f04d11a1c4811492e397bc151c65ea1958eab6cbcf279ece7bd59160bfbea3d8

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

Malware Config

Signatures

Detects BazaLoader malware 7 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral2/memory/2752-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/memory/2752-94-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
behavioral2/memory/788-112-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/memory/2752-113-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral2/memory/788-154-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

60 netsh.exe
2668 netsh.exe
1344 netsh.exe
4976 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

788 svchost.exe

pid	process
60	netsh.exe
2668	netsh.exe
1344	netsh.exe
4976	netsh.exe

pid	process
788	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

844 schtasks.exe

pid	process
844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe

pid	process
1292	powershell.exe
1292	powershell.exe
4776	powershell.exe
4776	powershell.exe
1292	powershell.exe
4776	powershell.exe
2752	svchost_dump_SCY - Copy.exe
2752	svchost_dump_SCY - Copy.exe
1208	powershell.exe
1208	powershell.exe
2608	powershell.exe
1208	powershell.exe
2608	powershell.exe
2608	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3120	WMIC.exe
Token: SeSecurityPrivilege	3120	WMIC.exe
Token: SeTakeOwnershipPrivilege	3120	WMIC.exe
Token: SeLoadDriverPrivilege	3120	WMIC.exe
Token: SeSystemProfilePrivilege	3120	WMIC.exe
Token: SeSystemtimePrivilege	3120	WMIC.exe
Token: SeProfSingleProcessPrivilege	3120	WMIC.exe
Token: SeIncBasePriorityPrivilege	3120	WMIC.exe
Token: SeCreatePagefilePrivilege	3120	WMIC.exe
Token: SeBackupPrivilege	3120	WMIC.exe
Token: SeRestorePrivilege	3120	WMIC.exe
Token: SeShutdownPrivilege	3120	WMIC.exe
Token: SeDebugPrivilege	3120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3120	WMIC.exe
Token: SeRemoteShutdownPrivilege	3120	WMIC.exe
Token: SeUndockPrivilege	3120	WMIC.exe
Token: SeManageVolumePrivilege	3120	WMIC.exe
Token: 33	3120	WMIC.exe
Token: 34	3120	WMIC.exe
Token: 35	3120	WMIC.exe
Token: 36	3120	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3120	WMIC.exe
Token: SeSecurityPrivilege	3120	WMIC.exe
Token: SeTakeOwnershipPrivilege	3120	WMIC.exe
Token: SeLoadDriverPrivilege	3120	WMIC.exe
Token: SeSystemProfilePrivilege	3120	WMIC.exe
Token: SeSystemtimePrivilege	3120	WMIC.exe
Token: SeProfSingleProcessPrivilege	3120	WMIC.exe
Token: SeIncBasePriorityPrivilege	3120	WMIC.exe
Token: SeCreatePagefilePrivilege	3120	WMIC.exe
Token: SeBackupPrivilege	3120	WMIC.exe
Token: SeRestorePrivilege	3120	WMIC.exe
Token: SeShutdownPrivilege	3120	WMIC.exe
Token: SeDebugPrivilege	3120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3120	WMIC.exe
Token: SeRemoteShutdownPrivilege	3120	WMIC.exe
Token: SeUndockPrivilege	3120	WMIC.exe
Token: SeManageVolumePrivilege	3120	WMIC.exe
Token: 33	3120	WMIC.exe
Token: 34	3120	WMIC.exe
Token: 35	3120	WMIC.exe
Token: 36	3120	WMIC.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeIncreaseQuotaPrivilege	1292	powershell.exe
Token: SeSecurityPrivilege	1292	powershell.exe
Token: SeTakeOwnershipPrivilege	1292	powershell.exe
Token: SeLoadDriverPrivilege	1292	powershell.exe
Token: SeSystemProfilePrivilege	1292	powershell.exe
Token: SeSystemtimePrivilege	1292	powershell.exe
Token: SeProfSingleProcessPrivilege	1292	powershell.exe
Token: SeIncBasePriorityPrivilege	1292	powershell.exe
Token: SeCreatePagefilePrivilege	1292	powershell.exe
Token: SeBackupPrivilege	1292	powershell.exe
Token: SeRestorePrivilege	1292	powershell.exe
Token: SeShutdownPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeSystemEnvironmentPrivilege	1292	powershell.exe
Token: SeRemoteShutdownPrivilege	1292	powershell.exe
Token: SeUndockPrivilege	1292	powershell.exe
Token: SeManageVolumePrivilege	1292	powershell.exe
Token: 33	1292	powershell.exe
Token: 34	1292	powershell.exe
Token: 35	1292	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	pid	process	target process
PID 2752 wrote to memory of 3120	2752	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2752 wrote to memory of 3120	2752	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2752 wrote to memory of 2668	2752	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2752 wrote to memory of 2668	2752	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2752 wrote to memory of 1344	2752	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2752 wrote to memory of 1344	2752	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2752 wrote to memory of 1292	2752	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2752 wrote to memory of 1292	2752	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2752 wrote to memory of 4776	2752	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2752 wrote to memory of 4776	2752	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2752 wrote to memory of 4292	2752	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2752 wrote to memory of 4292	2752	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2752 wrote to memory of 844	2752	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2752 wrote to memory of 844	2752	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2752 wrote to memory of 788	2752	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2752 wrote to memory of 788	2752	svchost_dump_SCY - Copy.exe	svchost.exe
PID 788 wrote to memory of 3960	788	svchost.exe	WMIC.exe
PID 788 wrote to memory of 3960	788	svchost.exe	WMIC.exe
PID 788 wrote to memory of 60	788	svchost.exe	netsh.exe
PID 788 wrote to memory of 60	788	svchost.exe	netsh.exe
PID 788 wrote to memory of 4976	788	svchost.exe	netsh.exe
PID 788 wrote to memory of 4976	788	svchost.exe	netsh.exe
PID 788 wrote to memory of 1208	788	svchost.exe	powershell.exe
PID 788 wrote to memory of 1208	788	svchost.exe	powershell.exe
PID 788 wrote to memory of 2608	788	svchost.exe	powershell.exe
PID 788 wrote to memory of 2608	788	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2668

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:4292

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:844

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
PID:3960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4976

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:60

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
268b890dae39e430e8b127909067ed96

SHA1
35939515965c0693ef46e021254c3e73ea8c4a2b

SHA256
7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

SHA512
abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
36714f5f9ca060122d89e8e7ff102339

SHA1
7e83181dff892c48016d16da90acb7bf98684d25

SHA256
3f6ea6e3b26ca9a2e2b8a315838db6dc35154a7cf111c38d2710d6dbe428a5fe

SHA512
9e46f09831a399104a402783a236dc0a618342ee489a2459a92309e3ac31e5a45a9178ddb2500c8a52fcdd4ca31c8800bb5993b8ef3402b7bb94dfa9f56e2a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4f20ac0ce784dfb05aa364509a5c26ca

SHA1
f5eb53bb43b7d2c006db9e82e59a2459402e3a7a

SHA256
f6e697e9cb5ae763332e8e187415357c63614ee044e3302dd27cf9339dce8ebf

SHA512
6666a8bfb7649dd25f105c9bd1612796ddff84073405941a59ac2101b5b745370739bbc2def5c058471866ecc8dab610ac708787064dfdd7dc7cdaad1eb59b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3lj0ooi.mjc.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
399e885091f433c306661eee1cd438db

SHA1
d148192a1880432eb6a46fbf73777223fa279f5c

SHA256
e5ab202452cbbc9629ee9ad360da834e860e5650b490b60e63ffc1825772a1e3

SHA512
899863701065a827dd0b29f3e5f9dfa18ff6ac4683e5da16175f233bbb98895c224d7e391085d06106dd7d6ec2505449db4ad3fa242c9309e0c88889361935e0

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
5.0MB

MD5
69ecc403aed5fdd4faea172c40a35cd9

SHA1
81d808db2091f2d0b40c8ea81e41e88b28ea4c90

SHA256
6f56f12b65ba454c044df33307bde97498c53c5072e1cbfa4cd57d7827c29406

SHA512
a5b6f8dfecbea74a83f115ea5fcf78da367e9d4da50266219b27698718c896c5f970971d36ccd03f9c2e7674b83b12ba7ec85109494aba26b6f19ebb947852e8

Download Submit
C:\Windows\System\svchost.exe
Filesize
143KB

MD5
74c671705cd47f9c8c8dfed13422257b

SHA1
ca2f718fa9e262519769f45aa6a1fb37d3b50e41

SHA256
e2575c89c9eab4465883c42d08efe670c5bb4d7e5cac57df1321e2ff45c037ce

SHA512
edb25ea09b026b5ed060c6b9b2c43f717b3e09522ed63985562090176404697aed03c4832c3c785f8264d7beeea488ffb3a26ef973d69274bd132945e7da1b52

Download Submit
C:\Windows\System\svchost.exe
Filesize
306KB

MD5
729ec1f3df554e161ff9f186f12c5c7a

SHA1
860a1437f72aa4f4ed28ea057bb7b283c762737b

SHA256
f49cd8ac09d328b6548b6400e23091ab5896eb76476e2749d84e2e72b6d278aa

SHA512
71952a96d26a6324ea656570d6cc923a1b9f8b624df92f394b400706ad233ff2ce91fe4cbe926a36b131258da30cabb11d6e2fa0b4962becec716aa4aa76cbef

Download Submit
memory/788-217-0x0000000036A60000-0x0000000036F42000-memory.dmp

Filesize
4.9MB

Download
memory/788-154-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/788-112-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1208-157-0x000002E530EF0000-0x000002E530F00000-memory.dmp

Filesize
64KB

Download
memory/1208-212-0x00007FFF7BA40000-0x00007FFF7C42C000-memory.dmp

Filesize
9.9MB

Download
memory/1208-120-0x000002E530EF0000-0x000002E530F00000-memory.dmp

Filesize
64KB

Download
memory/1208-118-0x00007FFF7BA40000-0x00007FFF7C42C000-memory.dmp

Filesize
9.9MB

Download
memory/1208-119-0x000002E530EF0000-0x000002E530F00000-memory.dmp

Filesize
64KB

Download
memory/1208-204-0x000002E530EF0000-0x000002E530F00000-memory.dmp

Filesize
64KB

Download
memory/1292-6-0x00000250553F0000-0x0000025055400000-memory.dmp

Filesize
64KB

Download
memory/1292-106-0x00007FFF7BD00000-0x00007FFF7C6EC000-memory.dmp

Filesize
9.9MB

Download
memory/1292-18-0x0000025055580000-0x00000250555F6000-memory.dmp

Filesize
472KB

Download
memory/1292-11-0x000002503CEE0000-0x000002503CF02000-memory.dmp

Filesize
136KB

Download
memory/1292-103-0x00000250553F0000-0x0000025055400000-memory.dmp

Filesize
64KB

Download
memory/1292-7-0x00000250553F0000-0x0000025055400000-memory.dmp

Filesize
64KB

Download
memory/1292-46-0x00000250553F0000-0x0000025055400000-memory.dmp

Filesize
64KB

Download
memory/1292-5-0x00007FFF7BD00000-0x00007FFF7C6EC000-memory.dmp

Filesize
9.9MB

Download
memory/2608-124-0x00007FFF7BA40000-0x00007FFF7C42C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-216-0x00007FFF7BA40000-0x00007FFF7C42C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-126-0x000001DE8E510000-0x000001DE8E520000-memory.dmp

Filesize
64KB

Download
memory/2608-129-0x000001DE8E510000-0x000001DE8E520000-memory.dmp

Filesize
64KB

Download
memory/2608-166-0x000001DE8E510000-0x000001DE8E520000-memory.dmp

Filesize
64KB

Download
memory/2608-211-0x000001DE8E510000-0x000001DE8E520000-memory.dmp

Filesize
64KB

Download
memory/2752-94-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2752-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2752-113-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4776-10-0x00007FFF7BD00000-0x00007FFF7C6EC000-memory.dmp

Filesize
9.9MB

Download
memory/4776-13-0x0000024A31390000-0x0000024A313A0000-memory.dmp

Filesize
64KB

Download
memory/4776-15-0x0000024A31390000-0x0000024A313A0000-memory.dmp

Filesize
64KB

Download
memory/4776-104-0x00007FFF7BD00000-0x00007FFF7C6EC000-memory.dmp

Filesize
9.9MB

Download
memory/4776-45-0x0000024A31390000-0x0000024A313A0000-memory.dmp

Filesize
64KB

Download
memory/4776-96-0x0000024A31390000-0x0000024A313A0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads