7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
136s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 8 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral3/memory/4540-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral3/memory/4540-34-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
behavioral3/memory/4932-42-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
behavioral3/memory/4540-43-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral3/memory/4932-88-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

1400 netsh.exe
316 netsh.exe
4576 netsh.exe
3336 netsh.exe

pid	process
1400	netsh.exe
316	netsh.exe
4576	netsh.exe
3336	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	svchost_dump_SCY - Copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

4932 svchost.exe

pid	process
4932	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

868 schtasks.exe

pid	process
868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe

pid	process
1492	powershell.exe
1492	powershell.exe
4140	powershell.exe
4140	powershell.exe
4140	powershell.exe
1492	powershell.exe
4540	svchost_dump_SCY - Copy.exe
4540	svchost_dump_SCY - Copy.exe
2772	powershell.exe
2772	powershell.exe
2772	powershell.exe
636	powershell.exe
636	powershell.exe
636	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4648	WMIC.exe
Token: SeSecurityPrivilege	4648	WMIC.exe
Token: SeTakeOwnershipPrivilege	4648	WMIC.exe
Token: SeLoadDriverPrivilege	4648	WMIC.exe
Token: SeSystemProfilePrivilege	4648	WMIC.exe
Token: SeSystemtimePrivilege	4648	WMIC.exe
Token: SeProfSingleProcessPrivilege	4648	WMIC.exe
Token: SeIncBasePriorityPrivilege	4648	WMIC.exe
Token: SeCreatePagefilePrivilege	4648	WMIC.exe
Token: SeBackupPrivilege	4648	WMIC.exe
Token: SeRestorePrivilege	4648	WMIC.exe
Token: SeShutdownPrivilege	4648	WMIC.exe
Token: SeDebugPrivilege	4648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4648	WMIC.exe
Token: SeRemoteShutdownPrivilege	4648	WMIC.exe
Token: SeUndockPrivilege	4648	WMIC.exe
Token: SeManageVolumePrivilege	4648	WMIC.exe
Token: 33	4648	WMIC.exe
Token: 34	4648	WMIC.exe
Token: 35	4648	WMIC.exe
Token: 36	4648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4648	WMIC.exe
Token: SeSecurityPrivilege	4648	WMIC.exe
Token: SeTakeOwnershipPrivilege	4648	WMIC.exe
Token: SeLoadDriverPrivilege	4648	WMIC.exe
Token: SeSystemProfilePrivilege	4648	WMIC.exe
Token: SeSystemtimePrivilege	4648	WMIC.exe
Token: SeProfSingleProcessPrivilege	4648	WMIC.exe
Token: SeIncBasePriorityPrivilege	4648	WMIC.exe
Token: SeCreatePagefilePrivilege	4648	WMIC.exe
Token: SeBackupPrivilege	4648	WMIC.exe
Token: SeRestorePrivilege	4648	WMIC.exe
Token: SeShutdownPrivilege	4648	WMIC.exe
Token: SeDebugPrivilege	4648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4648	WMIC.exe
Token: SeRemoteShutdownPrivilege	4648	WMIC.exe
Token: SeUndockPrivilege	4648	WMIC.exe
Token: SeManageVolumePrivilege	4648	WMIC.exe
Token: 33	4648	WMIC.exe
Token: 34	4648	WMIC.exe
Token: 35	4648	WMIC.exe
Token: 36	4648	WMIC.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeIncreaseQuotaPrivilege	4212	WMIC.exe
Token: SeSecurityPrivilege	4212	WMIC.exe
Token: SeTakeOwnershipPrivilege	4212	WMIC.exe
Token: SeLoadDriverPrivilege	4212	WMIC.exe
Token: SeSystemProfilePrivilege	4212	WMIC.exe
Token: SeSystemtimePrivilege	4212	WMIC.exe
Token: SeProfSingleProcessPrivilege	4212	WMIC.exe
Token: SeIncBasePriorityPrivilege	4212	WMIC.exe
Token: SeCreatePagefilePrivilege	4212	WMIC.exe
Token: SeBackupPrivilege	4212	WMIC.exe
Token: SeRestorePrivilege	4212	WMIC.exe
Token: SeShutdownPrivilege	4212	WMIC.exe
Token: SeDebugPrivilege	4212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4212	WMIC.exe
Token: SeRemoteShutdownPrivilege	4212	WMIC.exe
Token: SeUndockPrivilege	4212	WMIC.exe
Token: SeManageVolumePrivilege	4212	WMIC.exe
Token: 33	4212	WMIC.exe
Token: 34	4212	WMIC.exe
Token: 35	4212	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	pid	process	target process
PID 4540 wrote to memory of 4648	4540	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 4540 wrote to memory of 4648	4540	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 4540 wrote to memory of 3336	4540	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4540 wrote to memory of 3336	4540	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4540 wrote to memory of 1400	4540	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4540 wrote to memory of 1400	4540	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4540 wrote to memory of 1492	4540	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4540 wrote to memory of 1492	4540	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4540 wrote to memory of 4140	4540	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4540 wrote to memory of 4140	4540	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4540 wrote to memory of 5040	4540	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4540 wrote to memory of 5040	4540	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4540 wrote to memory of 868	4540	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4540 wrote to memory of 868	4540	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4540 wrote to memory of 4932	4540	svchost_dump_SCY - Copy.exe	svchost.exe
PID 4540 wrote to memory of 4932	4540	svchost_dump_SCY - Copy.exe	svchost.exe
PID 4932 wrote to memory of 4212	4932	svchost.exe	WMIC.exe
PID 4932 wrote to memory of 4212	4932	svchost.exe	WMIC.exe
PID 4932 wrote to memory of 4576	4932	svchost.exe	netsh.exe
PID 4932 wrote to memory of 4576	4932	svchost.exe	netsh.exe
PID 4932 wrote to memory of 316	4932	svchost.exe	netsh.exe
PID 4932 wrote to memory of 316	4932	svchost.exe	netsh.exe
PID 4932 wrote to memory of 2772	4932	svchost.exe	powershell.exe
PID 4932 wrote to memory of 2772	4932	svchost.exe	powershell.exe
PID 4932 wrote to memory of 636	4932	svchost.exe	powershell.exe
PID 4932 wrote to memory of 636	4932	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3336

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:5040

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:868

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2772

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ada3bbf645850fada48785399a44c2e9

SHA1
0421c13b7bb2120e078e18a9d4f5118743c1c8bd

SHA256
cff75b20b3479f35242de2571318472607db1aa0a52db62c1c01a89bccb8491d

SHA512
6e0b2753850b1da38dddba4059a6ab2261a244e25bd078afc1bfb78743505dcc405caef08753134faa30bf9f4c8cd5d862405407aeb5c73ae7e86072da366c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ck1bnfk2.p4v.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Filesize
229KB

MD5
99ab995b9aa45eb29af0d3b8ec01d8cb

SHA1
dee0abf70c6fbda2ec817101c1aed16af9393618

SHA256
ae4f87558a52a188dc6d424291284afc237223e3f2f3aa4412c13a4c67dc82dd

SHA512
01d2dddddbc8378ba1b78e2f6b1ed6444d6a75d3d4c0664838efc167f927227f04ce810ded87623c06630714a288a0e75d3a5f0fab7309e459ccb7d1adc575c6

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
537KB

MD5
60bf94dd886bbadc34c44115e5f95e82

SHA1
a1940a5002ac3a5fd2fca216a376029de51c1111

SHA256
011be9d62b4ad330a7c58991c7e2380e81688feac359c251d9eb8b06a48957a6

SHA512
477c8e882016f9b95842cd17c5e99860e46e631c9cb2f932959d25e16c5b6378148e18909c38a1ce4885513d02d372cbba855fd908656083739a85bc201b343d

Download Submit
C:\Windows\System\svchost.exe
Filesize
373KB

MD5
d5bdaef096a58480f7f3b3a1bcb67c42

SHA1
9c43756fee29399984e97f3b00ab1fe210f62dd1

SHA256
d8218f7d60758cdcb9acca40666339ba19fdfd9082ef00a5d6649e313d1041fb

SHA512
0479c147ac81c8116c93c3a1d81c755c2724c94bd52237630e4e249d4c9da04596bd518a2f2d3e27eebad400a45b3ba0b36e7ae9c3534da1bf5b2788c8f8059c

Download Submit
C:\Windows\System\svchost.exe
Filesize
292KB

MD5
07bcab37133633d43441a2160db6c8a6

SHA1
641ca2c11fd3b50439f44a51d4755a8af40b06f3

SHA256
1ebf19f3346c3f519291e386cd5ad62618547b7c115019c05ec8b8eb47684f2f

SHA512
302f24202d9a838d0e3642404f7e53cf50c4d2e0555a5e262a2bcd6c2166e6acc024708abaeb994ab40425d12868bcaf7643075893dc8b3373ffddb5b76e40bc

Download Submit
C:\Windows\System\svchost.exe
Filesize
219KB

MD5
cd2daab3a528a5d4bae2a03449ffeba3

SHA1
b8dd9167fd4c17a6c8dbea2bf741187d9798e9e1

SHA256
fbd9874a0094b4c5e682ed11acf84f82a8f7505974f5d837ce1b5d702219f7ec

SHA512
c79fb9bdcff5840bfdc7fc324a4d1703abf3792018b13921ca31c483ee5a45f5907222523068234d540af206cf064eb672ad899a347e9ce5fdb724c6e7a4e495

Download Submit
memory/636-58-0x000002236D9D0000-0x000002236D9E0000-memory.dmp

Filesize
64KB

Download
memory/636-56-0x00007FFA750A0000-0x00007FFA75B61000-memory.dmp

Filesize
10.8MB

Download
memory/636-72-0x00007FFA750A0000-0x00007FFA75B61000-memory.dmp

Filesize
10.8MB

Download
memory/636-57-0x000002236D9D0000-0x000002236D9E0000-memory.dmp

Filesize
64KB

Download
memory/1492-11-0x00007FFA750A0000-0x00007FFA75B61000-memory.dmp

Filesize
10.8MB

Download
memory/1492-32-0x00007FFA750A0000-0x00007FFA75B61000-memory.dmp

Filesize
10.8MB

Download
memory/1492-10-0x00000221309E0000-0x0000022130A02000-memory.dmp

Filesize
136KB

Download
memory/1492-12-0x0000022130A20000-0x0000022130A30000-memory.dmp

Filesize
64KB

Download
memory/1492-13-0x0000022130A20000-0x0000022130A30000-memory.dmp

Filesize
64KB

Download
memory/2772-54-0x000001A629C00000-0x000001A629C10000-memory.dmp

Filesize
64KB

Download
memory/2772-53-0x00007FFA750A0000-0x00007FFA75B61000-memory.dmp

Filesize
10.8MB

Download
memory/2772-70-0x00007FFA750A0000-0x00007FFA75B61000-memory.dmp

Filesize
10.8MB

Download
memory/4140-14-0x00000206DE200000-0x00000206DE210000-memory.dmp

Filesize
64KB

Download
memory/4140-31-0x00007FFA750A0000-0x00007FFA75B61000-memory.dmp

Filesize
10.8MB

Download
memory/4140-15-0x00000206DE200000-0x00000206DE210000-memory.dmp

Filesize
64KB

Download
memory/4140-25-0x00007FFA750A0000-0x00007FFA75B61000-memory.dmp

Filesize
10.8MB

Download
memory/4540-43-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4540-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4540-34-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4932-42-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4932-73-0x0000000036870000-0x0000000036D52000-memory.dmp

Filesize
4.9MB

Download
memory/4932-88-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download