

Download
memory/2492-16-0x00000192782F0000-0x0000019278300000-memory.dmp

Filesize
64KB

Download
memory/2492-31-0x00007FF8508B0000-0x00007FF851372000-memory.dmp

Filesize
10.8MB

Download
memory/2492-20-0x00000192782F0000-0x0000019278300000-memory.dmp

Filesize
64KB

Download
memory/2492-15-0x0000019277D60000-0x0000019277D82000-memory.dmp

Filesize
136KB

Download
memory/4856-52-0x00000231606F0000-0x0000023160700000-memory.dmp

Filesize
64KB

Download
memory/4856-66-0x00000231606F0000-0x0000023160700000-memory.dmp

Filesize
64KB

Download
memory/4856-67-0x00000231606F0000-0x0000023160700000-memory.dmp

Filesize
64KB

Download
memory/4856-71-0x00007FF8508B0000-0x00007FF851372000-memory.dmp

Filesize
10.8MB

Download
memory/4856-43-0x00007FF8508B0000-0x00007FF851372000-memory.dmp

Filesize
10.8MB

Download
memory/4980-22-0x00007FF8508B0000-0x00007FF851372000-memory.dmp

Filesize
10.8MB

Download
memory/4980-21-0x00000137CE2D0000-0x00000137CE2E0000-memory.dmp

Filesize
64KB

Download
memory/4980-23-0x00000137CE2D0000-0x00000137CE2E0000-memory.dmp

Filesize
64KB

Download
memory/4980-32-0x00007FF8508B0000-0x00007FF851372000-memory.dmp

Filesize
10.8MB

Download