Overview

overview

10

Static

static

10

svchost_du...py.exe

windows7-x64

10

svchost_du...py.exe

windows10-1703-x64

10

svchost_du...py.exe

windows10-2004-x64

10

svchost_du...py.exe

windows11-21h2-x64

10

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20231220-en
  • resource tags

    arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-02-2024 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Detects BazaLoader malware 7 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies Windows Firewall 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:352
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:200
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:4088
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:3724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1452
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:1084
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:520
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
            PID:5008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3768
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            3⤵
            • Modifies Windows Firewall
            PID:4116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2624
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            3⤵
            • Modifies Windows Firewall
            PID:2268
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
          2⤵
          • Creates scheduled task(s)
          PID:2848

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        268b890dae39e430e8b127909067ed96

        SHA1

        35939515965c0693ef46e021254c3e73ea8c4a2b

        SHA256

        7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

        SHA512

        abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        204aa71e32e977dbe10984fc8d6df62d

        SHA1

        bf8120a05f5475bd2835f56d64a6b270f8b70b22

        SHA256

        5b5bb82ffe764ffe7507e523cee292b2acdd7db44449a1c8b4373d91bc2341bc

        SHA512

        bf882721a5ced6ba3f3e4daf77fe48f219fe0ae48e10a0bf30509449aece7601b67f7157b80f91516e9d24984facc61058eaf56817fa994dbf05a134cb2e264a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        3f78f8d8ce2924679c823b12b4d90e53

        SHA1

        866afbec8d101b9d05bda56fe8116e965fc9a410

        SHA256

        8913e9df4798d40cc8e6219fada6bf79582e1b6d356fbdaad20c8dc84a815caf

        SHA512

        eb9d20b01d3750a591256be6b83a95012a85518f2932fdb7d3e9e3d11e05fa1e93e30fb0f210145d4574258f2d5cb3596abe19c5c60bfa07dd1a6a402ee93982

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5joz2bxl.cb4.ps1
        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
        Filesize

        576KB

        MD5

        e835b96012a08bf33ac69afe278e01e1

        SHA1

        e0d4d4acb7fdf38268f4442cceb155fec580a1c2

        SHA256

        642d913810363c97b562c31bbc329ed448db7076b973c66c9ed8d582e9fa2258

        SHA512

        06f8efe9d5e5184d68aa9056662b2c90f8d8b5bc4cd6f98b2174d348e17800f3d481cdec024775ca3f91b2de31161d77f9e0f107915bfe2113dd03cc4c7c9342

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
        Filesize

        1.1MB

        MD5

        ff22ef978794626b48921938fa9ad5d5

        SHA1

        db2d90f99834047d2ee79069dff0c3c9f60be50f

        SHA256

        b5f54b6414f1e986ce00b7a72297203d40b24c330538c56ab08bc31aa5c948a0

        SHA512

        21a97834b2857002c8d1f57463a25de0785f2f451b0c6f01c32b4b5efa7fd084cbd9b38e661c978629e4b8da8e71a588f17aca6835e949904adb32e98404862d

        Download Submit

      • C:\Windows\System\svchost.exe
        Filesize

        498KB

        MD5

        e2e3a89fcbd45696b9647f9f8d1bb9e8

        SHA1

        61d4225a7eeb64c72cba365c873c34664c0e6a2f

        SHA256

        2652125c030a2d9f442cb57054ff520ebf6c049034342a5cef03767748742faa

        SHA512

        f39125358fa4fed1d1b400a105332b57fbdc8dc78e23a4aabb8fcf8938bb27a2f29d38e99db203197d81a787693b7d6cb775c1a0d4ab949c8b226df0508e17ae

        Download Submit

      • C:\Windows\System\svchost.exe
        Filesize

        490KB

        MD5

        b990693b53a03b781feaa9d4a2f7e199

        SHA1

        df508f5d7d3dfe5f1863492fd741c77162108bbd

        SHA256

        36cba39253bb837de0cee057326e2992b5fe2bd975016d3410792baa4054381f

        SHA512

        0f00e2b5795d988d059c0b224ea86d652846bcce3ab0df1719c351051f349dc153ab6a63962bb25a34e238300f2bad15ea4ef96c1afd97cc708f480711acaef1

        Download Submit

      • memory/352-0-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/352-119-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/352-113-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/520-204-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/520-118-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/520-223-0x0000000036B10000-0x0000000036FF2000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/916-13-0x0000027ACD090000-0x0000027ACD0A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/916-15-0x0000027AE57C0000-0x0000027AE57E2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/916-105-0x0000027ACD090000-0x0000027ACD0A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/916-111-0x00007FF940170000-0x00007FF940B5C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/916-24-0x0000027AE5B80000-0x0000027AE5BF6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/916-5-0x00007FF940170000-0x00007FF940B5C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/916-52-0x0000027ACD090000-0x0000027ACD0A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/916-8-0x0000027ACD090000-0x0000027ACD0A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1452-51-0x000001845F6E0000-0x000001845F6F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1452-99-0x000001845F6E0000-0x000001845F6F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1452-10-0x00007FF940170000-0x00007FF940B5C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1452-12-0x000001845F6E0000-0x000001845F6F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1452-14-0x000001845F6E0000-0x000001845F6F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1452-110-0x00007FF940170000-0x00007FF940B5C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2624-131-0x00007FF93FFF0000-0x00007FF9409DC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2624-136-0x000001A5ED170000-0x000001A5ED180000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2624-135-0x000001A5ED170000-0x000001A5ED180000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2624-180-0x000001A5ED170000-0x000001A5ED180000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2624-222-0x00007FF93FFF0000-0x00007FF9409DC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2624-218-0x000001A5ED170000-0x000001A5ED180000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3768-206-0x00000175CD960000-0x00000175CD970000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3768-213-0x00007FF93FFF0000-0x00007FF9409DC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3768-126-0x00000175CD960000-0x00000175CD970000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3768-152-0x00000175CD960000-0x00000175CD970000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3768-124-0x00007FF93FFF0000-0x00007FF9409DC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3768-125-0x00000175CD960000-0x00000175CD970000-memory.dmp

        Filesize

        64KB

        Download