Overview

Score  Task                   Platform
10     Static                 static
3      AMI/AMIDEWINx64.exe    windows7-x64
1      AMI/AMIDEWINx64.exe    windows10-2004-x64
1      AMI/amigendrv64.sys    windows10-2004-x64
1      AMI/spoof.bat          windows7-x64
1      AMI/spoof.bat          windows10-2004-x64
1      Insyde/H2O...64.exe    windows7-x64
5      Insyde/H2O...64.exe    windows10-2004-x64
-      Insyde/seg...64.sys    windows7-x64
1      Insyde/seg...64.sys    windows10-2004-x64
1      Insyde/spoof.bat       windows7-x64
5      Insyde/spoof.bat       windows10-2004-x64
-      VHD/VHD.bat            windows7-x64
3      VHD/VHD.bat            windows10-2004-x64
3      check.bat              windows7-x64
1      check.bat              windows10-2004-x64
5      tweaks/1.bat           windows7-x64
10     tweaks/1.bat           windows10-2004-x64
Analysis (score 10)

- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240910-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/09/2024, 11:33
Tasks

Type             Task          Sample                    Resource
Static task      static1       -                         -
Behavioral task  behavioral1   AMI/AMIDEWINx64.exe       win7-20240903-en
Behavioral task  behavioral2   AMI/AMIDEWINx64.exe       win10v2004-20240802-en
Behavioral task  behavioral3   AMI/amigendrv64.sys       win10v2004-20240802-en
Behavioral task  behavioral4   AMI/spoof.bat             win7-20240903-en
Behavioral task  behavioral5   AMI/spoof.bat             win10v2004-20240802-en
Behavioral task  behavioral6   Insyde/H2OSDE-Wx64.exe    win7-20240903-en
Behavioral task  behavioral7   Insyde/H2OSDE-Wx64.exe    win10v2004-20240802-en
Behavioral task  behavioral8   Insyde/segwindrvx64.sys   win7-20240903-en
Behavioral task  behavioral9   Insyde/segwindrvx64.sys   win10v2004-20240802-en
Behavioral task  behavioral10  Insyde/spoof.bat          win7-20240903-en
Behavioral task  behavioral11  Insyde/spoof.bat          win10v2004-20240802-en
Behavioral task  behavioral12  VHD/VHD.bat               win7-20240704-en
Behavioral task  behavioral13  VHD/VHD.bat               win10v2004-20240802-en
Behavioral task  behavioral14  check.bat                 win7-20240903-en
Behavioral task  behavioral15  check.bat                 win10v2004-20240910-en
Behavioral task  behavioral16  tweaks/1.bat              win7-20240729-en
Behavioral task  behavioral17  tweaks/1.bat              win10v2004-20240802-en
General

- Target: check.bat
- Size: 274 B
- MD5: e8db7ba2184c7b20e20182d01522e6c6
- SHA1: 877be10ebd8d6281da715d96b4741dddbbd258c3
- SHA256: 3c36f73644642fa71c86fe48d24cc47f5293cedcec8bd0981d111e5823bda3ea
- SHA512: 1024d79d1b3f6208c577b7c45ac8e3a985887736af0712fbec2e54c837c4d6de14afa7dfbe58266d157490952c9a857a402ec3ec393d560d6611273aac55d529
Malware Config
Signatures

- Drops file in System32 directory (7 IoCs)

  description                   ioc                                                Process
  File opened for modification  C:\Windows\system32\wbem\repository\MAPPING1.MAP   svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\MAPPING2.MAP   svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\MAPPING3.MAP   svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\OBJECTS.DATA   svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\INDEX.BTR      svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository                svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\WRITABLE.TST   svchost.exe

- Runs net.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)

  description                          pid   Process
  Token: SeIncreaseQuotaPrivilege      1740  WMIC.exe
  Token: SeSecurityPrivilege           1740  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1740  WMIC.exe
  Token: SeLoadDriverPrivilege         1740  WMIC.exe
  Token: SeSystemProfilePrivilege      1740  WMIC.exe
  Token: SeSystemtimePrivilege         1740  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1740  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1740  WMIC.exe
  Token: SeCreatePagefilePrivilege     1740  WMIC.exe
  Token: SeBackupPrivilege             1740  WMIC.exe
  Token: SeRestorePrivilege            1740  WMIC.exe
  Token: SeShutdownPrivilege           1740  WMIC.exe
  Token: SeDebugPrivilege              1740  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1740  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1740  WMIC.exe
  Token: SeUndockPrivilege             1740  WMIC.exe
  Token: SeManageVolumePrivilege       1740  WMIC.exe
  Token: 33                            1740  WMIC.exe
  Token: 34                            1740  WMIC.exe
  Token: 35                            1740  WMIC.exe
  Token: 36                            1740  WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege 1864  svchost.exe
  Token: SeIncreaseQuotaPrivilege      1864  svchost.exe
  Token: SeSecurityPrivilege           1864  svchost.exe
  Token: SeTakeOwnershipPrivilege      1864  svchost.exe
  Token: SeLoadDriverPrivilege         1864  svchost.exe
  Token: SeSystemtimePrivilege         1864  svchost.exe
  Token: SeBackupPrivilege             1864  svchost.exe
  Token: SeRestorePrivilege            1864  svchost.exe
  Token: SeShutdownPrivilege           1864  svchost.exe
  Token: SeSystemEnvironmentPrivilege  1864  svchost.exe
  Token: SeUndockPrivilege             1864  svchost.exe
  Token: SeManageVolumePrivilege       1864  svchost.exe
  Token: SeAssignPrimaryTokenPrivilege 1864  svchost.exe
  Token: SeIncreaseQuotaPrivilege      1864  svchost.exe
  Token: SeSecurityPrivilege           1864  svchost.exe
  Token: SeTakeOwnershipPrivilege      1864  svchost.exe
  Token: SeLoadDriverPrivilege         1864  svchost.exe
  Token: SeSystemtimePrivilege         1864  svchost.exe
  Token: SeBackupPrivilege             1864  svchost.exe
  Token: SeRestorePrivilege            1864  svchost.exe
  Token: SeShutdownPrivilege           1864  svchost.exe
  Token: SeSystemEnvironmentPrivilege  1864  svchost.exe
  Token: SeUndockPrivilege             1864  svchost.exe
  Token: SeManageVolumePrivilege       1864  svchost.exe
  Token: SeAssignPrimaryTokenPrivilege 1864  svchost.exe
  Token: SeIncreaseQuotaPrivilege      1864  svchost.exe
  Token: SeSecurityPrivilege           1864  svchost.exe
  Token: SeTakeOwnershipPrivilege      1864  svchost.exe
  Token: SeLoadDriverPrivilege         1864  svchost.exe
  Token: SeSystemtimePrivilege         1864  svchost.exe
  Token: SeBackupPrivilege             1864  svchost.exe
  Token: SeRestorePrivilege            1864  svchost.exe
  Token: SeShutdownPrivilege           1864  svchost.exe
  Token: SeSystemEnvironmentPrivilege  1864  svchost.exe
  Token: SeUndockPrivilege             1864  svchost.exe
  Token: SeManageVolumePrivilege       1864  svchost.exe
  Token: SeAssignPrimaryTokenPrivilege 1864  svchost.exe
  Token: SeIncreaseQuotaPrivilege      1864  svchost.exe
  Token: SeSecurityPrivilege           1864  svchost.exe
  Token: SeTakeOwnershipPrivilege      1864  svchost.exe
  Token: SeLoadDriverPrivilege         1864  svchost.exe
  Token: SeSystemtimePrivilege         1864  svchost.exe
  Token: SeBackupPrivilege             1864  svchost.exe

- Suspicious use of WriteProcessMemory (12 IoCs)

  description                      pid   Process  procid_target
  PID 3164 wrote to memory of 1956  3164  cmd.exe  84
  PID 3164 wrote to memory of 1956  3164  cmd.exe  84
  PID 1956 wrote to memory of 2144  1956  net.exe  85
  PID 1956 wrote to memory of 2144  1956  net.exe  85
  PID 3164 wrote to memory of 1740  3164  cmd.exe  91
  PID 3164 wrote to memory of 1740  3164  cmd.exe  91
  PID 3164 wrote to memory of 1008  3164  cmd.exe  94
  PID 3164 wrote to memory of 1008  3164  cmd.exe  94
  PID 3164 wrote to memory of 3160  3164  cmd.exe  95
  PID 3164 wrote to memory of 3160  3164  cmd.exe  95
  PID 3164 wrote to memory of 1084  3164  cmd.exe  96
  PID 3164 wrote to memory of 1084  3164  cmd.exe  96
Processes

- C:\Windows\system32\cmd.exe
  Command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\check.bat"
  PID: 3164
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command: net stop winmgmt /y
    PID: 1956
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 stop winmgmt /y
      PID: 2144
  - C:\Windows\System32\Wbem\WMIC.exe
    Command: wmic baseboard get manufacturer, product, serialnumber
    PID: 1740
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe
    Command: wmic bios get manufacturer, releasedate, serialnumber
    PID: 1008
  - C:\Windows\System32\Wbem\WMIC.exe
    Command: wmic csproduct get name, uuid
    PID: 3160
  - C:\Windows\System32\Wbem\WMIC.exe
    Command: wmic diskdrive get serialnumber
    PID: 1084
- C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  PID: 1864
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken