7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
146s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
23/01/2024, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 8 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

resource	yara_rule
behavioral4/memory/4352-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/memory/4352-33-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/files/0x0002000000025ca2-40.dat	BazaLoader
behavioral4/memory/4608-41-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/files/0x0002000000025ca2-39.dat	BazaLoader
behavioral4/files/0x0002000000025ca2-37.dat	BazaLoader
behavioral4/memory/4352-42-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/memory/4608-71-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Windows Service

T1543.003

pid	Process
4840	netsh.exe
3720	netsh.exe
5024	netsh.exe
3396	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
4608	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1624	powershell.exe
4136	powershell.exe
4136	powershell.exe
1624	powershell.exe
4352	svchost_dump_SCY - Copy.exe
4352	svchost_dump_SCY - Copy.exe
1740	powershell.exe
1740	powershell.exe
4768	powershell.exe
4768	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2344	WMIC.exe
Token: SeSecurityPrivilege	2344	WMIC.exe
Token: SeTakeOwnershipPrivilege	2344	WMIC.exe
Token: SeLoadDriverPrivilege	2344	WMIC.exe
Token: SeSystemProfilePrivilege	2344	WMIC.exe
Token: SeSystemtimePrivilege	2344	WMIC.exe
Token: SeProfSingleProcessPrivilege	2344	WMIC.exe
Token: SeIncBasePriorityPrivilege	2344	WMIC.exe
Token: SeCreatePagefilePrivilege	2344	WMIC.exe
Token: SeBackupPrivilege	2344	WMIC.exe
Token: SeRestorePrivilege	2344	WMIC.exe
Token: SeShutdownPrivilege	2344	WMIC.exe
Token: SeDebugPrivilege	2344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2344	WMIC.exe
Token: SeRemoteShutdownPrivilege	2344	WMIC.exe
Token: SeUndockPrivilege	2344	WMIC.exe
Token: SeManageVolumePrivilege	2344	WMIC.exe
Token: 33	2344	WMIC.exe
Token: 34	2344	WMIC.exe
Token: 35	2344	WMIC.exe
Token: 36	2344	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2344	WMIC.exe
Token: SeSecurityPrivilege	2344	WMIC.exe
Token: SeTakeOwnershipPrivilege	2344	WMIC.exe
Token: SeLoadDriverPrivilege	2344	WMIC.exe
Token: SeSystemProfilePrivilege	2344	WMIC.exe
Token: SeSystemtimePrivilege	2344	WMIC.exe
Token: SeProfSingleProcessPrivilege	2344	WMIC.exe
Token: SeIncBasePriorityPrivilege	2344	WMIC.exe
Token: SeCreatePagefilePrivilege	2344	WMIC.exe
Token: SeBackupPrivilege	2344	WMIC.exe
Token: SeRestorePrivilege	2344	WMIC.exe
Token: SeShutdownPrivilege	2344	WMIC.exe
Token: SeDebugPrivilege	2344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2344	WMIC.exe
Token: SeRemoteShutdownPrivilege	2344	WMIC.exe
Token: SeUndockPrivilege	2344	WMIC.exe
Token: SeManageVolumePrivilege	2344	WMIC.exe
Token: 33	2344	WMIC.exe
Token: 34	2344	WMIC.exe
Token: 35	2344	WMIC.exe
Token: 36	2344	WMIC.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeIncreaseQuotaPrivilege	2520	WMIC.exe
Token: SeSecurityPrivilege	2520	WMIC.exe
Token: SeTakeOwnershipPrivilege	2520	WMIC.exe
Token: SeLoadDriverPrivilege	2520	WMIC.exe
Token: SeSystemProfilePrivilege	2520	WMIC.exe
Token: SeSystemtimePrivilege	2520	WMIC.exe
Token: SeProfSingleProcessPrivilege	2520	WMIC.exe
Token: SeIncBasePriorityPrivilege	2520	WMIC.exe
Token: SeCreatePagefilePrivilege	2520	WMIC.exe
Token: SeBackupPrivilege	2520	WMIC.exe
Token: SeRestorePrivilege	2520	WMIC.exe
Token: SeShutdownPrivilege	2520	WMIC.exe
Token: SeDebugPrivilege	2520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2520	WMIC.exe
Token: SeRemoteShutdownPrivilege	2520	WMIC.exe
Token: SeUndockPrivilege	2520	WMIC.exe
Token: SeManageVolumePrivilege	2520	WMIC.exe
Token: 33	2520	WMIC.exe
Token: 34	2520	WMIC.exe
Token: 35	2520	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 2344	4352	svchost_dump_SCY - Copy.exe	77
PID 4352 wrote to memory of 2344	4352	svchost_dump_SCY - Copy.exe	77
PID 4352 wrote to memory of 4840	4352	svchost_dump_SCY - Copy.exe	79
PID 4352 wrote to memory of 4840	4352	svchost_dump_SCY - Copy.exe	79
PID 4352 wrote to memory of 3720	4352	svchost_dump_SCY - Copy.exe	81
PID 4352 wrote to memory of 3720	4352	svchost_dump_SCY - Copy.exe	81
PID 4352 wrote to memory of 1624	4352	svchost_dump_SCY - Copy.exe	83
PID 4352 wrote to memory of 1624	4352	svchost_dump_SCY - Copy.exe	83
PID 4352 wrote to memory of 4136	4352	svchost_dump_SCY - Copy.exe	85
PID 4352 wrote to memory of 4136	4352	svchost_dump_SCY - Copy.exe	85
PID 4352 wrote to memory of 4856	4352	svchost_dump_SCY - Copy.exe	88
PID 4352 wrote to memory of 4856	4352	svchost_dump_SCY - Copy.exe	88
PID 4352 wrote to memory of 3740	4352	svchost_dump_SCY - Copy.exe	90
PID 4352 wrote to memory of 3740	4352	svchost_dump_SCY - Copy.exe	90
PID 4352 wrote to memory of 4608	4352	svchost_dump_SCY - Copy.exe	91
PID 4352 wrote to memory of 4608	4352	svchost_dump_SCY - Copy.exe	91
PID 4608 wrote to memory of 2520	4608	svchost.exe	95
PID 4608 wrote to memory of 2520	4608	svchost.exe	95
PID 4608 wrote to memory of 5024	4608	svchost.exe	96
PID 4608 wrote to memory of 5024	4608	svchost.exe	96
PID 4608 wrote to memory of 3396	4608	svchost.exe	102
PID 4608 wrote to memory of 3396	4608	svchost.exe	102
PID 4608 wrote to memory of 1740	4608	svchost.exe	101
PID 4608 wrote to memory of 1740	4608	svchost.exe	101
PID 4608 wrote to memory of 4768	4608	svchost.exe	100
PID 4608 wrote to memory of 4768	4608	svchost.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\System32\Wbem\WMIC.exe
  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:4840
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /delete /TN "Timer"
  2⤵
  PID:4856
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:3740
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1740
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yyuyumfe.tmj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus

Filesize
2.7MB

MD5
1a54941e69d95e9a46d184486f32ff9f

SHA1
fa94366a0032895f00742ef06e5663c888245847

SHA256
2553820f11ff6d383401860b42b7ce8168950d72a9cef7434dfd4b372f0a10da

SHA512
ddbdefd03d9d669c4e958542be9b87ed05c83289c17f4364858b4d412c7d91946d0b1f97e9279edded849d012b2e8bbc9db8af32bf32a22d8466d7caf253727b

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
2.2MB

MD5
dad3f30853691fc951fce4e897db8b51

SHA1
c5a7bb1f956ad0a618e0f9846bea9d85cac57678

SHA256
62ec82ccbe51987bb938d36060a6db8af4f5c335ff799a0602646f790f6b251e

SHA512
d57e53ecf47998ad466390e60eef5cf549259125355a1423550d1db77375e00af6c08c8eab4596d108bca8a4b81002f9c7c7d341bc21d8fd6a47709c84eb9838

Download Submit
C:\Windows\System\svchost.exe

Filesize
255KB

MD5
c21c341b79bc98787f919267c6bc6107

SHA1
d2da7c15320be9d1eca2368dd96ffb6720ccb540

SHA256
08e771ed1495a3b000b53a5d6f53a14c8c232db79e1dfd00fef4e122a848ef89

SHA512
7a2f620406b202785e987bf662c89c513584ca26ad4f88aa48fe130dc3373e4dafb109eddbef0622f18590cb071f2d547c2241ea17dd031ba111ae89ca0517e5

Download Submit
C:\Windows\System\svchost.exe

Filesize
70KB

MD5
b5d426c164f728b9733ba5b1bb291e65

SHA1
e731b3a136b51caba50a2b52f5f6face4af53298

SHA256
7f149e4696e49afe7e8ad3ea8d4598ae5e5f48831637a4d539a3d880a6409e8c

SHA512
46de8c3d9538a20991f19e9901fb08bbb403b45dbe640d5d9be82c2da9239c6329dc446af826b7ad3af055ebbfeb9a3a02504bd60fd7152877f68026d14727bb

Download Submit
C:\Windows\System\svchost.exe

Filesize
351KB

MD5
0810536bc2840c128e20cb2db6a4ef5f

SHA1
f36f13848cc3f55a9df839a04fa356bf82910282

SHA256
e993a665ed75521434c1673bf701b8eeb49fd3b24f496552e730f4797eb40053

SHA512
dafa90323090cb6a0116ca8612f223151d34247d5630ce66a94d33d18b7fd8820a55096a931a86134a713dd80eedcad8c31284e7836b3d09cfe2c6003e62d2a9

Download Submit
memory/1624-30-0x00007FFC4FE70000-0x00007FFC50932000-memory.dmp

Filesize
10.8MB

Download
memory/1624-12-0x000001582E130000-0x000001582E140000-memory.dmp

Filesize
64KB

Download
memory/1624-9-0x000001582E2E0000-0x000001582E302000-memory.dmp

Filesize
136KB

Download
memory/1624-10-0x00007FFC4FE70000-0x00007FFC50932000-memory.dmp

Filesize
10.8MB

Download
memory/1624-24-0x000001582E130000-0x000001582E140000-memory.dmp

Filesize
64KB

Download
memory/1624-11-0x000001582E130000-0x000001582E140000-memory.dmp

Filesize
64KB

Download
memory/1740-53-0x00000254FC8B0000-0x00000254FC8C0000-memory.dmp

Filesize
64KB

Download
memory/1740-44-0x00000254FC8B0000-0x00000254FC8C0000-memory.dmp

Filesize
64KB

Download
memory/1740-69-0x00007FFC4F9C0000-0x00007FFC50482000-memory.dmp

Filesize
10.8MB

Download
memory/1740-43-0x00007FFC4F9C0000-0x00007FFC50482000-memory.dmp

Filesize
10.8MB

Download
memory/4136-21-0x00007FFC4FE70000-0x00007FFC50932000-memory.dmp

Filesize
10.8MB

Download
memory/4136-31-0x00007FFC4FE70000-0x00007FFC50932000-memory.dmp

Filesize
10.8MB

Download
memory/4136-23-0x0000027EFC1C0000-0x0000027EFC1D0000-memory.dmp

Filesize
64KB

Download
memory/4136-22-0x0000027EFC1C0000-0x0000027EFC1D0000-memory.dmp

Filesize
64KB

Download
memory/4352-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4352-33-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4352-42-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4608-41-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4608-71-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4608-72-0x00000000368E0000-0x0000000036DC2000-memory.dmp

Filesize
4.9MB

Download
memory/4768-67-0x000001F12E3E0000-0x000001F12E3F0000-memory.dmp

Filesize
64KB

Download
memory/4768-63-0x00007FFC4F9C0000-0x00007FFC50482000-memory.dmp

Filesize
10.8MB

Download
memory/4768-64-0x000001F12E3E0000-0x000001F12E3F0000-memory.dmp

Filesize
64KB

Download
memory/4768-70-0x00007FFC4F9C0000-0x00007FFC50482000-memory.dmp

Filesize
10.8MB

Download
memory/4768-66-0x000001F12E3E0000-0x000001F12E3F0000-memory.dmp

Filesize
64KB

Download
memory/4768-65-0x000001F12E3E0000-0x000001F12E3F0000-memory.dmp

Filesize
64KB

Download