Analysis
max time kernel: 121s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20231222-en
resource tags: arch:x64, arch:x86, image:win11-20231222-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 23-01-2024 14:03
Behavioral task behavioral1: sample svchost_dump_SCY - Copy.exe, resource win7-20231215-en
Behavioral task behavioral2: sample svchost_dump_SCY - Copy.exe, resource win10-20231215-en
Behavioral task behavioral3: sample svchost_dump_SCY - Copy.exe, resource win10v2004-20231215-en
General
Target: svchost_dump_SCY - Copy.exe
Size: 5.2MB
MD5: 5fd3d21a968f4b8a1577b5405ab1c36a
SHA1: 710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256: 7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512: 085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP: 98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs
Malware Config
Signatures
Detects BazaLoader malware (8 IoCs)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
Processes (resource / yara_rule):
- behavioral4/memory/1984-0-0x0000000140000000-0x0000000140636000-memory.dmp / BazaLoader
- behavioral4/memory/1984-31-0x0000000140000000-0x0000000140636000-memory.dmp / BazaLoader
- C:\Windows\System\svchost.exe / BazaLoader
- C:\Windows\System\svchost.exe / BazaLoader
- C:\Windows\System\svchost.exe / BazaLoader
- behavioral4/memory/2296-43-0x0000000140000000-0x0000000140636000-memory.dmp / BazaLoader
- behavioral4/memory/1984-44-0x0000000140000000-0x0000000140636000-memory.dmp / BazaLoader
- behavioral4/memory/2296-70-0x0000000140000000-0x0000000140636000-memory.dmp / BazaLoader
Modifies Windows Firewall (1 TTP, 4 IoCs)
Processes (pid / process):
- 5068 / netsh.exe
- 4644 / netsh.exe
- 1232 / netsh.exe
- 1616 / netsh.exe
Executes dropped EXE (1 IoC)
Processes (pid / process):
- 2296 / svchost.exe
Drops file in Windows directory (4 IoCs)
Processes (description / ioc / process):
- File created / C:\Windows\System\xxx1.bak / svchost_dump_SCY - Copy.exe
- File created / C:\Windows\System\svchost.exe / svchost_dump_SCY - Copy.exe
- File opened for modification / C:\Windows\System\svchost.exe / svchost_dump_SCY - Copy.exe
- File created / C:\Windows\System\xxx1.bak / svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid / process):
- 280 / powershell.exe
- 280 / powershell.exe
- 2860 / powershell.exe
- 2860 / powershell.exe
- 1984 / svchost_dump_SCY - Copy.exe
- 1984 / svchost_dump_SCY - Copy.exe
- 3596 / powershell.exe
- 3596 / powershell.exe
- 1488 / powershell.exe
- 1488 / powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description / pid / process), grouped by process; the 64 entries are listed in the order the report records them:
- 4688 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence of 21 tokens is recorded twice, 42 entries)
- 280 powershell.exe: Token: SeDebugPrivilege
- 2860 powershell.exe: Token: SeDebugPrivilege
- 5004 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (20 entries)
Suspicious use of WriteProcessMemory (26 IoCs)
Processes (description / pid / process / target process); each of the 13 parent-to-child writes below is recorded twice in the report:
- PID 1984 wrote to memory of 4688 / 1984 / svchost_dump_SCY - Copy.exe / WMIC.exe
- PID 1984 wrote to memory of 5068 / 1984 / svchost_dump_SCY - Copy.exe / netsh.exe
- PID 1984 wrote to memory of 4644 / 1984 / svchost_dump_SCY - Copy.exe / netsh.exe
- PID 1984 wrote to memory of 280 / 1984 / svchost_dump_SCY - Copy.exe / powershell.exe
- PID 1984 wrote to memory of 2860 / 1984 / svchost_dump_SCY - Copy.exe / powershell.exe
- PID 1984 wrote to memory of 1448 / 1984 / svchost_dump_SCY - Copy.exe / schtasks.exe
- PID 1984 wrote to memory of 4848 / 1984 / svchost_dump_SCY - Copy.exe / schtasks.exe
- PID 1984 wrote to memory of 2296 / 1984 / svchost_dump_SCY - Copy.exe / svchost.exe
- PID 2296 wrote to memory of 5004 / 2296 / svchost.exe / WMIC.exe
- PID 2296 wrote to memory of 1616 / 2296 / svchost.exe / netsh.exe
- PID 2296 wrote to memory of 1232 / 2296 / svchost.exe / netsh.exe
- PID 2296 wrote to memory of 3596 / 2296 / svchost.exe / powershell.exe
- PID 2296 wrote to memory of 1488 / 2296 / svchost.exe / powershell.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (indentation shows parent/child depth; image path, then the command line as recorded, then PID and the signatures that fired on that process):

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
  PID: 1984
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\Wbem\WMIC.exe
    Command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
    PID: 4688
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    PID: 5068
    - Modifies Windows Firewall

  C:\Windows\System32\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    PID: 4644
    - Modifies Windows Firewall

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    PID: 280
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    PID: 2860
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SYSTEM32\schtasks.exe
    Command line: schtasks /delete /TN "Timer"
    PID: 1448

  C:\Windows\SYSTEM32\schtasks.exe
    Command line: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
    PID: 4848
    - Creates scheduled task(s)

  C:\Windows\System\svchost.exe
    Command line: "C:\Windows\System\svchost.exe" formal
    PID: 2296
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
      Command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      PID: 5004
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      PID: 3596
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      PID: 1232
      - Modifies Windows Firewall

    C:\Windows\System32\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      PID: 1616
      - Modifies Windows Firewall

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      PID: 1488
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads