5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c

General

Target

5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe
Size

65KB
MD5

29a482d6aa05e9603c7e42b1cfac8830
SHA1

8b6c749d3ef41a17b79722cfef5a4f3c63c7ef87
SHA256

5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c
SHA512

0d4bea29df7993c6318057eb08c7a2001f851d2620c5cbf3e20629087e7ab4527918a1e1c99e297cffe7d0498bbfbfe474ea8d26a2cd5210d4ec97c57fc0569d
SSDEEP

1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ou7:7WNqkOJWmo1HpM0MkTUmu7

Score

10^/10

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral1/memory/2720-55-0x0000000072940000-0x0000000072A93000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2968 explorer.exe
2576 spoolsv.exe
2720 svchost.exe
2500 spoolsv.exe

pid	process
2968	explorer.exe
2576	spoolsv.exe
2720	svchost.exe
2500	spoolsv.exe

Loads dropped DLL 8 IoCs

Processes:

5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2932	5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe
2932	5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe
2968	explorer.exe
2968	explorer.exe
2576	spoolsv.exe
2576	spoolsv.exe
2720	svchost.exe
2720	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exespoolsv.exesvchost.exe5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exeexplorer.exesvchost.exe

pid	process
2932	5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2720	svchost.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe
2720	svchost.exe
2968	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2968 explorer.exe
2720 svchost.exe

pid	process
2968	explorer.exe
2720	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2932	5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe
2932	5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe
2968	explorer.exe
2968	explorer.exe
2576	spoolsv.exe
2576	spoolsv.exe
2720	svchost.exe
2720	svchost.exe
2500	spoolsv.exe
2500	spoolsv.exe
2968	explorer.exe
2968	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2932 wrote to memory of 2968	2932	5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe	explorer.exe
PID 2932 wrote to memory of 2968	2932	5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe	explorer.exe
PID 2932 wrote to memory of 2968	2932	5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe	explorer.exe
PID 2932 wrote to memory of 2968	2932	5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe	explorer.exe
PID 2968 wrote to memory of 2576	2968	explorer.exe	spoolsv.exe
PID 2968 wrote to memory of 2576	2968	explorer.exe	spoolsv.exe
PID 2968 wrote to memory of 2576	2968	explorer.exe	spoolsv.exe
PID 2968 wrote to memory of 2576	2968	explorer.exe	spoolsv.exe
PID 2576 wrote to memory of 2720	2576	spoolsv.exe	svchost.exe
PID 2576 wrote to memory of 2720	2576	spoolsv.exe	svchost.exe
PID 2576 wrote to memory of 2720	2576	spoolsv.exe	svchost.exe
PID 2576 wrote to memory of 2720	2576	spoolsv.exe	svchost.exe
PID 2720 wrote to memory of 2500	2720	svchost.exe	spoolsv.exe
PID 2720 wrote to memory of 2500	2720	svchost.exe	spoolsv.exe
PID 2720 wrote to memory of 2500	2720	svchost.exe	spoolsv.exe
PID 2720 wrote to memory of 2500	2720	svchost.exe	spoolsv.exe
PID 2720 wrote to memory of 2692	2720	svchost.exe	at.exe
PID 2720 wrote to memory of 2692	2720	svchost.exe	at.exe
PID 2720 wrote to memory of 2692	2720	svchost.exe	at.exe
PID 2720 wrote to memory of 2692	2720	svchost.exe	at.exe
PID 2720 wrote to memory of 2212	2720	svchost.exe	at.exe
PID 2720 wrote to memory of 2212	2720	svchost.exe	at.exe
PID 2720 wrote to memory of 2212	2720	svchost.exe	at.exe
PID 2720 wrote to memory of 2212	2720	svchost.exe	at.exe
PID 2720 wrote to memory of 3000	2720	svchost.exe	at.exe
PID 2720 wrote to memory of 3000	2720	svchost.exe	at.exe
PID 2720 wrote to memory of 3000	2720	svchost.exe	at.exe
PID 2720 wrote to memory of 3000	2720	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe
"C:\Users\Admin\AppData\Local\Temp\5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\SysWOW64\at.exe
at 00:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2692

C:\Windows\SysWOW64\at.exe
at 00:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2212

C:\Windows\SysWOW64\at.exe
at 00:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:3000

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
65KB

MD5
244669f0ab3917126f43f705bce12620

SHA1
ff287442aae5b71924f9c7cd179d987dcdf4f564

SHA256
c862b4d796e2be9321f939441797b6f9bec7513a49011009105f124c06fd804a

SHA512
cfb89b3aa98a7117340700a06e1eefdcaf67f218833c22ff1aaa8e09a2104e01d2b0f9ad1187e2f26e35f1c64cce05935b5ef4cf4608454718879d8066438731

Download Submit
\??\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\system\explorer.exe
Filesize
65KB

MD5
c868458b5af512d56a8f7554c3f46fa6

SHA1
e7ab77053f0b2428fbd8354d2a0f585f8d5673c6

SHA256
7eede8c7f390b156dfebdf3d00390d542b963a307786ed41f637625ad9e1e433

SHA512
3f658d0be5ae62b01b3b24e2662f6e36e8c398435460dbd81776df719b28380560f67fdb7c9b1f5233e73145e1add4dd240d254a5348b7074a47b2177d910d28

Download Submit
\Windows\system\spoolsv.exe
Filesize
65KB

MD5
5d35b86f540c5805eab9fec566844338

SHA1
ca033b67d9e135c0bfca939c461f80940212e33c

SHA256
4cc4ac5813a7c0b0906a2bb8957f3003adc6aa3d484c1974a59bcc579c245b40

SHA512
83eac98e3750409a52caf7a7942f72e02a9a36ffb4c476ee4d7f50a40b0f8becd96c78ae1709a10dbefe735284fd1c749c57311f0f3445797767d38932b95f91

Download Submit
\Windows\system\svchost.exe
Filesize
65KB

MD5
cdbc4914f013a2657fa9a285f5a34009

SHA1
5650155354ee0577e87f7a0c8682ac37aef830dd

SHA256
3b6cd2c782a10122531338f47c8aa3bd051cf20f6ff05cb45c347f845d4eb7a7

SHA512
7a7f8436d8a5152afd2c4b06fdbd75d93e52a7e7010b81b352845cb0523fa1c846b6ffa121aab8c0e0b6cad58f4919eb7dd82b938664e97373c0e4640ca77405

Download Submit
memory/2500-70-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2500-76-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2576-36-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2576-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2576-52-0x0000000002620000-0x0000000002651000-memory.dmp

Filesize
196KB

Download
memory/2576-40-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2576-53-0x0000000002620000-0x0000000002651000-memory.dmp

Filesize
196KB

Download
memory/2720-67-0x0000000000390000-0x00000000003C1000-memory.dmp

Filesize
196KB

Download
memory/2720-68-0x0000000000390000-0x00000000003C1000-memory.dmp

Filesize
196KB

Download
memory/2720-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2720-87-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2720-55-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2720-56-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2720-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2932-64-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2932-12-0x0000000003260000-0x0000000003291000-memory.dmp

Filesize
196KB

Download
memory/2932-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2932-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2932-66-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2932-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2932-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2932-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2932-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2932-83-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2968-34-0x0000000001D00000-0x0000000001D31000-memory.dmp

Filesize
196KB

Download
memory/2968-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2968-85-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2968-18-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2968-96-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2968-35-0x0000000001D00000-0x0000000001D31000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads