Overview

overview

10

Static

static

10

svchost_du...py.exe

windows7-x64

10

svchost_du...py.exe

windows10-1703-x64

10

svchost_du...py.exe

windows10-2004-x64

10

svchost_du...py.exe

windows11-21h2-x64

10

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    127s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01-02-2024 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Detects BazaLoader malware 9 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies Windows Firewall 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2012
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:2808
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:2840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2948
    • C:\Windows\system32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:320
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:1652
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3052
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:2288
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1344
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:2268
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1040

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      cf2a49bed448cbd5919edaa19481f8e4

      SHA1

      b7bcabc3e290f14f7022a954c1f1c5ef32f26eda

      SHA256

      30b6699410321e8a09f2ba972644799207279b8b3802da8fc0f1842b2b63f36d

      SHA512

      935c44f738b6360bbb29b82a3b943c70e9d84f40c3d4a812a2b05e6a45af59ba08da7f5704b16623ebfe992ff9eb1cafe8b2a881bf89ff5759b5e10da0a3ed35

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
      Filesize

      607KB

      MD5

      c90dbe1869fd177f6032a2a04d09aaba

      SHA1

      3e1807aa2a5d764d55f21bd17e589c14b761648c

      SHA256

      772c306cb64c1d8907e8cf345f097a0f634aadc551246e42eae5f50d1ad1b231

      SHA512

      6c59ebe1d8f19dd4265d8e93f6dccc8c4d033cfba68b509a5696cba65864bd18d96c6a801e10067e8ba3f5edd82b6d82b994d4e9b8a1adbf91d6eeeaa9d55de5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
      Filesize

      85KB

      MD5

      d4e9c8cf6ff80dc93b3d1ed4a07ac537

      SHA1

      8503dfad832a25ebd866bbaa1437e80173e2c769

      SHA256

      8c79ba3ab8489f3da0621452fe8a5d3dc9d8ae2a88d882a463a1f2472214a5b8

      SHA512

      c46e344e13e5181f741432c5c919099ed67b1dabdd64e13fc62389083a98b3e00d9db54a4ec6a2627ba0b2862a291064b6decb9bc616b826a1d33dce9725af47

      Download Submit

    • C:\Windows\system\svchost.exe
      Filesize

      265KB

      MD5

      5c50e536f01efd8bb291295e429084e3

      SHA1

      347f255817b6c343732d30ccef36f0130fbf551c

      SHA256

      bc4c132a2247842430ac69c6367d99db790439b46416924242d11310318a99a9

      SHA512

      3a86250d0cc74217d3b7e4a8aaab8d56c91a2aa2f13b603c51be6f2c260822dac01096772c29db9a3deef6206e640e0b1915603b67710736ce1277fe809d0730

      Download Submit

    • C:\Windows\system\svchost.exe
      Filesize

      257KB

      MD5

      0301dcafa255ec9f68d05b55c096975a

      SHA1

      8fd6a86f245ea501bb3b23e2a179c39c1167c447

      SHA256

      6294a06db536c776f109254c0b9a5a49a79bcdd3730fe830c68707cb85563ba6

      SHA512

      97c00e9d0fce2e42b80bdd8d0d7a6356ad500f22bc5b4da66beb1f355c4447df034c45c552f747144f6d5a786ba2dc90680eefd25429afe82c709b90084a956d

      Download Submit

    • \Windows\system\svchost.exe
      Filesize

      254KB

      MD5

      b47a1c8ed8734749032a531b2f004a15

      SHA1

      03e5df08d20311c8ea11a4f06ae9e2835b6f6490

      SHA256

      f7f7d47f1b5cb8eaea37ce696181a28e7280ae8edc335d78e1a50bff1543e498

      SHA512

      566584588e19954340e1a15c473e2b31105ac7b9595d1c31d9be5c8bfb4ab1ec23b244853556e3df7e83d48ef577f53998da79c679413131e27970b1e1d32a66

      Download Submit

    • \Windows\system\svchost.exe
      Filesize

      102KB

      MD5

      900fc884e9fadb18d503b47425d4d42a

      SHA1

      c4be6aef5d577698a2482f4199d0f8385109f20f

      SHA256

      a552ebe78076add367343f99cfbc00d04f66510b6dec7b81b358d0c75898e636

      SHA512

      ab4f86a227c4cc937bab7f96c4d52b147dcd2783ae3c0c759498c0e6ed152136b0510f05dafc651cff0e293b0ccb34a8dcf91feb101cdca9e2582b5ede730c96

      Download Submit

    • memory/1040-63-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1040-57-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1040-58-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1040-59-0x0000000002880000-0x0000000002900000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1040-62-0x0000000002880000-0x0000000002900000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1040-60-0x0000000002880000-0x0000000002900000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1344-47-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1344-45-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1344-61-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1344-43-0x000000001B530000-0x000000001B812000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1344-46-0x0000000002C70000-0x0000000002CF0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1344-49-0x0000000002C70000-0x0000000002CF0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1344-50-0x0000000002C70000-0x0000000002CF0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1344-48-0x0000000002C70000-0x0000000002CF0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1344-44-0x0000000002B80000-0x0000000002B88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2340-64-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2340-35-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2340-65-0x000000001ED00000-0x000000001F1E2000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2772-12-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2772-13-0x0000000002730000-0x00000000027B0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2772-16-0x0000000002734000-0x0000000002737000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2772-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2772-15-0x0000000002730000-0x00000000027B0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2772-22-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2772-6-0x00000000022C0000-0x00000000022C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2772-19-0x000000000273B000-0x00000000027A2000-memory.dmp

      Filesize

      412KB

      Download

    • memory/2772-14-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2896-24-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2896-36-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2896-0-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2896-34-0x000000001F460000-0x000000001FA96000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2896-33-0x000000001F460000-0x000000001FA96000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2948-21-0x0000000002C50000-0x0000000002CD0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2948-42-0x0000000002C50000-0x0000000002CD0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2948-17-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2948-18-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2948-20-0x0000000002C54000-0x0000000002C57000-memory.dmp

      Filesize

      12KB

      Download