Overview
- Static (score 10)
- AMI/AMIDEWINx64.exe (score 3), windows10-2004-x64
- AMI/amigendrv64.sys (score 1), windows10-2004-x64
- AMI/spoof.bat (score 1), windows10-2004-x64
- Insyde/H2O...64.exe (score 1), windows10-2004-x64
- Insyde/seg...64.sys, windows10-2004-x64
- Insyde/spoof.bat (score 1), windows10-2004-x64
- VHD/VHD.bat, windows10-2004-x64
- check.bat (score 3), windows10-2004-x64
- tweaks/1.bat (score 5), windows10-2004-x64
Analysis (score 10)
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/09/2024, 01:54
Static task: static1
Behavioral tasks (all run on resource win10v2004-20240802-en):
- behavioral1: AMI/AMIDEWINx64.exe
- behavioral2: AMI/amigendrv64.sys
- behavioral3: AMI/spoof.bat
- behavioral4: Insyde/H2OSDE-Wx64.exe
- behavioral5: Insyde/segwindrvx64.sys
- behavioral6: Insyde/spoof.bat
- behavioral7: VHD/VHD.bat
- behavioral8: check.bat
- behavioral9: tweaks/1.bat
General
- Target: check.bat
- Size: 274B
- MD5: e8db7ba2184c7b20e20182d01522e6c6
- SHA1: 877be10ebd8d6281da715d96b4741dddbbd258c3
- SHA256: 3c36f73644642fa71c86fe48d24cc47f5293cedcec8bd0981d111e5823bda3ea
- SHA512: 1024d79d1b3f6208c577b7c45ac8e3a985887736af0712fbec2e54c837c4d6de14afa7dfbe58266d157490952c9a857a402ec3ec393d560d6611273aac55d529
Malware Config
Signatures
- Drops file in System32 directory (7 IoCs)
  description / ioc / Process:
  - File opened for modification: C:\Windows\system32\wbem\repository (svchost.exe)
  - File opened for modification: C:\Windows\system32\wbem\repository\WRITABLE.TST (svchost.exe)
  - File opened for modification: C:\Windows\system32\wbem\repository\MAPPING1.MAP (svchost.exe)
  - File opened for modification: C:\Windows\system32\wbem\repository\MAPPING2.MAP (svchost.exe)
  - File opened for modification: C:\Windows\system32\wbem\repository\MAPPING3.MAP (svchost.exe)
  - File opened for modification: C:\Windows\system32\wbem\repository\OBJECTS.DATA (svchost.exe)
  - File opened for modification: C:\Windows\system32\wbem\repository\INDEX.BTR (svchost.exe)
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description / pid / Process, grouped by process:
  - WMIC.exe, pid 3484 (21 entries): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - svchost.exe, pid 1424 (43 entries): the sequence Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege is recorded three times in full (36 entries), followed once more by its first seven tokens (SeAssignPrimaryTokenPrivilege through SeBackupPrivilege)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  - PID 2336 wrote to memory of 4612 (cmd.exe, procid_target 83)
  - PID 2336 wrote to memory of 4612 (cmd.exe, procid_target 83)
  - PID 4612 wrote to memory of 2584 (net.exe, procid_target 84)
  - PID 4612 wrote to memory of 2584 (net.exe, procid_target 84)
  - PID 2336 wrote to memory of 3484 (cmd.exe, procid_target 87)
  - PID 2336 wrote to memory of 3484 (cmd.exe, procid_target 87)
  - PID 2336 wrote to memory of 4536 (cmd.exe, procid_target 90)
  - PID 2336 wrote to memory of 4536 (cmd.exe, procid_target 90)
  - PID 2336 wrote to memory of 4248 (cmd.exe, procid_target 91)
  - PID 2336 wrote to memory of 4248 (cmd.exe, procid_target 91)
  - PID 2336 wrote to memory of 1680 (cmd.exe, procid_target 93)
  - PID 2336 wrote to memory of 1680 (cmd.exe, procid_target 93)
Processes
- C:\Windows\system32\cmd.exe (PID 2336), command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\check.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 4612), command line: net stop winmgmt /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2584), command line: C:\Windows\system32\net1 stop winmgmt /y
  - C:\Windows\System32\Wbem\WMIC.exe (PID 3484), command line: wmic baseboard get manufacturer, product, serialnumber
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe (PID 4536), command line: wmic bios get manufacturer, releasedate, serialnumber
  - C:\Windows\System32\Wbem\WMIC.exe (PID 4248), command line: wmic csproduct get name, uuid
  - C:\Windows\System32\Wbem\WMIC.exe (PID 1680), command line: wmic diskdrive get serialnumber
- C:\Windows\system32\svchost.exe (PID 1424), command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken