Overview

Score  Task                  Platform
10     Static                static
3      AMI/AMIDEWINx64.exe   windows10-2004-x64
1      AMI/amigendrv64.sys   windows10-2004-x64
1      AMI/spoof.bat         windows10-2004-x64
1      Insyde/H2O...64.exe   windows10-2004-x64
-      Insyde/seg...64.sys   windows10-2004-x64
1      Insyde/spoof.bat      windows10-2004-x64
-      VHD/0.25000001.bat    windows10-2004-x64
3      check.bat             windows10-2004-x64
5      tweaks/1.bat          windows10-2004-x64
Analysis (score 10)

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-10-2024 12:46
Static task: static1

Behavioral tasks:
behavioral1: AMI/AMIDEWINx64.exe (resource win10v2004-20240802-en)
behavioral2: AMI/amigendrv64.sys (resource win10v2004-20240802-en)
behavioral3: AMI/spoof.bat (resource win10v2004-20240802-en)
behavioral4: Insyde/H2OSDE-Wx64.exe (resource win10v2004-20240802-en)
behavioral5: Insyde/segwindrvx64.sys (resource win10v2004-20240802-en)
behavioral6: Insyde/spoof.bat (resource win10v2004-20240910-en)
behavioral7: VHD/0.25000001.bat (resource win10v2004-20240802-en)
behavioral8: check.bat (resource win10v2004-20240802-en)
behavioral9: tweaks/1.bat (resource win10v2004-20240802-en)
General (this part of the report covers behavioral8, check.bat)

Target: check.bat
Size: 274 B
MD5: e8db7ba2184c7b20e20182d01522e6c6
SHA1: 877be10ebd8d6281da715d96b4741dddbbd258c3
SHA256: 3c36f73644642fa71c86fe48d24cc47f5293cedcec8bd0981d111e5823bda3ea
SHA512: 1024d79d1b3f6208c577b7c45ac8e3a985887736af0712fbec2e54c837c4d6de14afa7dfbe58266d157490952c9a857a402ec3ec393d560d6611273aac55d529
Malware Config
Signatures

Drops file in System32 directory (7 IoCs)
Process: svchost.exe (PID 4992, the Winmgmt service host). Files opened for modification:
  C:\Windows\system32\wbem\repository
  C:\Windows\system32\wbem\repository\WRITABLE.TST
  C:\Windows\system32\wbem\repository\MAPPING1.MAP
  C:\Windows\system32\wbem\repository\MAPPING2.MAP
  C:\Windows\system32\wbem\repository\MAPPING3.MAP
  C:\Windows\system32\wbem\repository\OBJECTS.DATA
  C:\Windows\system32\wbem\repository\INDEX.BTR
All seven paths are the WMI repository, which the WMI service writes when it starts. Given that the script stops winmgmt and then issues WMIC queries (which bring the service back up on demand), this is most plausibly the service restarting, not check.bat itself dropping files.

Runs net.exe
  net stop winmgmt /y (PID 4784); see the process tree below.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
WMIC.exe (PID 5084), 21 privileges enabled:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, plus four the sandbox reports only by LUID (33, 34, 35, 36).
svchost.exe (PID 4992), 43 entries: the following 12 privileges in this order, the cycle repeated three times in full and then a fourth time up to SeBackupPrivilege:
  SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Caveat: this signature is generic. WMIC.exe routinely enables the privileges in its token at start-up and a service host adjusts its own token when it starts, so in this run it shows only that WMIC and the WMI service ran.

Suspicious use of WriteProcessMemory (12 IoCs)
cmd.exe (PID 3724) wrote to the memory of each child it created: net.exe (4784) and WMIC.exe (5084, 3912, 4572, 2432); net.exe (PID 4784) wrote to net1.exe (1160). Each pair is recorded twice, giving the 12 entries.
Caveat: a parent writes into a newly created child's address space as part of process creation, so this fires for any batch file that launches programs. The process tree below is the informative evidence.
Processes

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\check.bat"  (PID 3724)
    signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe  net stop winmgmt /y  (PID 4784)
        signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop winmgmt /y  (PID 1160)
  - C:\Windows\System32\Wbem\WMIC.exe  wmic baseboard get manufacturer, product, serialnumber  (PID 5084)
        signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe  wmic bios get manufacturer, releasedate, serialnumber  (PID 3912)
  - C:\Windows\System32\Wbem\WMIC.exe  wmic csproduct get name, uuid  (PID 4572)
  - C:\Windows\System32\Wbem\WMIC.exe  wmic diskdrive get serialnumber  (PID 2432)

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt  (PID 4992)
    signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken

What the tree shows: check.bat stops the WMI service, then reads the values that identify this particular machine rather than its model: motherboard manufacturer, product and serial; BIOS vendor, release date and serial; computer-system product name and UUID; and disk serial numbers. Stopping winmgmt first forces the service to restart and re-read its providers before the queries run, which is what one would do to confirm freshly edited SMBIOS values; the separate top-level svchost.exe -s Winmgmt (PID 4992) and its writes to the WMI repository are consistent with that restart. The other files in the submission (AMIDEWINx64.exe with amigendrv64.sys, H2OSDE-Wx64.exe with segwindrvx64.sys, and two spoof.bat scripts) are the AMI and Insyde DMI/SMBIOS editing tools and their kernel drivers, so check.bat is best read as the read-back step of a hardware-ID spoofing bundle. This report only shows the read side; the script contains nothing that modifies the system beyond restarting WMI.
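A detection for the chain above, as an added example that is not part of the sandbox report. It takes process-creation events shaped like Sysmon Event ID 1 (constructed dicts; the PIDs and command lines mirror the tree, the timestamps, the benign PowerShell sample and the field selection are assumptions for the example) and reports any parent that stops winmgmt and then issues hardware-identifier queries through WMIC. It generalises past this script by matching any WMIC alias/property pair that yields a machine-specific identifier, not just the four command lines seen here.

```python
"""Flag a parent process that stops the WMI service and then enumerates
machine-identifying values through WMIC (the check.bat pattern above).

Added example, not the sandbox's or the script author's code. Events are
constructed dicts with Sysmon Event ID 1 field names; the timestamps and
the benign sample are invented for illustration."""
import re
from collections import defaultdict

# WMIC aliases whose output is commonly used to fingerprint a machine.
HWID_ALIASES = {"baseboard", "bios", "csproduct", "diskdrive"}
# Properties that identify one physical machine rather than a model.
HWID_PROPERTIES = {"serialnumber", "uuid"}

STOP_WINMGMT = re.compile(r"\bstop\s+winmgmt\b", re.IGNORECASE)
WMIC_GET = re.compile(r"wmic(?:\.exe)?\s+(\w+)\s+get\s+(.+)$", re.IGNORECASE)


def classify(event):
    """Label one process-creation event: 'stop_wmi', 'hwid_query' or None."""
    image = event["Image"].lower()
    cmdline = event["CommandLine"].strip()
    if image.endswith(("\\net.exe", "\\net1.exe")) and STOP_WINMGMT.search(cmdline):
        return "stop_wmi"
    if image.endswith("\\wmic.exe"):
        m = WMIC_GET.search(cmdline)
        if m and m.group(1).lower() in HWID_ALIASES:
            props = {p.strip().lower() for p in m.group(2).split(",")}
            if props & HWID_PROPERTIES:
                return "hwid_query"
    return None


def detect_hwid_enumeration(events, min_queries=2):
    """Group events by parent PID and report each parent that stopped the
    WMI service and afterwards issued at least min_queries hardware-ID
    queries. A lone 'wmic bios get serialnumber' from an admin shell is
    routine and is deliberately not reported."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ParentProcessId"]].append(ev)

    findings = []
    for ppid, children in by_parent.items():
        children.sort(key=lambda ev: ev["UtcTime"])
        stop_seen, queries = False, []
        for ev in children:
            kind = classify(ev)
            if kind == "stop_wmi":
                stop_seen = True
            elif kind == "hwid_query" and stop_seen:
                queries.append(ev["CommandLine"])
        if stop_seen and len(queries) >= min_queries:
            findings.append({
                "parent_pid": ppid,
                "parent_image": children[0]["ParentImage"],
                "queries": queries,
            })
    return findings


def _event(ts, ppid, parent_image, pid, image, cmdline):
    """Build a minimal Sysmon-style process-creation record (constructed)."""
    return {"UtcTime": ts, "ParentProcessId": ppid, "ParentImage": parent_image,
            "ProcessId": pid, "Image": image, "CommandLine": cmdline}


CMD = r"C:\Windows\system32\cmd.exe"
NET = r"C:\Windows\system32\net.exe"
WMIC = r"C:\Windows\System32\Wbem\WMIC.exe"

# Constructed events mirroring the process tree in the report above.
SAMPLE_EVENTS = [
    _event("2024-10-05 12:46:01", 3724, CMD, 4784, NET, "net stop winmgmt /y"),
    _event("2024-10-05 12:46:01", 4784, NET, 1160, r"C:\Windows\system32\net1.exe",
           r"C:\Windows\system32\net1 stop winmgmt /y"),
    _event("2024-10-05 12:46:02", 3724, CMD, 5084, WMIC,
           "wmic baseboard get manufacturer, product, serialnumber"),
    _event("2024-10-05 12:46:03", 3724, CMD, 3912, WMIC,
           "wmic bios get manufacturer, releasedate, serialnumber"),
    _event("2024-10-05 12:46:04", 3724, CMD, 4572, WMIC, "wmic csproduct get name, uuid"),
    _event("2024-10-05 12:46:05", 3724, CMD, 2432, WMIC, "wmic diskdrive get serialnumber"),
]

# Constructed benign activity: a single serial-number lookup, no service stop.
BENIGN_EVENTS = [
    _event("2024-10-05 13:00:00", 900,
           r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           901, WMIC, "wmic bios get serialnumber"),
]

if __name__ == "__main__":
    for hit in detect_hwid_enumeration(SAMPLE_EVENTS):
        print(f"{hit['parent_image']} (PID {hit['parent_pid']}) stopped WMI, then ran:")
        for q in hit["queries"]:
            print("   ", q)
```

The rule keys on the combination, not on any single command: administrators do run `wmic bios get serialnumber`, and `net stop winmgmt` alone is a troubleshooting step, but one parent doing both in sequence is the specific shape of a read-back check after an identifier edit. Lower `min_queries` or drop the stop requirement only if the extra noise is acceptable in your environment; on hosts where WMIC is deprecated the same logic applies to `Get-CimInstance` calls against Win32_BaseBoard, Win32_BIOS, Win32_ComputerSystemProduct and Win32_DiskDrive.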