Overview
overview
10Static
static
3AMI/AMIDEWINx64.exe
windows10-2004-x64
1AMI/amigendrv64.sys
windows10-2004-x64
1AMI/spoof.bat
windows10-2004-x64
1Insyde/H2O...64.exe
windows10-2004-x64
Insyde/seg...64.sys
windows10-2004-x64
1Insyde/spoof.bat
windows10-2004-x64
VHD/VHD.bat
windows10-2004-x64
3check.bat
windows10-2004-x64
5tweaks/1.bat
windows10-2004-x64
10Analysis
-
max time kernel
1s -
max time network
8s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20/09/2024, 01:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
AMI/AMIDEWINx64.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral2
Sample
AMI/amigendrv64.sys
Resource
win10v2004-20240802-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral3
Sample
AMI/spoof.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral4
Sample
Insyde/H2OSDE-Wx64.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral5
Sample
Insyde/segwindrvx64.sys
Resource
win10v2004-20240802-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral6
Sample
Insyde/spoof.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral7
Sample
VHD/VHD.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
150 seconds
Behavioral task
behavioral8
Sample
check.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
4 signatures
150 seconds
Behavioral task
behavioral9
Sample
tweaks/1.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
11 signatures
150 seconds
Errors
Reason
Machine shutdown
General
-
Target
Insyde/H2OSDE-Wx64.exe
-
Size
918KB
-
MD5
42aedfbe60926aac1464a62d8d1c4df6
-
SHA1
89b2cdb05a7ee068b3601311331f057b0364eedf
-
SHA256
412e058e92b2498a4dcc4bf70b9aeedc8361f97be0fc071662d5cc480fd965ae
-
SHA512
ec8a1962c37f06a8ebab527a492d30ace1fb38cfa56d2dfed20fdb79a28693a555e8c74834703e97218575319433b95ccbbff6ca1c1f01adfeec79447844e7ea
-
SSDEEP
24576:wtT0dc9f8XTEtvM6kvvJ+11u4CN5oHDsUBmT:PTovsc11sN5ojspT
Score
5/10
Malware Config
Signatures
-
Drops file in System32 directory 15 IoCs
description ioc Process File created C:\Windows\System32\DriverStore\Temp\{03b6e52a-cf6a-934b-846f-8823769a1965}\SET9D1C.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{03b6e52a-cf6a-934b-846f-8823769a1965}\segwindrv.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{03b6e52a-cf6a-934b-846f-8823769a1965}\segwindrv.inf DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{03b6e52a-cf6a-934b-846f-8823769a1965}\SET9D0B.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{03b6e52a-cf6a-934b-846f-8823769a1965}\SET9D1D.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{03b6e52a-cf6a-934b-846f-8823769a1965}\SET9D1D.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrvx64.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrv.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{03b6e52a-cf6a-934b-846f-8823769a1965} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{03b6e52a-cf6a-934b-846f-8823769a1965}\SET9D0B.tmp DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{03b6e52a-cf6a-934b-846f-8823769a1965}\segwindrvx64.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{03b6e52a-cf6a-934b-846f-8823769a1965}\SET9D1C.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrv.inf DrvInst.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.dev.log H2OSDE-Wx64.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\inf\oem3.inf DrvInst.exe -
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 H2OSDE-Wx64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID H2OSDE-Wx64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags H2OSDE-Wx64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID H2OSDE-Wx64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom H2OSDE-Wx64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID H2OSDE-Wx64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs H2OSDE-Wx64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID H2OSDE-Wx64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 H2OSDE-Wx64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom H2OSDE-Wx64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags H2OSDE-Wx64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 H2OSDE-Wx64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 H2OSDE-Wx64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs H2OSDE-Wx64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs H2OSDE-Wx64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs H2OSDE-Wx64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 svchost.exe -
Modifies data under HKEY_USERS 41 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeSystemEnvironmentPrivilege 3128 H2OSDE-Wx64.exe Token: SeAuditPrivilege 3988 svchost.exe Token: SeSecurityPrivilege 3988 svchost.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3988 wrote to memory of 460 3988 svchost.exe 84 PID 3988 wrote to memory of 460 3988 svchost.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe"C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe"1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3128
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{53e6dce5-a4d7-f649-8936-f3e82c22f3bc}\segwindrv.inf" "9" "49f798bf3" "0000000000000140" "WinSta0\Default" "000000000000015C" "208" "c:\users\admin\appdata\local\temp\insyde"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:460
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\INSYDESEG\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca1156c0ee7a:Insyde_Device64:6.1.7600.16385:{416c2604-443b-436f-9e1d-607bdc3cc785}\segwindrv," "49f798bf3" "0000000000000140"2⤵PID:1012
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD543d3603cf918445cbd1d7253b49bf527
SHA1fabfaee55f2c4e6ca508d735b297bdb738ab1c7d
SHA256e830efe7786b0fb9dd84eb647614fa1795ec5caa605d44d9a13f0fdbd0f4d6b5
SHA512183b8498e4c86966050be324a027fc0a7f8179bb77d032ec97cf64ab91dac72c8e7fcdda36c733c2815973b72c91cee19d3263376a7e3b955c616f548690186e
-
Filesize
103KB
MD5e46dfe45c1714f4920d3fd2546f2f630
SHA128cdb0b48c1d88d71421ec9e40ce52836ab79956
SHA256b44f4384f95cc9d3f86f0c27fc0abba9a291a7cc24483f41e70c1234bc61edc6
SHA51297480d19e22ebef836e61f33d5540c41a08a9edc71af97a59fef71b3d60abd9ab78b32896ee0812cae1780da08f875e3cb32c048edf4fcae523fa04e23d2246c
-
Filesize
4KB
MD5843fb7475608ce359da7cbd48fa3ab1d
SHA1ae16643aa1756b34391e4c615958343ecb17b153
SHA256e1449864c7403b9cd3d828c6fc9710fe1fbb3f35c7b6522a5dcbcf97685f40d7
SHA5129db610ebff1ab1e24147abadf10f978eab95358f2b0806d17fb8df6e53723b0523dd26d0207430d029f5b6826a02c3a5d73ff01d8f6e28d53e82c230075f2b34