Overview

overview

10

Static

static

10

svchost_du...py.exe

windows7-x64

10

svchost_du...py.exe

windows10-1703-x64

10

svchost_du...py.exe

windows10-2004-x64

10

svchost_du...py.exe

windows11-21h2-x64

10

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    123s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2024 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Detects BazaLoader malware 8 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies Windows Firewall 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:1576
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:3264
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4556
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:4116
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:1532
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4040
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2188
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:4936
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2064
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:4564

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      77d622bb1a5b250869a3238b9bc1402b

      SHA1

      d47f4003c2554b9dfc4c16f22460b331886b191b

      SHA256

      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

      SHA512

      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      9c740b7699e2363ac4ecdf496520ca35

      SHA1

      aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

      SHA256

      be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

      SHA512

      8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqw32asy.lf0.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
      Filesize

      378KB

      MD5

      ed99645a6cae3019994f14ddf8a8d595

      SHA1

      1fba55ff1582ce0241dc9116740d082328d1728c

      SHA256

      8a04f7717947fc56da10d1b3410ffc6cd53ed011c88a39de20ab22ff2d4a928f

      SHA512

      62acd51ec4c799a9fb3148b2dfc9545ec45772599d9965273dddf98c349a7549f60e96d9e1d97634a53653a30909c736165de2109698052534a5fe271579cac0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
      Filesize

      20KB

      MD5

      47c28f47e76f63fb8521d429025e2793

      SHA1

      8212c5eacc3a8bb7c4085711eb3da0b1af337c23

      SHA256

      26b8c57ce56a979b15d8de9b5b23935fdb2e9f1e2ef74c5f448c40f3ed83efa3

      SHA512

      d71a18057a8777879a35358f9a57ca7be30a01e120aa95d4a16bdc74490555505b7b3edb139f6aac7c15be4f40ffd1af7a590efbdcd1e600e2fbf3043c6c7802

      Download Submit

    • C:\Windows\System\svchost.exe
      Filesize

      461KB

      MD5

      0ddc1e704346b9e86510deca84f5c67a

      SHA1

      81bf23f7aad4d0eee7691a88c55a8262c4dd5a53

      SHA256

      1a7524b65e44ae67ea33be3fe061b0caa808916caeb781ca02daa0d8fff51ed3

      SHA512

      8de737bf1e6b1bc32b74f23c3fe537e05177ad0cd77ced9195ce945385e4efe5f337a061e0a4e07eff661f270c2bbd08613ba0280e64fe28dd3dab5e00d9f718

      Download Submit

    • C:\Windows\System\svchost.exe
      Filesize

      614KB

      MD5

      fd5086f174a65053aee7aa695b437475

      SHA1

      098353729088b6323dac6c2de07ae6136db5be00

      SHA256

      6ab38ff9876f25ba9fe69d6fab998698a3b36647bf548c5909054244419ddc12

      SHA512

      873082269c523de4583ef900a2fa5691df9fcdd4bda0a8ffd99ba24c7d045ccd0f144be6613836e7957ebeefabcba437b759d19b8a30989baa10d0f8a9b41fd8

      Download Submit

    • C:\Windows\System\svchost.exe
      Filesize

      362KB

      MD5

      fad71148eabb89f0c0bb0463b5f2fefe

      SHA1

      1692fd921c79a0373ad23493c373e11c340ba7aa

      SHA256

      794977fbed8a31b079e134bbfec59c5da65e86eb838561b38c7af0756e4aa50f

      SHA512

      7b66f2bee9d5b6a49de3e0e960b447e09b46ed4bf9405a9e2fe99676d815c00c0b399738b7d4cbbc57a3277ddc4d49e1adab11418decad21e6001aa69cb774e0

      Download Submit

    • memory/1236-1-0x00000205EBAE0000-0x00000205EBB02000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1236-30-0x00007FFAE4210000-0x00007FFAE4CD1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1236-12-0x00000205EC020000-0x00000205EC030000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1236-11-0x00007FFAE4210000-0x00007FFAE4CD1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1620-0-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1620-40-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1620-42-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2064-66-0x0000018363E10000-0x0000018363E20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2064-65-0x00007FFAE4000000-0x00007FFAE4AC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2064-71-0x00007FFAE4000000-0x00007FFAE4AC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2188-68-0x00007FFAE4000000-0x00007FFAE4AC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2188-44-0x0000022E19ED0000-0x0000022E19EE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2188-50-0x0000022E19ED0000-0x0000022E19EE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2188-43-0x00007FFAE4000000-0x00007FFAE4AC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2812-41-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2812-72-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2812-73-0x0000000036870000-0x0000000036D52000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4556-31-0x00007FFAE4210000-0x00007FFAE4CD1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4556-23-0x000001AE78500000-0x000001AE78510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4556-24-0x000001AE78500000-0x000001AE78510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4556-22-0x00007FFAE4210000-0x00007FFAE4CD1000-memory.dmp

      Filesize

      10.8MB

      Download