7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
131s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23-01-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 8 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

resource	yara_rule
behavioral1/memory/2264-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral1/memory/640-35-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral1/files/0x0005000000019235-32.dat	BazaLoader
behavioral1/files/0x0005000000019235-30.dat	BazaLoader
behavioral1/files/0x0005000000019235-27.dat	BazaLoader
behavioral1/files/0x0005000000019235-26.dat	BazaLoader
behavioral1/memory/2264-36-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral1/memory/640-63-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Windows Service

T1543.003

pid	Process
2792	netsh.exe
2020	netsh.exe
2320	netsh.exe
2652	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
640	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2264	svchost_dump_SCY - Copy.exe
2264	svchost_dump_SCY - Copy.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2556	powershell.exe
3008	powershell.exe
2264	svchost_dump_SCY - Copy.exe
1736	powershell.exe
2896	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2884	WMIC.exe
Token: SeSecurityPrivilege	2884	WMIC.exe
Token: SeTakeOwnershipPrivilege	2884	WMIC.exe
Token: SeLoadDriverPrivilege	2884	WMIC.exe
Token: SeSystemProfilePrivilege	2884	WMIC.exe
Token: SeSystemtimePrivilege	2884	WMIC.exe
Token: SeProfSingleProcessPrivilege	2884	WMIC.exe
Token: SeIncBasePriorityPrivilege	2884	WMIC.exe
Token: SeCreatePagefilePrivilege	2884	WMIC.exe
Token: SeBackupPrivilege	2884	WMIC.exe
Token: SeRestorePrivilege	2884	WMIC.exe
Token: SeShutdownPrivilege	2884	WMIC.exe
Token: SeDebugPrivilege	2884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2884	WMIC.exe
Token: SeRemoteShutdownPrivilege	2884	WMIC.exe
Token: SeUndockPrivilege	2884	WMIC.exe
Token: SeManageVolumePrivilege	2884	WMIC.exe
Token: 33	2884	WMIC.exe
Token: 34	2884	WMIC.exe
Token: 35	2884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2884	WMIC.exe
Token: SeSecurityPrivilege	2884	WMIC.exe
Token: SeTakeOwnershipPrivilege	2884	WMIC.exe
Token: SeLoadDriverPrivilege	2884	WMIC.exe
Token: SeSystemProfilePrivilege	2884	WMIC.exe
Token: SeSystemtimePrivilege	2884	WMIC.exe
Token: SeProfSingleProcessPrivilege	2884	WMIC.exe
Token: SeIncBasePriorityPrivilege	2884	WMIC.exe
Token: SeCreatePagefilePrivilege	2884	WMIC.exe
Token: SeBackupPrivilege	2884	WMIC.exe
Token: SeRestorePrivilege	2884	WMIC.exe
Token: SeShutdownPrivilege	2884	WMIC.exe
Token: SeDebugPrivilege	2884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2884	WMIC.exe
Token: SeRemoteShutdownPrivilege	2884	WMIC.exe
Token: SeUndockPrivilege	2884	WMIC.exe
Token: SeManageVolumePrivilege	2884	WMIC.exe
Token: 33	2884	WMIC.exe
Token: 34	2884	WMIC.exe
Token: 35	2884	WMIC.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeIncreaseQuotaPrivilege	2984	WMIC.exe
Token: SeSecurityPrivilege	2984	WMIC.exe
Token: SeTakeOwnershipPrivilege	2984	WMIC.exe
Token: SeLoadDriverPrivilege	2984	WMIC.exe
Token: SeSystemProfilePrivilege	2984	WMIC.exe
Token: SeSystemtimePrivilege	2984	WMIC.exe
Token: SeProfSingleProcessPrivilege	2984	WMIC.exe
Token: SeIncBasePriorityPrivilege	2984	WMIC.exe
Token: SeCreatePagefilePrivilege	2984	WMIC.exe
Token: SeBackupPrivilege	2984	WMIC.exe
Token: SeRestorePrivilege	2984	WMIC.exe
Token: SeShutdownPrivilege	2984	WMIC.exe
Token: SeDebugPrivilege	2984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2984	WMIC.exe
Token: SeRemoteShutdownPrivilege	2984	WMIC.exe
Token: SeUndockPrivilege	2984	WMIC.exe
Token: SeManageVolumePrivilege	2984	WMIC.exe
Token: 33	2984	WMIC.exe
Token: 34	2984	WMIC.exe
Token: 35	2984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2984	WMIC.exe
Token: SeSecurityPrivilege	2984	WMIC.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2884	2264	svchost_dump_SCY - Copy.exe	30
PID 2264 wrote to memory of 2884	2264	svchost_dump_SCY - Copy.exe	30
PID 2264 wrote to memory of 2884	2264	svchost_dump_SCY - Copy.exe	30
PID 2264 wrote to memory of 2792	2264	svchost_dump_SCY - Copy.exe	35
PID 2264 wrote to memory of 2792	2264	svchost_dump_SCY - Copy.exe	35
PID 2264 wrote to memory of 2792	2264	svchost_dump_SCY - Copy.exe	35
PID 2264 wrote to memory of 2652	2264	svchost_dump_SCY - Copy.exe	33
PID 2264 wrote to memory of 2652	2264	svchost_dump_SCY - Copy.exe	33
PID 2264 wrote to memory of 2652	2264	svchost_dump_SCY - Copy.exe	33
PID 2264 wrote to memory of 2556	2264	svchost_dump_SCY - Copy.exe	31
PID 2264 wrote to memory of 2556	2264	svchost_dump_SCY - Copy.exe	31
PID 2264 wrote to memory of 2556	2264	svchost_dump_SCY - Copy.exe	31
PID 2264 wrote to memory of 3008	2264	svchost_dump_SCY - Copy.exe	38
PID 2264 wrote to memory of 3008	2264	svchost_dump_SCY - Copy.exe	38
PID 2264 wrote to memory of 3008	2264	svchost_dump_SCY - Copy.exe	38
PID 2264 wrote to memory of 1556	2264	svchost_dump_SCY - Copy.exe	40
PID 2264 wrote to memory of 1556	2264	svchost_dump_SCY - Copy.exe	40
PID 2264 wrote to memory of 1556	2264	svchost_dump_SCY - Copy.exe	40
PID 2264 wrote to memory of 1648	2264	svchost_dump_SCY - Copy.exe	42
PID 2264 wrote to memory of 1648	2264	svchost_dump_SCY - Copy.exe	42
PID 2264 wrote to memory of 1648	2264	svchost_dump_SCY - Copy.exe	42
PID 2264 wrote to memory of 640	2264	svchost_dump_SCY - Copy.exe	45
PID 2264 wrote to memory of 640	2264	svchost_dump_SCY - Copy.exe	45
PID 2264 wrote to memory of 640	2264	svchost_dump_SCY - Copy.exe	45
PID 640 wrote to memory of 2984	640	svchost.exe	44
PID 640 wrote to memory of 2984	640	svchost.exe	44
PID 640 wrote to memory of 2984	640	svchost.exe	44
PID 640 wrote to memory of 2020	640	svchost.exe	49
PID 640 wrote to memory of 2020	640	svchost.exe	49
PID 640 wrote to memory of 2020	640	svchost.exe	49
PID 640 wrote to memory of 2320	640	svchost.exe	53
PID 640 wrote to memory of 2320	640	svchost.exe	53
PID 640 wrote to memory of 2320	640	svchost.exe	53
PID 640 wrote to memory of 1736	640	svchost.exe	51
PID 640 wrote to memory of 1736	640	svchost.exe	51
PID 640 wrote to memory of 1736	640	svchost.exe	51
PID 640 wrote to memory of 2896	640	svchost.exe	56
PID 640 wrote to memory of 2896	640	svchost.exe	56
PID 640 wrote to memory of 2896	640	svchost.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\System32\Wbem\WMIC.exe
  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:2652
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\system32\schtasks.exe
  schtasks /delete /TN "Timer"
  2⤵
  PID:1556
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:1648
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1736
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2896

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3b22ee5bf0da54ddb955d02e6ab98746

SHA1
a05cfe9d5729a9cf5c6b115698e9c845e4bf6f13

SHA256
b42411752b750b7e8832189f7ae6ae7e738df2cdc02ca7de70c02c7e0cdb0756

SHA512
1ddc2b2f47500c49581f6b75eee2180b28c29731de73a68b97e571cb2c84199154c495baea95b7559c2d32d65c8e0be2e68214422850fe0c26caee95fbc33a80

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
209KB

MD5
bf411f9013ccf90d0d378c0908480f24

SHA1
6f60c97d72d22eab07d42b16b00aab6808d39ae5

SHA256
37846869faa7ddda55b2bcd9dd1fdd706d310afab8a7735e88c6fa0e3e43e9bf

SHA512
797a0928ba9ba02fe63917bccc878f9cad82259f41fd4435233015a804f587397774218af345978fc3e2778d94ab8f0f2331b2370846498fa7f560784d270849

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
186KB

MD5
a30cb833cc4b10fcb877fc016a5068bb

SHA1
7e29abdfddae94294f9d8eca67d0da4139ea4674

SHA256
9b79f430777880b1a188ddf2fcfd859f39689706bc6ff8055b611304586bd958

SHA512
e54d6c095a7d5ed2e9c41e9559eccff0c0f04394744912252789dff4fe9c190ef2f08c49da2193cbf28fbef24591e64abf900f557ebf081bd2adfa1fb5ea3cb7

Download Submit
C:\Windows\system\svchost.exe

Filesize
109KB

MD5
37d3fc7a6c5b0e62e7788c7cc7a2ddd0

SHA1
6b254362ea152dcc1f6e7cf1409b39573cb54a98

SHA256
0c25d6e7f7865ac604040fa1e0edbb49b1452dda52556abf18662feac772db1a

SHA512
c913c1ccd440229ad98bc1e30295ac674d9d9dbb1b485098230036d23366c422f40951525577bfe79896136784394e844eee3072abacd39e21fe87aaee0106bd

Download Submit
C:\Windows\system\svchost.exe

Filesize
125KB

MD5
b4d50f5616061419845acd7bc3b4c054

SHA1
f016945371e02e5613b216db2b4d58a3d456f9e7

SHA256
9bf77cd065d974f5e08bea0f85685df853f0b806bf66c83f9985af8739c2156e

SHA512
0059cf972afc1f64a89f114bca402482a2b1b842fff9e05fe4db3872ee610a60ac6432e982a330c18bc4f6434e70e84d93b20cab86eb0703e4dbceed44a048b7

Download Submit
\Windows\system\svchost.exe

Filesize
168KB

MD5
3176ed1f1f93e9f6ee14375b4eb556a2

SHA1
57ecab4d6328810e21503c9ec58f50992833be8c

SHA256
fcb145cb0e2087cf72fbec4311b03189d56b8064fd3788382e99c66447286faf

SHA512
7867a2c3d77f23f10a0bdd86f96fee1038f68189dc55732f7d21f000d28846d94058db41728dde6c4d293442adb187558da2972c5e2913237161c2ca8704adba

Download Submit
\Windows\system\svchost.exe

Filesize
141KB

MD5
844501f91114541ba697f3b3b76b0768

SHA1
d9dedfb1d8b3e85775afe43fbbcfe49267ec7a79

SHA256
2c78ee199991592de93568c004d9bc1f248fbedd5f9e37923d64c5ba173c98d6

SHA512
0246422670acd920c6c89e031db3e6e5718c5bdeb106c93799eaedfb729b720d440cd8bd3dcea34985afe667231387723612d642dbd975efcf233285d325bb53

Download Submit
memory/640-64-0x000000001ED50000-0x000000001F232000-memory.dmp

Filesize
4.9MB

Download
memory/640-35-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/640-63-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1736-46-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-44-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1736-43-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-45-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1736-42-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1736-48-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1736-47-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1736-49-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1736-59-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2264-33-0x000000001F4C0000-0x000000001FAF6000-memory.dmp

Filesize
6.2MB

Download
memory/2264-34-0x000000001F4C0000-0x000000001FAF6000-memory.dmp

Filesize
6.2MB

Download
memory/2264-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2264-36-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2556-13-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2556-15-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2556-23-0x000007FEF3FA0000-0x000007FEF493D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-22-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2556-21-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2556-14-0x000007FEF3FA0000-0x000007FEF493D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-12-0x000007FEF3FA0000-0x000007FEF493D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-6-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2556-5-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2896-62-0x000000000230B000-0x0000000002372000-memory.dmp

Filesize
412KB

Download
memory/2896-61-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-60-0x0000000002300000-0x0000000002380000-memory.dmp

Filesize
512KB

Download
memory/2896-57-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-58-0x0000000002300000-0x0000000002380000-memory.dmp

Filesize
512KB

Download
memory/2896-56-0x0000000002300000-0x0000000002380000-memory.dmp

Filesize
512KB

Download
memory/3008-16-0x000007FEF3FA0000-0x000007FEF493D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-17-0x0000000002CD0000-0x0000000002D50000-memory.dmp

Filesize
512KB

Download
memory/3008-19-0x000007FEF3FA0000-0x000007FEF493D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-20-0x0000000002CDB000-0x0000000002D42000-memory.dmp

Filesize
412KB

Download
memory/3008-18-0x0000000002CD4000-0x0000000002CD7000-memory.dmp

Filesize
12KB

Download