7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
141s
max time network
150s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
23-01-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 7 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

resource	yara_rule
behavioral2/memory/224-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/memory/224-10-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/files/0x000800000001abbc-111.dat	BazaLoader
behavioral2/files/0x000800000001abbc-110.dat	BazaLoader
behavioral2/memory/704-112-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/memory/224-113-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/memory/704-196-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Windows Service

T1543.003

pid	Process
1700	netsh.exe
4108	netsh.exe
4184	netsh.exe
3528	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
704	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3692	powershell.exe
3692	powershell.exe
1528	powershell.exe
1528	powershell.exe
1528	powershell.exe
3692	powershell.exe
224	svchost_dump_SCY - Copy.exe
224	svchost_dump_SCY - Copy.exe
2404	powershell.exe
2404	powershell.exe
5092	powershell.exe
5092	powershell.exe
2404	powershell.exe
5092	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe
Token: 35	2484	WMIC.exe
Token: 36	2484	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe
Token: 35	2484	WMIC.exe
Token: 36	2484	WMIC.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeIncreaseQuotaPrivilege	3692	powershell.exe
Token: SeSecurityPrivilege	3692	powershell.exe
Token: SeTakeOwnershipPrivilege	3692	powershell.exe
Token: SeLoadDriverPrivilege	3692	powershell.exe
Token: SeSystemProfilePrivilege	3692	powershell.exe
Token: SeSystemtimePrivilege	3692	powershell.exe
Token: SeProfSingleProcessPrivilege	3692	powershell.exe
Token: SeIncBasePriorityPrivilege	3692	powershell.exe
Token: SeCreatePagefilePrivilege	3692	powershell.exe
Token: SeBackupPrivilege	3692	powershell.exe
Token: SeRestorePrivilege	3692	powershell.exe
Token: SeShutdownPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeSystemEnvironmentPrivilege	3692	powershell.exe
Token: SeRemoteShutdownPrivilege	3692	powershell.exe
Token: SeUndockPrivilege	3692	powershell.exe
Token: SeManageVolumePrivilege	3692	powershell.exe
Token: 33	3692	powershell.exe
Token: 34	3692	powershell.exe
Token: 35	3692	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 2484	224	svchost_dump_SCY - Copy.exe	21
PID 224 wrote to memory of 2484	224	svchost_dump_SCY - Copy.exe	21
PID 224 wrote to memory of 3528	224	svchost_dump_SCY - Copy.exe	83
PID 224 wrote to memory of 3528	224	svchost_dump_SCY - Copy.exe	83
PID 224 wrote to memory of 4184	224	svchost_dump_SCY - Copy.exe	81
PID 224 wrote to memory of 4184	224	svchost_dump_SCY - Copy.exe	81
PID 224 wrote to memory of 3692	224	svchost_dump_SCY - Copy.exe	77
PID 224 wrote to memory of 3692	224	svchost_dump_SCY - Copy.exe	77
PID 224 wrote to memory of 1528	224	svchost_dump_SCY - Copy.exe	79
PID 224 wrote to memory of 1528	224	svchost_dump_SCY - Copy.exe	79
PID 224 wrote to memory of 2544	224	svchost_dump_SCY - Copy.exe	86
PID 224 wrote to memory of 2544	224	svchost_dump_SCY - Copy.exe	86
PID 224 wrote to memory of 2216	224	svchost_dump_SCY - Copy.exe	88
PID 224 wrote to memory of 2216	224	svchost_dump_SCY - Copy.exe	88
PID 224 wrote to memory of 704	224	svchost_dump_SCY - Copy.exe	89
PID 224 wrote to memory of 704	224	svchost_dump_SCY - Copy.exe	89
PID 704 wrote to memory of 936	704	svchost.exe	92
PID 704 wrote to memory of 936	704	svchost.exe	92
PID 704 wrote to memory of 4108	704	svchost.exe	100
PID 704 wrote to memory of 4108	704	svchost.exe	100
PID 704 wrote to memory of 1700	704	svchost.exe	96
PID 704 wrote to memory of 1700	704	svchost.exe	96
PID 704 wrote to memory of 2404	704	svchost.exe	94
PID 704 wrote to memory of 2404	704	svchost.exe	94
PID 704 wrote to memory of 5092	704	svchost.exe	99
PID 704 wrote to memory of 5092	704	svchost.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\System32\Wbem\WMIC.exe
  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:4184
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:3528
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /delete /TN "Timer"
  2⤵
  PID:2544
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:2216
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
    3⤵
    PID:936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2404
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5092
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
268b890dae39e430e8b127909067ed96

SHA1
35939515965c0693ef46e021254c3e73ea8c4a2b

SHA256
7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

SHA512
abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
52a93f8e57b0824304c14cbc05c2deaa

SHA1
03f2211b40a8da8b21cf5656373fae0e3fcad506

SHA256
62d546a176742124313c4765f6c0b3f8e68a7c91c67d280cb3b08fd9d7a5fdd9

SHA512
abe8139a585d81d055f6b2661ce87399db6622c038c68affd67b623932f96d6397382b2a5a91ba7b7f51e514ce3de0f123af382c5a8f6f92369b9bf4631b1742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5cb3d645989f2ae36e0d516934f06aa6

SHA1
9fdf8d923d54afe3b7ecea9d98964ce1223671ad

SHA256
ef5e682495aed27653ce2c882f01f08c4a49a9bc6b8328004846c84eb9b31283

SHA512
9f5b082afa852c39ee6361214bb9249227429f7c865298e3926a8becce67de7d437d28b9ba25bf1346cf28180aebc35dbd8b56a59f26886ee0247400f3807993

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnbmfqbf.h4s.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
195KB

MD5
30df7ffadb9cb1eabd13ba6619a50f95

SHA1
7461d225c22ff27786c533fba354b0e10639ef7c

SHA256
c54a4a19a41030b5d5fc691cd7341e897f1e1371f93f93ef272b21b01cfc8a20

SHA512
e0b696e84c9c27606ca0358680e8f134c2b8e55f67da3c8b8132f6db563b24aeca233b95df82421c82f9053358b915d9f490fc8f31737fc8bd81d7ffb93820da

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
433KB

MD5
49d8a8ae74667e8f5f7308dd9a0da679

SHA1
a4e5d52041acd879b292a1f5f154eb2fcdfe2cab

SHA256
2e262896b79e5fbdc37b0fa05a5fe853aa2f7f3c74ffd3b4790a256ccd70f244

SHA512
7e2ec1a3bba05aff46e1dd087c29b9e5acd1ed3098058bed3158c86b4bb2509bf53cf3d3ea481ed405030bfad4ae088bec4d86c55ae96bc9eb9190dd54ad0ab0

Download Submit
C:\Windows\System\svchost.exe

Filesize
82KB

MD5
ad4fa63f62058fdf189554b21a33fb39

SHA1
83719437593e3fe0d47b606aeb23d5922e67af2a

SHA256
3f7b2b5dac6f68fc79223e96f09a9ba3ebc6878e010ae1cb6cf438d02eb1ba7c

SHA512
a85526066159b7203e5685c99c6e6616ec245b569a17175b24f92c62d9a1370b7a1fcbe7236823917cf61ff4db4d05d8e460e186c117915e74970b73a9776578

Download Submit
C:\Windows\System\svchost.exe

Filesize
197KB

MD5
ef7aeb5900828e738077ccf70376d8bc

SHA1
076e714f9698fee626f562db458bd7eb1f1bb9a7

SHA256
4631539ebec06d9cc3aa69470b316397a12dcff1804c9e580a88cbe9987045c1

SHA512
ad938a19e7e567d2d18650b31b309661f4a83295eec327eed767418a6b931be3d0f2d968c009b5121c2f8ba91ef058abf43ce59d11b50cc53728593d14af9e98

Download Submit
memory/224-113-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/224-10-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/224-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/704-217-0x0000000036B10000-0x0000000036FF2000-memory.dmp

Filesize
4.9MB

Download
memory/704-112-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/704-196-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1528-48-0x000001D9E3A20000-0x000001D9E3A30000-memory.dmp

Filesize
64KB

Download
memory/1528-15-0x000001D9E3A20000-0x000001D9E3A30000-memory.dmp

Filesize
64KB

Download
memory/1528-12-0x00007FFB90DE0000-0x00007FFB917CC000-memory.dmp

Filesize
9.9MB

Download
memory/1528-16-0x000001D9E3A20000-0x000001D9E3A30000-memory.dmp

Filesize
64KB

Download
memory/1528-95-0x000001D9E3A20000-0x000001D9E3A30000-memory.dmp

Filesize
64KB

Download
memory/1528-105-0x00007FFB90DE0000-0x00007FFB917CC000-memory.dmp

Filesize
9.9MB

Download
memory/2404-207-0x00007FFB909A0000-0x00007FFB9138C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-119-0x000001E5EC610000-0x000001E5EC620000-memory.dmp

Filesize
64KB

Download
memory/2404-198-0x000001E5EC610000-0x000001E5EC620000-memory.dmp

Filesize
64KB

Download
memory/2404-120-0x000001E5EC610000-0x000001E5EC620000-memory.dmp

Filesize
64KB

Download
memory/2404-117-0x00007FFB909A0000-0x00007FFB9138C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-145-0x000001E5EC610000-0x000001E5EC620000-memory.dmp

Filesize
64KB

Download
memory/3692-7-0x0000017DEC870000-0x0000017DEC880000-memory.dmp

Filesize
64KB

Download
memory/3692-100-0x0000017DEC870000-0x0000017DEC880000-memory.dmp

Filesize
64KB

Download
memory/3692-5-0x00007FFB90DE0000-0x00007FFB917CC000-memory.dmp

Filesize
9.9MB

Download
memory/3692-8-0x0000017DEC870000-0x0000017DEC880000-memory.dmp

Filesize
64KB

Download
memory/3692-106-0x00007FFB90DE0000-0x00007FFB917CC000-memory.dmp

Filesize
9.9MB

Download
memory/3692-20-0x0000017DEC980000-0x0000017DEC9F6000-memory.dmp

Filesize
472KB

Download
memory/3692-46-0x0000017DEC870000-0x0000017DEC880000-memory.dmp

Filesize
64KB

Download
memory/3692-6-0x0000017DEC1E0000-0x0000017DEC202000-memory.dmp

Filesize
136KB

Download
memory/5092-174-0x000001A2586D0000-0x000001A2586E0000-memory.dmp

Filesize
64KB

Download
memory/5092-216-0x00007FFB909A0000-0x00007FFB9138C000-memory.dmp

Filesize
9.9MB

Download
memory/5092-212-0x000001A2586D0000-0x000001A2586E0000-memory.dmp

Filesize
64KB

Download
memory/5092-128-0x000001A2586D0000-0x000001A2586E0000-memory.dmp

Filesize
64KB

Download
memory/5092-125-0x00007FFB909A0000-0x00007FFB9138C000-memory.dmp

Filesize
9.9MB

Download
memory/5092-130-0x000001A2586D0000-0x000001A2586E0000-memory.dmp

Filesize
64KB

Download