Overview

Score  Task                   Platform
10     Static
3      AMI/AMIDEWINx64.exe    windows7-x64
1      AMI/AMIDEWINx64.exe    windows10-2004-x64
1      AMI/amigendrv64.sys    windows10-2004-x64
1      AMI/spoof.bat          windows7-x64
1      AMI/spoof.bat          windows10-2004-x64
1      Insyde/H2O...64.exe    windows7-x64
5      Insyde/H2O...64.exe    windows10-2004-x64
-      Insyde/seg...64.sys    windows7-x64
1      Insyde/seg...64.sys    windows10-2004-x64
1      Insyde/spoof.bat       windows7-x64
5      Insyde/spoof.bat       windows10-2004-x64
-      VHD/VHD.bat            windows7-x64
3      VHD/VHD.bat            windows10-2004-x64
3      check.bat              windows7-x64
1      check.bat              windows10-2004-x64
5      tweaks/1.bat           windows7-x64
10     tweaks/1.bat           windows10-2004-x64
Analysis (score 10)

- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20/09/2024, 11:33
Static task
- static1

Behavioral tasks

Task          Sample                    Resource
behavioral1   AMI/AMIDEWINx64.exe       win7-20240903-en
behavioral2   AMI/AMIDEWINx64.exe       win10v2004-20240802-en
behavioral3   AMI/amigendrv64.sys       win10v2004-20240802-en
behavioral4   AMI/spoof.bat             win7-20240903-en
behavioral5   AMI/spoof.bat             win10v2004-20240802-en
behavioral6   Insyde/H2OSDE-Wx64.exe    win7-20240903-en
behavioral7   Insyde/H2OSDE-Wx64.exe    win10v2004-20240802-en
behavioral8   Insyde/segwindrvx64.sys   win7-20240903-en
behavioral9   Insyde/segwindrvx64.sys   win10v2004-20240802-en
behavioral10  Insyde/spoof.bat          win7-20240903-en
behavioral11  Insyde/spoof.bat          win10v2004-20240802-en
behavioral12  VHD/VHD.bat               win7-20240704-en
behavioral13  VHD/VHD.bat               win10v2004-20240802-en
behavioral14  check.bat                 win7-20240903-en
behavioral15  check.bat                 win10v2004-20240910-en
behavioral16  tweaks/1.bat              win7-20240729-en
behavioral17  tweaks/1.bat              win10v2004-20240802-en
General

- Target: check.bat
- Size: 274B
- MD5: e8db7ba2184c7b20e20182d01522e6c6
- SHA1: 877be10ebd8d6281da715d96b4741dddbbd258c3
- SHA256: 3c36f73644642fa71c86fe48d24cc47f5293cedcec8bd0981d111e5823bda3ea
- SHA512: 1024d79d1b3f6208c577b7c45ac8e3a985887736af0712fbec2e54c837c4d6de14afa7dfbe58266d157490952c9a857a402ec3ec393d560d6611273aac55d529
Malware Config
Signatures
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (18 IoCs)
Processes

- C:\Windows\system32\cmd.exe (PID 2504)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\check.bat"
  Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 2336)
    net stop winmgmt /y
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2684)
      C:\Windows\system32\net1 stop winmgmt /y
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2808)
    wmic baseboard get manufacturer, product, serialnumber
    Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2624)
    wmic bios get manufacturer, releasedate, serialnumber
    Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2716)
    wmic csproduct get name, uuid
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2616)
    wmic diskdrive get serialnumber