7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
138s
max time network
151s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
23/01/2024, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 6 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

resource	yara_rule
behavioral2/memory/4888-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/memory/4888-98-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/files/0x000700000001ab7f-113.dat	BazaLoader
behavioral2/files/0x000700000001ab7f-114.dat	BazaLoader
behavioral2/memory/4888-115-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/memory/596-147-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Windows Service

T1543.003

pid	Process
168	netsh.exe
1748	netsh.exe
2684	netsh.exe
2088	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
596	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2148	powershell.exe
2148	powershell.exe
3028	powershell.exe
3028	powershell.exe
2148	powershell.exe
3028	powershell.exe
4888	svchost_dump_SCY - Copy.exe
4888	svchost_dump_SCY - Copy.exe
2184	powershell.exe
2184	powershell.exe
2184	powershell.exe
428	powershell.exe
428	powershell.exe
428	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2704	WMIC.exe
Token: SeSecurityPrivilege	2704	WMIC.exe
Token: SeTakeOwnershipPrivilege	2704	WMIC.exe
Token: SeLoadDriverPrivilege	2704	WMIC.exe
Token: SeSystemProfilePrivilege	2704	WMIC.exe
Token: SeSystemtimePrivilege	2704	WMIC.exe
Token: SeProfSingleProcessPrivilege	2704	WMIC.exe
Token: SeIncBasePriorityPrivilege	2704	WMIC.exe
Token: SeCreatePagefilePrivilege	2704	WMIC.exe
Token: SeBackupPrivilege	2704	WMIC.exe
Token: SeRestorePrivilege	2704	WMIC.exe
Token: SeShutdownPrivilege	2704	WMIC.exe
Token: SeDebugPrivilege	2704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2704	WMIC.exe
Token: SeRemoteShutdownPrivilege	2704	WMIC.exe
Token: SeUndockPrivilege	2704	WMIC.exe
Token: SeManageVolumePrivilege	2704	WMIC.exe
Token: 33	2704	WMIC.exe
Token: 34	2704	WMIC.exe
Token: 35	2704	WMIC.exe
Token: 36	2704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2704	WMIC.exe
Token: SeSecurityPrivilege	2704	WMIC.exe
Token: SeTakeOwnershipPrivilege	2704	WMIC.exe
Token: SeLoadDriverPrivilege	2704	WMIC.exe
Token: SeSystemProfilePrivilege	2704	WMIC.exe
Token: SeSystemtimePrivilege	2704	WMIC.exe
Token: SeProfSingleProcessPrivilege	2704	WMIC.exe
Token: SeIncBasePriorityPrivilege	2704	WMIC.exe
Token: SeCreatePagefilePrivilege	2704	WMIC.exe
Token: SeBackupPrivilege	2704	WMIC.exe
Token: SeRestorePrivilege	2704	WMIC.exe
Token: SeShutdownPrivilege	2704	WMIC.exe
Token: SeDebugPrivilege	2704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2704	WMIC.exe
Token: SeRemoteShutdownPrivilege	2704	WMIC.exe
Token: SeUndockPrivilege	2704	WMIC.exe
Token: SeManageVolumePrivilege	2704	WMIC.exe
Token: 33	2704	WMIC.exe
Token: 34	2704	WMIC.exe
Token: 35	2704	WMIC.exe
Token: 36	2704	WMIC.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeIncreaseQuotaPrivilege	2148	powershell.exe
Token: SeSecurityPrivilege	2148	powershell.exe
Token: SeTakeOwnershipPrivilege	2148	powershell.exe
Token: SeLoadDriverPrivilege	2148	powershell.exe
Token: SeSystemProfilePrivilege	2148	powershell.exe
Token: SeSystemtimePrivilege	2148	powershell.exe
Token: SeProfSingleProcessPrivilege	2148	powershell.exe
Token: SeIncBasePriorityPrivilege	2148	powershell.exe
Token: SeCreatePagefilePrivilege	2148	powershell.exe
Token: SeBackupPrivilege	2148	powershell.exe
Token: SeRestorePrivilege	2148	powershell.exe
Token: SeShutdownPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeSystemEnvironmentPrivilege	2148	powershell.exe
Token: SeRemoteShutdownPrivilege	2148	powershell.exe
Token: SeUndockPrivilege	2148	powershell.exe
Token: SeManageVolumePrivilege	2148	powershell.exe
Token: 33	2148	powershell.exe
Token: 34	2148	powershell.exe
Token: 35	2148	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2704	4888	svchost_dump_SCY - Copy.exe	75
PID 4888 wrote to memory of 2704	4888	svchost_dump_SCY - Copy.exe	75
PID 4888 wrote to memory of 168	4888	svchost_dump_SCY - Copy.exe	76
PID 4888 wrote to memory of 168	4888	svchost_dump_SCY - Copy.exe	76
PID 4888 wrote to memory of 1748	4888	svchost_dump_SCY - Copy.exe	77
PID 4888 wrote to memory of 1748	4888	svchost_dump_SCY - Copy.exe	77
PID 4888 wrote to memory of 2148	4888	svchost_dump_SCY - Copy.exe	79
PID 4888 wrote to memory of 2148	4888	svchost_dump_SCY - Copy.exe	79
PID 4888 wrote to memory of 3028	4888	svchost_dump_SCY - Copy.exe	82
PID 4888 wrote to memory of 3028	4888	svchost_dump_SCY - Copy.exe	82
PID 4888 wrote to memory of 5076	4888	svchost_dump_SCY - Copy.exe	85
PID 4888 wrote to memory of 5076	4888	svchost_dump_SCY - Copy.exe	85
PID 4888 wrote to memory of 3884	4888	svchost_dump_SCY - Copy.exe	87
PID 4888 wrote to memory of 3884	4888	svchost_dump_SCY - Copy.exe	87
PID 4888 wrote to memory of 596	4888	svchost_dump_SCY - Copy.exe	89
PID 4888 wrote to memory of 596	4888	svchost_dump_SCY - Copy.exe	89
PID 596 wrote to memory of 1460	596	svchost.exe	92
PID 596 wrote to memory of 1460	596	svchost.exe	92
PID 596 wrote to memory of 2684	596	svchost.exe	93
PID 596 wrote to memory of 2684	596	svchost.exe	93
PID 596 wrote to memory of 2088	596	svchost.exe	95
PID 596 wrote to memory of 2088	596	svchost.exe	95
PID 596 wrote to memory of 2184	596	svchost.exe	97
PID 596 wrote to memory of 2184	596	svchost.exe	97
PID 596 wrote to memory of 428	596	svchost.exe	99
PID 596 wrote to memory of 428	596	svchost.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\System32\Wbem\WMIC.exe
  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:168
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /delete /TN "Timer"
  2⤵
  PID:5076
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:3884
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
    3⤵
    PID:1460
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2684
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
268b890dae39e430e8b127909067ed96

SHA1
35939515965c0693ef46e021254c3e73ea8c4a2b

SHA256
7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

SHA512
abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1eecdf947f7da295f59fc4d89b5d79c7

SHA1
5bda122547dc38753a94d5ffd182fa1807a59e5c

SHA256
e97cba0eb49d8cce3c6535c580d99cb9081938a4e71400f1544e77fc84f2f0d8

SHA512
f7860479b762c464c9fe3ca3fe50b40c65fec9b89028cf0fc000ac484ef7cd786af7038f3a401d9c2a419e4546327906806df5a66ca1661c3af016ca80fae868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
be166ac2d24c3200a7307efbdc505950

SHA1
982f5d9b77895350a7ed77fe6b6aeb1140892cc5

SHA256
fa1135a9e7458237cd87b066bfa6416a30b6ca511ba96a50aee914e30cd5a632

SHA512
224437cefd78fbb678499367697ad54b23d5ef8f2c1593efb32bf521911176f788226946cebb9a66ab68a495b68a2e25f31f4a0dceb62c020f0dedd3a74b44e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_epy5j2yl.4ws.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
85KB

MD5
5620c2f1f9a6916d946e1198bff8b9cd

SHA1
d9fc06ef9d008f7d22b7e11bf4aacf3d37baacf3

SHA256
5863c9a62d7a4ad4cf7d1a18eef9d41a2e93ab309a5f451d622c7ba250f12f44

SHA512
ae66d2524895a7dfc02f931d9dd62944a58082c9bf3a17f37ebc4e5574dbce399438554c67bef3b3748b5fdbf7a0082a837bccb544d845f61f20da21bb6fbcf7

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
466KB

MD5
b2a67775a11d216c2449bd4277861ede

SHA1
bcafeba7df1ee28d36012590a479145e380d9920

SHA256
00066e3afc259324922b4fa020e9ac5d7da479d196c0383bc13892653356cfda

SHA512
805b29c1561cbc5e6a2dc6e81f97da024e1f10edf47f1f4fc6cfb5009933644ba9285faabad8d4e0134dcd7b9f808e11c145f82297de4119988346b4fc417ca2

Download Submit
C:\Windows\System\svchost.exe

Filesize
2.0MB

MD5
1fb6a954c91c26d86144e381e3a5f952

SHA1
625fd8cc6315c6c4c0224a5924416dbf3daff585

SHA256
2e09a0602879168c7e395f80e5391ad29bb31497b194aef5498bc40a1336e9f4

SHA512
6f52a51314a7ed82977f26a9e93f526e3931a83a6b4d87f3950dbc77cd3ed6ee25b4d8e54a7ec387c9d031ea29e32290232daf56fc891d8b276e097d6b8cf914

Download Submit
C:\Windows\System\svchost.exe

Filesize
1.6MB

MD5
45c6324243337f6c4715784c11b96ff2

SHA1
98156bc22c5ec657abf8363044a7361d138242eb

SHA256
af41e99b8cf51005741b0c4cab801b104ebe1f854fe88b4c88f17528712f9788

SHA512
79bbe8b1ed0c195e93c5ff5b797b1622e3385ed5549ef276884930bd02ae365d861710930b637bd4efe8ea1fee9e649d341a2adf799e94dd2593069793ebd157

Download Submit
memory/428-140-0x0000022C64240000-0x0000022C64250000-memory.dmp

Filesize
64KB

Download
memory/428-214-0x0000022C64240000-0x0000022C64250000-memory.dmp

Filesize
64KB

Download
memory/428-139-0x0000022C64240000-0x0000022C64250000-memory.dmp

Filesize
64KB

Download
memory/428-127-0x00007FF9A0CB0000-0x00007FF9A169C000-memory.dmp

Filesize
9.9MB

Download
memory/428-177-0x0000022C64240000-0x0000022C64250000-memory.dmp

Filesize
64KB

Download
memory/428-218-0x00007FF9A0CB0000-0x00007FF9A169C000-memory.dmp

Filesize
9.9MB

Download
memory/596-147-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/596-219-0x00000000369D0000-0x0000000036EB2000-memory.dmp

Filesize
4.9MB

Download
memory/2148-7-0x000001EC26930000-0x000001EC26940000-memory.dmp

Filesize
64KB

Download
memory/2148-6-0x000001EC26930000-0x000001EC26940000-memory.dmp

Filesize
64KB

Download
memory/2148-109-0x00007FF9A1010000-0x00007FF9A19FC000-memory.dmp

Filesize
9.9MB

Download
memory/2148-13-0x000001EC26970000-0x000001EC26992000-memory.dmp

Filesize
136KB

Download
memory/2148-103-0x000001EC26930000-0x000001EC26940000-memory.dmp

Filesize
64KB

Download
memory/2148-5-0x00007FF9A1010000-0x00007FF9A19FC000-memory.dmp

Filesize
9.9MB

Download
memory/2148-48-0x000001EC26930000-0x000001EC26940000-memory.dmp

Filesize
64KB

Download
memory/2148-19-0x000001EC26D50000-0x000001EC26DC6000-memory.dmp

Filesize
472KB

Download
memory/2184-121-0x0000022869170000-0x0000022869180000-memory.dmp

Filesize
64KB

Download
memory/2184-199-0x0000022869170000-0x0000022869180000-memory.dmp

Filesize
64KB

Download
memory/2184-118-0x00007FF9A0CB0000-0x00007FF9A169C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-122-0x0000022869170000-0x0000022869180000-memory.dmp

Filesize
64KB

Download
memory/2184-208-0x00007FF9A0CB0000-0x00007FF9A169C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-149-0x0000022869170000-0x0000022869180000-memory.dmp

Filesize
64KB

Download
memory/3028-15-0x00000224001F0000-0x0000022400200000-memory.dmp

Filesize
64KB

Download
memory/3028-10-0x00007FF9A1010000-0x00007FF9A19FC000-memory.dmp

Filesize
9.9MB

Download
memory/3028-108-0x00007FF9A1010000-0x00007FF9A19FC000-memory.dmp

Filesize
9.9MB

Download
memory/3028-14-0x00000224001F0000-0x0000022400200000-memory.dmp

Filesize
64KB

Download
memory/3028-99-0x00000224001F0000-0x0000022400200000-memory.dmp

Filesize
64KB

Download
memory/3028-53-0x00000224001F0000-0x0000022400200000-memory.dmp

Filesize
64KB

Download
memory/4888-115-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4888-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4888-98-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download