7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
127s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 8 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

resource	yara_rule
behavioral3/memory/3428-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral3/memory/3428-34-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral3/files/0x0006000000023214-41.dat	BazaLoader
behavioral3/memory/4024-42-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral3/files/0x0006000000023214-40.dat	BazaLoader
behavioral3/files/0x0006000000023214-38.dat	BazaLoader
behavioral3/memory/3428-43-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral3/memory/4024-88-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Windows Service

T1543.003

pid	Process
5568	netsh.exe
3956	netsh.exe
428	netsh.exe
3196	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	svchost_dump_SCY - Copy.exe

Executes dropped EXE 1 IoCs

pid	Process
4024	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5324	powershell.exe
5324	powershell.exe
2756	powershell.exe
2756	powershell.exe
5324	powershell.exe
2756	powershell.exe
3428	svchost_dump_SCY - Copy.exe
3428	svchost_dump_SCY - Copy.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
5488	powershell.exe
5488	powershell.exe
5488	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	6140	WMIC.exe
Token: SeSecurityPrivilege	6140	WMIC.exe
Token: SeTakeOwnershipPrivilege	6140	WMIC.exe
Token: SeLoadDriverPrivilege	6140	WMIC.exe
Token: SeSystemProfilePrivilege	6140	WMIC.exe
Token: SeSystemtimePrivilege	6140	WMIC.exe
Token: SeProfSingleProcessPrivilege	6140	WMIC.exe
Token: SeIncBasePriorityPrivilege	6140	WMIC.exe
Token: SeCreatePagefilePrivilege	6140	WMIC.exe
Token: SeBackupPrivilege	6140	WMIC.exe
Token: SeRestorePrivilege	6140	WMIC.exe
Token: SeShutdownPrivilege	6140	WMIC.exe
Token: SeDebugPrivilege	6140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6140	WMIC.exe
Token: SeRemoteShutdownPrivilege	6140	WMIC.exe
Token: SeUndockPrivilege	6140	WMIC.exe
Token: SeManageVolumePrivilege	6140	WMIC.exe
Token: 33	6140	WMIC.exe
Token: 34	6140	WMIC.exe
Token: 35	6140	WMIC.exe
Token: 36	6140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6140	WMIC.exe
Token: SeSecurityPrivilege	6140	WMIC.exe
Token: SeTakeOwnershipPrivilege	6140	WMIC.exe
Token: SeLoadDriverPrivilege	6140	WMIC.exe
Token: SeSystemProfilePrivilege	6140	WMIC.exe
Token: SeSystemtimePrivilege	6140	WMIC.exe
Token: SeProfSingleProcessPrivilege	6140	WMIC.exe
Token: SeIncBasePriorityPrivilege	6140	WMIC.exe
Token: SeCreatePagefilePrivilege	6140	WMIC.exe
Token: SeBackupPrivilege	6140	WMIC.exe
Token: SeRestorePrivilege	6140	WMIC.exe
Token: SeShutdownPrivilege	6140	WMIC.exe
Token: SeDebugPrivilege	6140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6140	WMIC.exe
Token: SeRemoteShutdownPrivilege	6140	WMIC.exe
Token: SeUndockPrivilege	6140	WMIC.exe
Token: SeManageVolumePrivilege	6140	WMIC.exe
Token: 33	6140	WMIC.exe
Token: 34	6140	WMIC.exe
Token: 35	6140	WMIC.exe
Token: 36	6140	WMIC.exe
Token: SeDebugPrivilege	5324	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeIncreaseQuotaPrivilege	4684	WMIC.exe
Token: SeSecurityPrivilege	4684	WMIC.exe
Token: SeTakeOwnershipPrivilege	4684	WMIC.exe
Token: SeLoadDriverPrivilege	4684	WMIC.exe
Token: SeSystemProfilePrivilege	4684	WMIC.exe
Token: SeSystemtimePrivilege	4684	WMIC.exe
Token: SeProfSingleProcessPrivilege	4684	WMIC.exe
Token: SeIncBasePriorityPrivilege	4684	WMIC.exe
Token: SeCreatePagefilePrivilege	4684	WMIC.exe
Token: SeBackupPrivilege	4684	WMIC.exe
Token: SeRestorePrivilege	4684	WMIC.exe
Token: SeShutdownPrivilege	4684	WMIC.exe
Token: SeDebugPrivilege	4684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4684	WMIC.exe
Token: SeRemoteShutdownPrivilege	4684	WMIC.exe
Token: SeUndockPrivilege	4684	WMIC.exe
Token: SeManageVolumePrivilege	4684	WMIC.exe
Token: 33	4684	WMIC.exe
Token: 34	4684	WMIC.exe
Token: 35	4684	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 6140	3428	svchost_dump_SCY - Copy.exe	75
PID 3428 wrote to memory of 6140	3428	svchost_dump_SCY - Copy.exe	75
PID 3428 wrote to memory of 5568	3428	svchost_dump_SCY - Copy.exe	96
PID 3428 wrote to memory of 5568	3428	svchost_dump_SCY - Copy.exe	96
PID 3428 wrote to memory of 3956	3428	svchost_dump_SCY - Copy.exe	98
PID 3428 wrote to memory of 3956	3428	svchost_dump_SCY - Copy.exe	98
PID 3428 wrote to memory of 5324	3428	svchost_dump_SCY - Copy.exe	100
PID 3428 wrote to memory of 5324	3428	svchost_dump_SCY - Copy.exe	100
PID 3428 wrote to memory of 2756	3428	svchost_dump_SCY - Copy.exe	103
PID 3428 wrote to memory of 2756	3428	svchost_dump_SCY - Copy.exe	103
PID 3428 wrote to memory of 1752	3428	svchost_dump_SCY - Copy.exe	107
PID 3428 wrote to memory of 1752	3428	svchost_dump_SCY - Copy.exe	107
PID 3428 wrote to memory of 1740	3428	svchost_dump_SCY - Copy.exe	109
PID 3428 wrote to memory of 1740	3428	svchost_dump_SCY - Copy.exe	109
PID 3428 wrote to memory of 4024	3428	svchost_dump_SCY - Copy.exe	110
PID 3428 wrote to memory of 4024	3428	svchost_dump_SCY - Copy.exe	110
PID 4024 wrote to memory of 4684	4024	svchost.exe	113
PID 4024 wrote to memory of 4684	4024	svchost.exe	113
PID 4024 wrote to memory of 3196	4024	svchost.exe	122
PID 4024 wrote to memory of 3196	4024	svchost.exe	122
PID 4024 wrote to memory of 428	4024	svchost.exe	121
PID 4024 wrote to memory of 428	4024	svchost.exe	121
PID 4024 wrote to memory of 2452	4024	svchost.exe	117
PID 4024 wrote to memory of 2452	4024	svchost.exe	117
PID 4024 wrote to memory of 5488	4024	svchost.exe	119
PID 4024 wrote to memory of 5488	4024	svchost.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\System32\Wbem\WMIC.exe
  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6140
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:5568
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:3956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /delete /TN "Timer"
  2⤵
  PID:1752
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:1740
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5488
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:428
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyjzdzbp.cka.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
661KB

MD5
e3e385f3774ad0994634ff612f9fd3e4

SHA1
64b855e7493f936f347d837b36413497a412cab2

SHA256
6576d6f30b88a4c41177b47764ca4be4e6c0a1dc855db7c247e8a22dd1a7f321

SHA512
928cd086265fd808c517239940640ffdf8c041a81b2cc5d3c1903893850b86921c62bfeecb6ed067637cc4edf18ea24be741a530d4e4492c7ed81e73c92125de

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
105KB

MD5
45c8ed26f169367a0eab9352a9ded343

SHA1
a343d27bdae7810462c40aab0188f47a4e6b626c

SHA256
39afb5a9d41994c6e37661064e4503e011b69fd3b17ef6eacaab588cd6d8c90a

SHA512
56902aafee4366989e322958e2b4d1836da57a716370996f6555d41381c278bd78a61d562f34a5c6f35345ea7d9a4a3d5ac0feef3984994ea5e817e4b883ff7b

Download Submit
C:\Windows\System\svchost.exe

Filesize
374KB

MD5
4ad0090e541bee359a74893e8d81636c

SHA1
8cbf47516ba8f7d8b30d258de133a7bb8e03567f

SHA256
2c43ee879fd8fb61234f6f07ee733824694b18ea22a180e641d91485bb1af866

SHA512
6fe433ff9d2acada7f0278da5dc8701c7ecd5cab6509c092a40b3c5a3b01d1c296e4c8079baef3c9753da2993991378e48cb254cc89f55c9bee609028b04c5f9

Download Submit
C:\Windows\System\svchost.exe

Filesize
200KB

MD5
d8536ffde9cd12f60620e94b0404d7f7

SHA1
c4a8626bc9e9d9d96f4a629961ba988e11e3804a

SHA256
5c5a34a05412901de5a92c2ff2316f6cd27c896e464aef2241d66e0190fb2bd7

SHA512
a77ee52f281b74fcc5b94ff52f3bdc5635fff2cabad5d04ec2537eed6720c575bc43bd1470482c41dfbf9f7cf10a63b2d9194ee768ac053016ffc713cdb43fe8

Download Submit
C:\Windows\System\svchost.exe

Filesize
213KB

MD5
f5c95b37e5ac05148f9fb25383dfcf5d

SHA1
c46661d1548c4b6b53ce9c067da69cdf083ae719

SHA256
1e1695addadce873d8f6d21cc90be5d120648d17191feb6f91b19efde427c4a1

SHA512
699214d15a7c7ec5c7f8b7765a9cbb23bd8afd2fb4509438cecff7922f3756e5639ed7d717b64e29e759ab1ca4411fc811af07c449d4121ce481173ca1632ff2

Download Submit
memory/2452-54-0x00007FF8BC040000-0x00007FF8BCB01000-memory.dmp

Filesize
10.8MB

Download
memory/2452-69-0x00007FF8BC040000-0x00007FF8BCB01000-memory.dmp

Filesize
10.8MB

Download
memory/2452-56-0x0000020E29B70000-0x0000020E29B80000-memory.dmp

Filesize
64KB

Download
memory/2452-55-0x0000020E29B70000-0x0000020E29B80000-memory.dmp

Filesize
64KB

Download
memory/2756-22-0x00007FF8BC040000-0x00007FF8BCB01000-memory.dmp

Filesize
10.8MB

Download
memory/2756-32-0x00007FF8BC040000-0x00007FF8BCB01000-memory.dmp

Filesize
10.8MB

Download
memory/2756-23-0x0000024C5B400000-0x0000024C5B410000-memory.dmp

Filesize
64KB

Download
memory/2756-24-0x0000024C5B400000-0x0000024C5B410000-memory.dmp

Filesize
64KB

Download
memory/3428-34-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3428-43-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3428-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4024-42-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4024-73-0x0000000036870000-0x0000000036D52000-memory.dmp

Filesize
4.9MB

Download
memory/4024-88-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/5324-25-0x000001F131EA0000-0x000001F131EB0000-memory.dmp

Filesize
64KB

Download
memory/5324-31-0x00007FF8BC040000-0x00007FF8BCB01000-memory.dmp

Filesize
10.8MB

Download
memory/5324-12-0x000001F131EA0000-0x000001F131EB0000-memory.dmp

Filesize
64KB

Download
memory/5324-7-0x000001F119840000-0x000001F119862000-memory.dmp

Filesize
136KB

Download
memory/5324-11-0x00007FF8BC040000-0x00007FF8BCB01000-memory.dmp

Filesize
10.8MB

Download
memory/5488-57-0x00007FF8BC040000-0x00007FF8BCB01000-memory.dmp

Filesize
10.8MB

Download
memory/5488-72-0x00007FF8BC040000-0x00007FF8BCB01000-memory.dmp

Filesize
10.8MB

Download
memory/5488-58-0x0000019C27040000-0x0000019C27050000-memory.dmp

Filesize
64KB

Download