General

  • Target

    spoof2.zip

  • Size

    565KB

  • Sample

    240920-nn8a5atfne

  • MD5

    79aa575e7e2b033646f74f69e44c60d4

  • SHA1

    6feff8cad2f9ae2b831343fa7bfcb408ffe23b92

  • SHA256

    022e498fe973889e1c2ad0964f0a097a87feb14ceb314a5c19c7ff5d9c7ebb36

  • SHA512

    732e1ae4488765d0a4b5919900c548272ce932d97743a1c8adca26d437c9c4e38a78b45c5ccf15acd51d0042f33c6d132e98a6dfd92132d3bc97ff58984de006

  • SSDEEP

    12288:Bq0wZ837dYoz2ko5wLJXOKfegCEkwg+al7+fzohptnT1cbyx1fR:Y0fLdYTyLJXN2gCEV2KfzAnBcbyxJR

Malware Config

Targets

    • Target

      AMI/AMIDEWINx64.EXE

    • Size

      377KB

    • MD5

      6dea36ae7a414e376b00829e16da52e0

    • SHA1

      5ddb6b72867002a03f26aed612f320e82598464e

    • SHA256

      47c16703fa7df006f9559fca8b1482b4c59111017a0530c1edac3caf0bdaaf39

    • SHA512

      f61f6a661e816ff72a91849c8363dbbbadadc24d34c25072a3cbb3be16ce9a540c8f86ae2c031fc97e5484944d8957cd7a7e3104dee2a2091b2b344422e30487

    • SSDEEP

      6144:u0lLNvLmP/LgoYG5HViOlHH7qKPUcky2FpwhPa24UW3Plqr9hUURgr:lzmP/Lgk5HViOlHH7qKPfky2FpwhyV3X

    • Score

      1/10

    • Target

      AMI/amigendrv64.sys

    • Size

      35KB

    • MD5

      8d533ae1500f743a177b27c88a241163

    • SHA1

      52c25cf4c903714fa52870a16d143fb6aeb0fa99

    • SHA256

      b9e8de155fb9aabb4760034a65855130eb85aadc88963e40e2be87b049c025bf

    • SHA512

      546c9309b9b078ce4c49a3b56ec8d77b0fd4c0bd583f4bce53705f854fe2addba5c8029ed8b8da9e944b2c212d2ee0508095bf20c12632b760a5c271d19940de

    • SSDEEP

      384:mrzqfCQlZluZfnktrQsHGh1jEiI4IHith5kCN88ZGmGovy8ZpHcS8FRJvIsWAR9k:+dCluVG0zuiv1yiR89PL9zIf

    • Score

      1/10

    • Target

      AMI/spoof.bat

    • Size

      57B

    • MD5

      70c372a580ee13ad16ff67d3cc0ff0c6

    • SHA1

      7e92af45a827b70404573f9f8339b2c9297793ec

    • SHA256

      74975bffd064e9e27f44db7738b5f4c971ca1401b5e5d89f4aa50835801abb5c

    • SHA512

      8dd0f5cbf1e66061f11d9129b6da90046ffc36742b2884e271399f17f096dbaf5c1db80d2b4c3e4594961021c96e04c623c684c5c6511cfe6e64b5527d1e50ed

    • Score

      1/10

    • Target

      Insyde/H2OSDE-Wx64.exe

    • Size

      918KB

    • MD5

      42aedfbe60926aac1464a62d8d1c4df6

    • SHA1

      89b2cdb05a7ee068b3601311331f057b0364eedf

    • SHA256

      412e058e92b2498a4dcc4bf70b9aeedc8361f97be0fc071662d5cc480fd965ae

    • SHA512

      ec8a1962c37f06a8ebab527a492d30ace1fb38cfa56d2dfed20fdb79a28693a555e8c74834703e97218575319433b95ccbbff6ca1c1f01adfeec79447844e7ea

    • SSDEEP

      24576:wtT0dc9f8XTEtvM6kvvJ+11u4CN5oHDsUBmT:PTovsc11sN5ojspT

    • Score

      5/10

    • Drops file in System32 directory

    • Target

      Insyde/segwindrvx64.sys

    • Size

      103KB

    • MD5

      e46dfe45c1714f4920d3fd2546f2f630

    • SHA1

      28cdb0b48c1d88d71421ec9e40ce52836ab79956

    • SHA256

      b44f4384f95cc9d3f86f0c27fc0abba9a291a7cc24483f41e70c1234bc61edc6

    • SHA512

      97480d19e22ebef836e61f33d5540c41a08a9edc71af97a59fef71b3d60abd9ab78b32896ee0812cae1780da08f875e3cb32c048edf4fcae523fa04e23d2246c

    • SSDEEP

      1536:yALHKmz+6n3qOZhiIjyvxjSd0CG7wMLw6JSoe80/ttsw:bHKmz+C6ATjuxjSdq75w6JFstaw

    • Score

      1/10

    • Target

      Insyde/spoof.bat

    • Size

      39B

    • MD5

      00b669e9102e6055f3ffb59c495f9590

    • SHA1

      33663eeb1eb9dbd1fb9d7d8da05ff682a0b77817

    • SHA256

      9a33bcec16224a280916ee5362c09e5c4b9e23b578802824250710d8cb5e3bdf

    • SHA512

      64564a7c15c35f2a8f2f0490b015461831ceb8db1d23481b2fed6b396333d931663f2fe3684b7d54dc3ca99ea89b8527d570ee19969561a23bf71dcfee93a5f6

    • Score

      5/10

    • Drops file in System32 directory

    • Target

      VHD/VHD.bat

    • Size

      82B

    • MD5

      945e0ff83a6f23cf0568ba1444af9384

    • SHA1

      184d295e43c244bb4891b79927e45049f9a1b8fe

    • SHA256

      569a3ea35752c5f848269f90cc8fd72f3e587e44c987e9986af242ba3cbc93d8

    • SHA512

      00991d10ec9fb366288b1a025eac20e2986ed31a09853dacc47dca21b420213d251c72c6006b32c02f77611284496d4ce2e4511e818de67d82e87342fd9b7789

    • Score

      3/10

    • Target

      check.bat

    • Size

      274B

    • MD5

      e8db7ba2184c7b20e20182d01522e6c6

    • SHA1

      877be10ebd8d6281da715d96b4741dddbbd258c3

    • SHA256

      3c36f73644642fa71c86fe48d24cc47f5293cedcec8bd0981d111e5823bda3ea

    • SHA512

      1024d79d1b3f6208c577b7c45ac8e3a985887736af0712fbec2e54c837c4d6de14afa7dfbe58266d157490952c9a857a402ec3ec393d560d6611273aac55d529

    • Score

      5/10

    • Drops file in System32 directory

    • Target

      tweaks/1.bat

    • Size

      253B

    • MD5

      ce17bbdf67566edb48a72c10dc53aa19

    • SHA1

      5463f627871b844a098871aa5dbe43ef9f39d09e

    • SHA256

      9ee833b3b341ab2fbbc1b215c2613a3cb947aa5174122f69c87068c54d3b6f8a

    • SHA512

      6c76ccb6b1bf9c40c62c50ab04fe053f7358496eafa0345f14dc0a5f2e29cf58a3f87e301efe876ba9d2ac9f3ca5471d7af991d3f4c7097fd1f55dc9976360da

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • UAC bypass

    • Modifies boot configuration data using bcdedit

    • Modify Registry: Disable Windows Driver Blocklist

      Disable Windows Driver Blocklist via Registry.

    • Possible privilege escalation attempt

    • Modifies file permissions

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks