Overview
- Static (score 10)
- AMI/AMIDEWINx64.exe, windows10-2004-x64 (score 3)
- AMI/amigendrv64.sys, windows10-2004-x64 (score 1)
- AMI/spoof.bat, windows10-2004-x64 (score 1)
- Insyde/H2O...64.exe, windows10-2004-x64 (score 1)
- Insyde/seg...64.sys, windows10-2004-x64
- Insyde/spoof.bat, windows10-2004-x64 (score 1)
- VHD/0.25000001.bat, windows10-2004-x64
- check.bat, windows10-2004-x64 (score 3)
- tweaks/1.bat, windows10-2004-x64 (score 5)
Analysis (score 10)
- max time kernel: 125s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-10-2024 12:46
Tasks
- static1 (Static task)
- behavioral1 (Behavioral task): sample AMI/AMIDEWINx64.exe, resource win10v2004-20240802-en
- behavioral2 (Behavioral task): sample AMI/amigendrv64.sys, resource win10v2004-20240802-en
- behavioral3 (Behavioral task): sample AMI/spoof.bat, resource win10v2004-20240802-en
- behavioral4 (Behavioral task): sample Insyde/H2OSDE-Wx64.exe, resource win10v2004-20240802-en
- behavioral5 (Behavioral task): sample Insyde/segwindrvx64.sys, resource win10v2004-20240802-en
- behavioral6 (Behavioral task): sample Insyde/spoof.bat, resource win10v2004-20240910-en
- behavioral7 (Behavioral task): sample VHD/0.25000001.bat, resource win10v2004-20240802-en
- behavioral8 (Behavioral task): sample check.bat, resource win10v2004-20240802-en
- behavioral9 (Behavioral task): sample tweaks/1.bat, resource win10v2004-20240802-en
General
- Target: VHD/0.25000001.bat
- Size: 82B
- MD5: 945e0ff83a6f23cf0568ba1444af9384
- SHA1: 184d295e43c244bb4891b79927e45049f9a1b8fe
- SHA256: 569a3ea35752c5f848269f90cc8fd72f3e587e44c987e9986af242ba3cbc93d8
- SHA512: 00991d10ec9fb366288b1a025eac20e2986ed31a09853dacc47dca21b420213d251c72c6006b32c02f77611284496d4ce2e4511e818de67d82e87342fd9b7789
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: DllHost.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DllHost.exe)
Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vds.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\ConfigFlags (vds.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (vds.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_MSFT&PROD_VIRTUAL_DISK\2&1F4ADFFE&0&000003 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\FriendlyName (vds.exe)
Modifies Internet Explorer settings (2 IoCs)
Processes: explorer.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar (explorer.exe)
Modifies registry class (6 IoCs)
Processes: explorer.exe, control.exe
- Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings (control.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: explorer.exe
- pid 688 (explorer.exe)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: vds.exe, control.exe, explorer.exe
- Token: SeManageVolumePrivilege (pid 4640, vds.exe)
- Token: SeManageVolumePrivilege (pid 4640, vds.exe)
- Token: SeManageVolumePrivilege (pid 4640, vds.exe)
- Token: SeShutdownPrivilege (pid 4036, control.exe)
- Token: SeCreatePagefilePrivilege (pid 4036, control.exe)
- Token: SeShutdownPrivilege (pid 688, explorer.exe)
- Token: SeCreatePagefilePrivilege (pid 688, explorer.exe)
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: explorer.exe
- pid 688 (explorer.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: cmd.exe
- PID 3428 wrote to memory of 4772 (pid 3428, cmd.exe, procid_target 83)
- PID 3428 wrote to memory of 4772 (pid 3428, cmd.exe, procid_target 83)
- PID 3428 wrote to memory of 4036 (pid 3428, cmd.exe, procid_target 89)
- PID 3428 wrote to memory of 4036 (pid 3428, cmd.exe, procid_target 89)
Processes
- C:\Windows\system32\cmd.exe (PID 3428)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VHD\0.25000001.bat"
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\diskpart.exe (PID 4772)
    Command line: diskpart /s 1.txt
  - C:\Windows\system32\control.exe (PID 4036)
    Command line: control /name Microsoft.StorageSpaces
    Signatures: Modifies registry class; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe (PID 4672)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 4640)
  Command line: C:\Windows\System32\vds.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 3240)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- C:\Windows\SysWOW64\DllHost.exe (PID 3908)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  Signatures: System Location Discovery: System Language Discovery
- C:\Windows\explorer.exe (PID 688)
  Command line: C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
  Signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow