022e498fe973889e1c2ad0964f0a097a87feb14ceb314a5c19c7ff5d9c7ebb36

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Insyde/spoof.bat
Size

39B
MD5

00b669e9102e6055f3ffb59c495f9590
SHA1

33663eeb1eb9dbd1fb9d7d8da05ff682a0b77817
SHA256

9a33bcec16224a280916ee5362c09e5c4b9e23b578802824250710d8cb5e3bdf
SHA512

64564a7c15c35f2a8f2f0490b015461831ceb8db1d23481b2fed6b396333d931663f2fe3684b7d54dc3ca99ea89b8527d570ee19969561a23bf71dcfee93a5f6

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3b8f4165-0abd-29df-3d66-3557b6719229}\SETC64B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3b8f4165-0abd-29df-3d66-3557b6719229}\segwindrvx64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3b8f4165-0abd-29df-3d66-3557b6719229}\SETC64C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3b8f4165-0abd-29df-3d66-3557b6719229}\SETC64C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3b8f4165-0abd-29df-3d66-3557b6719229}\SETC64D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3b8f4165-0abd-29df-3d66-3557b6719229}\segwindrv.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3b8f4165-0abd-29df-3d66-3557b6719229}\SETC64B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3b8f4165-0abd-29df-3d66-3557b6719229}\segwindrv.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3b8f4165-0abd-29df-3d66-3557b6719229}\SETC64D.tmp	DrvInst.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	H2OSDE-Wx64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	H2OSDE-Wx64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
396	rundll32.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeSystemEnvironmentPrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2576	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	1932	DrvInst.exe
Token: SeRestorePrivilege	396	rundll32.exe
Token: SeRestorePrivilege	396	rundll32.exe
Token: SeRestorePrivilege	396	rundll32.exe
Token: SeRestorePrivilege	396	rundll32.exe
Token: SeRestorePrivilege	396	rundll32.exe
Token: SeRestorePrivilege	396	rundll32.exe
Token: SeRestorePrivilege	396	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2576	1900	cmd.exe	31
PID 1900 wrote to memory of 2576	1900	cmd.exe	31
PID 1900 wrote to memory of 2576	1900	cmd.exe	31
PID 1932 wrote to memory of 396	1932	DrvInst.exe	33
PID 1932 wrote to memory of 396	1932	DrvInst.exe	33
PID 1932 wrote to memory of 396	1932	DrvInst.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Insyde\spoof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe
  H2OSDE-Wx64.exe -SU AUTO
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2576

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5957cf90-0020-6d7c-0399-901b7411703b}\segwindrv.inf" "9" "69f798bf3" "0000000000000398" "WinSta0\Default" "00000000000002B8" "208" "c:\users\admin\appdata\local\temp\insyde"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{2b4720de-c866-614e-6426-965eef421e0b} Global\{44bb7ebf-d95d-1ad5-8725-68572fb94b75} C:\Windows\System32\DriverStore\Temp\{3b8f4165-0abd-29df-3d66-3557b6719229}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{3b8f4165-0abd-29df-3d66-3557b6719229}\segwindrv.cat
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabC592.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC595.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5957cf90-0020-6d7c-0399-901b7411703b}\segwindrv.cat

Filesize
10KB

MD5
43d3603cf918445cbd1d7253b49bf527

SHA1
fabfaee55f2c4e6ca508d735b297bdb738ab1c7d

SHA256
e830efe7786b0fb9dd84eb647614fa1795ec5caa605d44d9a13f0fdbd0f4d6b5

SHA512
183b8498e4c86966050be324a027fc0a7f8179bb77d032ec97cf64ab91dac72c8e7fcdda36c733c2815973b72c91cee19d3263376a7e3b955c616f548690186e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5957cf90-0020-6d7c-0399-901b7411703b}\segwindrv.inf

Filesize
4KB

MD5
843fb7475608ce359da7cbd48fa3ab1d

SHA1
ae16643aa1756b34391e4c615958343ecb17b153

SHA256
e1449864c7403b9cd3d828c6fc9710fe1fbb3f35c7b6522a5dcbcf97685f40d7

SHA512
9db610ebff1ab1e24147abadf10f978eab95358f2b0806d17fb8df6e53723b0523dd26d0207430d029f5b6826a02c3a5d73ff01d8f6e28d53e82c230075f2b34

Download Submit
C:\Windows\System32\DriverStore\Temp\{3b8f4165-0abd-29df-3d66-3557b6719229}\SETC64B.tmp

Filesize
103KB

MD5
e46dfe45c1714f4920d3fd2546f2f630

SHA1
28cdb0b48c1d88d71421ec9e40ce52836ab79956

SHA256
b44f4384f95cc9d3f86f0c27fc0abba9a291a7cc24483f41e70c1234bc61edc6

SHA512
97480d19e22ebef836e61f33d5540c41a08a9edc71af97a59fef71b3d60abd9ab78b32896ee0812cae1780da08f875e3cb32c048edf4fcae523fa04e23d2246c

Download Submit
C:\Windows\Temp\CabC6BB.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarC6FC.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit