022e498fe973889e1c2ad0964f0a097a87feb14ceb314a5c19c7ff5d9c7ebb36

Reason

Machine shutdown

General

Target

Insyde/spoof.bat
Size

39B
MD5

00b669e9102e6055f3ffb59c495f9590
SHA1

33663eeb1eb9dbd1fb9d7d8da05ff682a0b77817
SHA256

9a33bcec16224a280916ee5362c09e5c4b9e23b578802824250710d8cb5e3bdf
SHA512

64564a7c15c35f2a8f2f0490b015461831ceb8db1d23481b2fed6b396333d931663f2fe3684b7d54dc3ca99ea89b8527d570ee19969561a23bf71dcfee93a5f6

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5282c785-829c-9946-b39b-12a00260c04e}\segwindrv.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5282c785-829c-9946-b39b-12a00260c04e}\SET8462.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5282c785-829c-9946-b39b-12a00260c04e}\SET8462.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5282c785-829c-9946-b39b-12a00260c04e}\segwindrvx64.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5282c785-829c-9946-b39b-12a00260c04e}\SET8473.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5282c785-829c-9946-b39b-12a00260c04e}\segwindrv.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5282c785-829c-9946-b39b-12a00260c04e}\SET8474.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5282c785-829c-9946-b39b-12a00260c04e}\SET8473.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5282c785-829c-9946-b39b-12a00260c04e}\SET8474.tmp	DrvInst.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	H2OSDE-Wx64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	H2OSDE-Wx64.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSystemEnvironmentPrivilege	4600	H2OSDE-Wx64.exe
Token: SeAuditPrivilege	2456	svchost.exe
Token: SeSecurityPrivilege	2456	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 4600	1932	cmd.exe	83
PID 1932 wrote to memory of 4600	1932	cmd.exe	83
PID 2456 wrote to memory of 3652	2456	svchost.exe	85
PID 2456 wrote to memory of 3652	2456	svchost.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Insyde\spoof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe
  H2OSDE-Wx64.exe -SU AUTO
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2480c80a-5afa-f54c-a925-f6d248e272eb}\segwindrv.inf" "9" "49f798bf3" "000000000000014C" "WinSta0\Default" "0000000000000154" "208" "c:\users\admin\appdata\local\temp\insyde"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3652
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\INSYDESEG\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca1156c0ee7a:Insyde_Device64:6.1.7600.16385:{416c2604-443b-436f-9e1d-607bdc3cc785}\segwindrv," "49f798bf3" "000000000000014C"
  2⤵
  PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{2480C~1\segwindrvx64.sys

Filesize
103KB

MD5
e46dfe45c1714f4920d3fd2546f2f630

SHA1
28cdb0b48c1d88d71421ec9e40ce52836ab79956

SHA256
b44f4384f95cc9d3f86f0c27fc0abba9a291a7cc24483f41e70c1234bc61edc6

SHA512
97480d19e22ebef836e61f33d5540c41a08a9edc71af97a59fef71b3d60abd9ab78b32896ee0812cae1780da08f875e3cb32c048edf4fcae523fa04e23d2246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2480c80a-5afa-f54c-a925-f6d248e272eb}\segwindrv.inf

Filesize
4KB

MD5
843fb7475608ce359da7cbd48fa3ab1d

SHA1
ae16643aa1756b34391e4c615958343ecb17b153

SHA256
e1449864c7403b9cd3d828c6fc9710fe1fbb3f35c7b6522a5dcbcf97685f40d7

SHA512
9db610ebff1ab1e24147abadf10f978eab95358f2b0806d17fb8df6e53723b0523dd26d0207430d029f5b6826a02c3a5d73ff01d8f6e28d53e82c230075f2b34

Download Submit
C:\Windows\System32\DriverStore\Temp\{5282c785-829c-9946-b39b-12a00260c04e}\SET8473.tmp

Filesize
10KB

MD5
43d3603cf918445cbd1d7253b49bf527

SHA1
fabfaee55f2c4e6ca508d735b297bdb738ab1c7d

SHA256
e830efe7786b0fb9dd84eb647614fa1795ec5caa605d44d9a13f0fdbd0f4d6b5

SHA512
183b8498e4c86966050be324a027fc0a7f8179bb77d032ec97cf64ab91dac72c8e7fcdda36c733c2815973b72c91cee19d3263376a7e3b955c616f548690186e

Download Submit

Analysis

Sharing

Errors