7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
01-02-2024 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 8 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral4/memory/3776-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/memory/3776-23-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
behavioral4/memory/3088-41-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/memory/3776-42-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/memory/3088-73-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

2244 netsh.exe
4028 netsh.exe
1180 netsh.exe
3356 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3088 svchost.exe

pid	process
2244	netsh.exe
4028	netsh.exe
1180	netsh.exe
3356	netsh.exe

pid	process
3088	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2252 schtasks.exe

pid	process
2252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe

pid	process
3624	powershell.exe
3944	powershell.exe
3624	powershell.exe
3944	powershell.exe
3776	svchost_dump_SCY - Copy.exe
3776	svchost_dump_SCY - Copy.exe
1504	powershell.exe
1504	powershell.exe
4852	powershell.exe
4852	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3344	WMIC.exe
Token: SeSecurityPrivilege	3344	WMIC.exe
Token: SeTakeOwnershipPrivilege	3344	WMIC.exe
Token: SeLoadDriverPrivilege	3344	WMIC.exe
Token: SeSystemProfilePrivilege	3344	WMIC.exe
Token: SeSystemtimePrivilege	3344	WMIC.exe
Token: SeProfSingleProcessPrivilege	3344	WMIC.exe
Token: SeIncBasePriorityPrivilege	3344	WMIC.exe
Token: SeCreatePagefilePrivilege	3344	WMIC.exe
Token: SeBackupPrivilege	3344	WMIC.exe
Token: SeRestorePrivilege	3344	WMIC.exe
Token: SeShutdownPrivilege	3344	WMIC.exe
Token: SeDebugPrivilege	3344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3344	WMIC.exe
Token: SeRemoteShutdownPrivilege	3344	WMIC.exe
Token: SeUndockPrivilege	3344	WMIC.exe
Token: SeManageVolumePrivilege	3344	WMIC.exe
Token: 33	3344	WMIC.exe
Token: 34	3344	WMIC.exe
Token: 35	3344	WMIC.exe
Token: 36	3344	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3344	WMIC.exe
Token: SeSecurityPrivilege	3344	WMIC.exe
Token: SeTakeOwnershipPrivilege	3344	WMIC.exe
Token: SeLoadDriverPrivilege	3344	WMIC.exe
Token: SeSystemProfilePrivilege	3344	WMIC.exe
Token: SeSystemtimePrivilege	3344	WMIC.exe
Token: SeProfSingleProcessPrivilege	3344	WMIC.exe
Token: SeIncBasePriorityPrivilege	3344	WMIC.exe
Token: SeCreatePagefilePrivilege	3344	WMIC.exe
Token: SeBackupPrivilege	3344	WMIC.exe
Token: SeRestorePrivilege	3344	WMIC.exe
Token: SeShutdownPrivilege	3344	WMIC.exe
Token: SeDebugPrivilege	3344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3344	WMIC.exe
Token: SeRemoteShutdownPrivilege	3344	WMIC.exe
Token: SeUndockPrivilege	3344	WMIC.exe
Token: SeManageVolumePrivilege	3344	WMIC.exe
Token: 33	3344	WMIC.exe
Token: 34	3344	WMIC.exe
Token: 35	3344	WMIC.exe
Token: 36	3344	WMIC.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeIncreaseQuotaPrivilege	5064	WMIC.exe
Token: SeSecurityPrivilege	5064	WMIC.exe
Token: SeTakeOwnershipPrivilege	5064	WMIC.exe
Token: SeLoadDriverPrivilege	5064	WMIC.exe
Token: SeSystemProfilePrivilege	5064	WMIC.exe
Token: SeSystemtimePrivilege	5064	WMIC.exe
Token: SeProfSingleProcessPrivilege	5064	WMIC.exe
Token: SeIncBasePriorityPrivilege	5064	WMIC.exe
Token: SeCreatePagefilePrivilege	5064	WMIC.exe
Token: SeBackupPrivilege	5064	WMIC.exe
Token: SeRestorePrivilege	5064	WMIC.exe
Token: SeShutdownPrivilege	5064	WMIC.exe
Token: SeDebugPrivilege	5064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5064	WMIC.exe
Token: SeRemoteShutdownPrivilege	5064	WMIC.exe
Token: SeUndockPrivilege	5064	WMIC.exe
Token: SeManageVolumePrivilege	5064	WMIC.exe
Token: 33	5064	WMIC.exe
Token: 34	5064	WMIC.exe
Token: 35	5064	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	pid	process	target process
PID 3776 wrote to memory of 3344	3776	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 3776 wrote to memory of 3344	3776	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 3776 wrote to memory of 2244	3776	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3776 wrote to memory of 2244	3776	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3776 wrote to memory of 4028	3776	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3776 wrote to memory of 4028	3776	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3776 wrote to memory of 3624	3776	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3776 wrote to memory of 3624	3776	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3776 wrote to memory of 3944	3776	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3776 wrote to memory of 3944	3776	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3776 wrote to memory of 4984	3776	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3776 wrote to memory of 4984	3776	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3776 wrote to memory of 2252	3776	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3776 wrote to memory of 2252	3776	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3776 wrote to memory of 3088	3776	svchost_dump_SCY - Copy.exe	svchost.exe
PID 3776 wrote to memory of 3088	3776	svchost_dump_SCY - Copy.exe	svchost.exe
PID 3088 wrote to memory of 5064	3088	svchost.exe	WMIC.exe
PID 3088 wrote to memory of 5064	3088	svchost.exe	WMIC.exe
PID 3088 wrote to memory of 1180	3088	svchost.exe	netsh.exe
PID 3088 wrote to memory of 1180	3088	svchost.exe	netsh.exe
PID 3088 wrote to memory of 3356	3088	svchost.exe	netsh.exe
PID 3088 wrote to memory of 3356	3088	svchost.exe	netsh.exe
PID 3088 wrote to memory of 1504	3088	svchost.exe	powershell.exe
PID 3088 wrote to memory of 1504	3088	svchost.exe	powershell.exe
PID 3088 wrote to memory of 4852	3088	svchost.exe	powershell.exe
PID 3088 wrote to memory of 4852	3088	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2244

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:4984

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2252

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1180

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4a7f03a7ad1cae046d8ceac04256e5ae

SHA1
ef0bf767c91cba32b33c0b48f74f5eb153ae43d3

SHA256
e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60

SHA512
382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4fevz4qa.myz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus

Filesize
2.7MB

MD5
ee535c4a91908a3cb7a9ac18ce3ca262

SHA1
4d728fae27c745b018af0c65eda99d6defc45709

SHA256
6c74979ae79943ed676feb14668c3e93a69db92f227ad81d6ac50b346279895a

SHA512
ccad1ec57948eb4dc728278cd807b33bcfa3109bcd4d76beb175d9048e2f3e419fca36649101dc190cd3c8039fe58d991ae63ec2aa5d853dd58fd8403c46449f

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
2.0MB

MD5
52fbef00841d518a9b597b86dde50a45

SHA1
08261abc567b28ecf72d70d3d674019928f733a4

SHA256
852be8ad2018e4d43018f99c8083628a867f7890b76be8c0c92938e5bac1fe53

SHA512
f923925ebca6586ef8425b5659190c7f9ba36ceea85325b1f8514f3e40fb6419dc4f3a2ee83de54a944204c008346198467da3607fb982ceb4df45712a268ca0

Download Submit
C:\Windows\System\svchost.exe

Filesize
1.3MB

MD5
8abd9e40fe39aca4f14ac420a1ed5458

SHA1
aba86e95fb06c23226f7c345da07ed3f536682ea

SHA256
acb112ed02fd20ace0e90ba65d9e07148e2147881d5d08125b1c05f07303e842

SHA512
e933ea4115ffb2198bdb57df8aac9b42ad07e88e2ea1cf0911774b6e05d7e632178c85b9d0f748bbae89c23b43d426af5b649fbcce2ed5484080bf41ee14a32b

Download Submit
C:\Windows\System\svchost.exe

Filesize
4.0MB

MD5
822780b7e2b6e3683480a69896b10e96

SHA1
a55e5279307d1d5979cc7b2e44366155af2a1583

SHA256
2f847251c3e1c33974d96ac4e06fdacc5ff79c7fabad145e492e7c4ae38021ce

SHA512
899e7a1f5de7250b30b86367891d80afd652d0956d733207d267e86eed487f88a3427eb045d65ec479905c68efc33f76c35c00fa71698229ca92bf6f40bbaf8d

Download Submit
C:\Windows\System\svchost.exe

Filesize
4.3MB

MD5
874d1a1e859d6b02398cb36697098376

SHA1
a9d0cc735e1449159bb8a26da0506ee19e725ac5

SHA256
a103068e9c69f72ba74a4bfab92cc234393fba8801997da5ceb65fd3f6155978

SHA512
d15f30e1a799895f93b48896e983f1672f5254e9fb38270e173d41f3cb4637020bb00758a895a8ce99f3230cf361cadd67a9733b588fff2c86f60a641ed012f8

Download Submit
memory/1504-52-0x0000025F6A700000-0x0000025F6A710000-memory.dmp

Filesize
64KB

Download
memory/1504-53-0x0000025F6A700000-0x0000025F6A710000-memory.dmp

Filesize
64KB

Download
memory/1504-69-0x00007FFB440C0000-0x00007FFB44B82000-memory.dmp

Filesize
10.8MB

Download
memory/1504-43-0x00007FFB440C0000-0x00007FFB44B82000-memory.dmp

Filesize
10.8MB

Download
memory/3088-74-0x000000003B530000-0x000000003BA12000-memory.dmp

Filesize
4.9MB

Download
memory/3088-73-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3088-41-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3624-12-0x000001B594DD0000-0x000001B594DE0000-memory.dmp

Filesize
64KB

Download
memory/3624-32-0x00007FFB44170000-0x00007FFB44C32000-memory.dmp

Filesize
10.8MB

Download
memory/3624-9-0x00007FFB44170000-0x00007FFB44C32000-memory.dmp

Filesize
10.8MB

Download
memory/3624-11-0x000001B594DD0000-0x000001B594DE0000-memory.dmp

Filesize
64KB

Download
memory/3624-10-0x000001B5AD4A0000-0x000001B5AD4C2000-memory.dmp

Filesize
136KB

Download
memory/3776-23-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3776-42-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3776-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3944-25-0x00000262B6A10000-0x00000262B6A20000-memory.dmp

Filesize
64KB

Download
memory/3944-13-0x00007FFB44170000-0x00007FFB44C32000-memory.dmp

Filesize
10.8MB

Download
memory/3944-14-0x00000262B6A10000-0x00000262B6A20000-memory.dmp

Filesize
64KB

Download
memory/3944-31-0x00007FFB44170000-0x00007FFB44C32000-memory.dmp

Filesize
10.8MB

Download
memory/3944-24-0x00000262B6A10000-0x00000262B6A20000-memory.dmp

Filesize
64KB

Download
memory/4852-57-0x000001DBDF250000-0x000001DBDF260000-memory.dmp

Filesize
64KB

Download
memory/4852-72-0x00007FFB440C0000-0x00007FFB44B82000-memory.dmp

Filesize
10.8MB

Download
memory/4852-68-0x000001DBDF250000-0x000001DBDF260000-memory.dmp

Filesize
64KB

Download
memory/4852-66-0x000001DBDF250000-0x000001DBDF260000-memory.dmp

Filesize
64KB

Download
memory/4852-55-0x00007FFB440C0000-0x00007FFB44B82000-memory.dmp

Filesize
10.8MB

Download
memory/4852-56-0x000001DBDF250000-0x000001DBDF260000-memory.dmp

Filesize
64KB

Download