Overview

overview

10

Static

static

3

5e0c522ddb...5c.exe

windows7-x64

10

5e0c522ddb...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 00:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe

  • Size

    65KB

  • MD5

    29a482d6aa05e9603c7e42b1cfac8830

  • SHA1

    8b6c749d3ef41a17b79722cfef5a4f3c63c7ef87

  • SHA256

    5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c

  • SHA512

    0d4bea29df7993c6318057eb08c7a2001f851d2620c5cbf3e20629087e7ab4527918a1e1c99e297cffe7d0498bbfbfe474ea8d26a2cd5210d4ec97c57fc0569d

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ou7:7WNqkOJWmo1HpM0MkTUmu7

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe
    "C:\Users\Admin\AppData\Local\Temp\5e0c522ddbdfa11823523f092ee8c31f20a50db180afacab887e6d9badc9525c.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1236
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1932
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3620
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2184
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2404
          • C:\Windows\SysWOW64\at.exe
            at 00:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4876
            • C:\Windows\SysWOW64\at.exe
              at 00:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1612
              • C:\Windows\SysWOW64\at.exe
                at 00:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4176

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Privilege Escalation

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Defense Evasion

        Modify Registry

        4
        T1112

        Hide Artifacts

        1
        T1564

        Hidden Files and Directories

        1
        T1564.001

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          7e41a1d1ceddfd211a48faceea3701c8

          SHA1

          8982690c0001c22524afb29ad95e7b3ee01b8f4a

          SHA256

          6a1bd1ff11ee5a071c0e518e072cf0dbaf67434178a152410d1e6f842ff3b009

          SHA512

          53843b71210f9a062eda1a5a874b1f209e2529dbda28fd6fd366a5a41ac17862d3fb2730d0ddf9ff412690482a2dbf7e0496eb3609e288bfa5732d341c8dd5e1

          Download Submit
        • C:\Windows\System\explorer.exe
          Filesize

          65KB

          MD5

          c1186ae7a442ee360250cc713e56114b

          SHA1

          980de9d930825cc0d8f49166b1a7e04c0bf925e3

          SHA256

          f9e86e0fa5ccb42f4ca31bc551155ccb7c5b96faeb33b5c79648fbe426e577fb

          SHA512

          5a5802129b8333b668fb86ee21d9d93cdea790a6ed923cc6da4413d883fa1be722090c79d6c64a4ff63ade129c99367273c5d3a49f485d29c0c13eb11b34da0f

          Download Submit
        • C:\Windows\System\spoolsv.exe
          Filesize

          65KB

          MD5

          6171d6f9711a147931fa599eee206861

          SHA1

          07b7fcb105b5ce7b70487c39c85172da45eeede7

          SHA256

          2c9860783f57146f5c4ef7482591ac195630c0ea8aed43e5723301f0d7169f9a

          SHA512

          0fe106d26489c415f6f1dc2b9b880b125f59f88d5974daa5a56f224052353ba254cfcdebe6190226a4f49474d33bd4438f3ce98ec41c98f2be5300de8659aa7c

          Download Submit
        • C:\Windows\System\svchost.exe
          Filesize

          65KB

          MD5

          63e3387c20c911b55eafbd7b89532a00

          SHA1

          4e3cf1ea3854b8374d2124e12114ece972807aff

          SHA256

          232d4f94e3a596cb8e06e1d9d99114169b4f95679cf4eaad660c8c73366b83d4

          SHA512

          2a4d160f71efa0c3a1caf97479c4c2015e6734969761d013805612612db0d68001cffa941dcaf6969d00ace678424812c6773724773ebf9c44cd87ea5fe96d56

          Download Submit
        • \??\PIPE\atsvc
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          Download Submit
        • memory/1236-1-0x00000000001C0000-0x00000000001C4000-memory.dmp
          Filesize

          16KB

          Download
        • memory/1236-3-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1236-2-0x0000000074D90000-0x0000000074EED000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1236-4-0x0000000000401000-0x000000000042E000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1236-0-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1236-54-0x0000000000401000-0x000000000042E000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1236-52-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1932-13-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1932-15-0x0000000074D90000-0x0000000074EED000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1932-17-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1932-55-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1932-66-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1932-14-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/2184-37-0x0000000074D90000-0x0000000074EED000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/2184-57-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/2404-43-0x0000000074D90000-0x0000000074EED000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/2404-50-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3620-28-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3620-51-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3620-26-0x0000000074D90000-0x0000000074EED000-memory.dmp
          Filesize

          1.4MB

          Download