Overview
Analysis
  max time kernel:   94s
  max time network:  95s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240802-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         05-10-2024 12:46
Tasks
  Static task:  static1

  Behavioral tasks (task id, sample, resource image):
    behavioral1   AMI/AMIDEWINx64.exe       win10v2004-20240802-en
    behavioral2   AMI/amigendrv64.sys       win10v2004-20240802-en
    behavioral3   AMI/spoof.bat             win10v2004-20240802-en
    behavioral4   Insyde/H2OSDE-Wx64.exe    win10v2004-20240802-en
    behavioral5   Insyde/segwindrvx64.sys   win10v2004-20240802-en
    behavioral6   Insyde/spoof.bat          win10v2004-20240910-en
    behavioral7   VHD/0.25000001.bat        win10v2004-20240802-en
    behavioral8   check.bat                 win10v2004-20240802-en
    behavioral9   tweaks/1.bat              win10v2004-20240802-en
General
  Target:  tweaks/1.bat
  Size:    253B
  MD5:     ce17bbdf67566edb48a72c10dc53aa19
  SHA1:    5463f627871b844a098871aa5dbe43ef9f39d09e
  SHA256:  9ee833b3b341ab2fbbc1b215c2613a3cb947aa5174122f69c87068c54d3b6f8a
  SHA512:  6c76ccb6b1bf9c40c62c50ab04fe053f7358496eafa0345f14dc0a5f2e29cf58a3f87e301efe876ba9d2ac9f3ca5471d7af991d3f4c7097fd1f55dc9976360da
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Process: reg.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Process: reg.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"

UAC bypass
  Process: reg.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Modifies boot configuration data using bcdedit (1 TTP, 3 IoCs)
  Processes: bcdedit.exe (PID 440), bcdedit.exe (PID 2648), bcdedit.exe (PID 4788)

Modify Registry: Disable Windows Driver Blocklist (2 TTPs, 1 IoC)
  Disable Windows Driver Blocklist via Registry.
  Process: reg.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0"

Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 976), icacls.exe (PID 1060)

Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (PID 976), icacls.exe (PID 1060)

Power Settings (1 TTP, 1 IoC)
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: reg.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\WallPaper

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeShutdownPrivilege         PID 4404  powercfg.exe
  Token: SeCreatePagefilePrivilege   PID 4404  powercfg.exe
  Token: SeShutdownPrivilege         PID 4404  powercfg.exe
  Token: SeCreatePagefilePrivilege   PID 4404  powercfg.exe
  Token: SeTakeOwnershipPrivilege    PID 976   takeown.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  Source PID  Process  Target PID  procid_target
  4448        cmd.exe  440         83
  4448        cmd.exe  440         83
  4448        cmd.exe  2648        84
  4448        cmd.exe  2648        84
  4448        cmd.exe  4788        85
  4448        cmd.exe  4788        85
  4448        cmd.exe  4404        86
  4448        cmd.exe  4404        86
  4448        cmd.exe  4108        87
  4448        cmd.exe  4108        87
  4448        cmd.exe  976         88
  4448        cmd.exe  976         88
  4448        cmd.exe  1060        89
  4448        cmd.exe  1060        89
Processes

C:\Windows\system32\cmd.exe  (PID 4448)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tweaks\1.bat"
  - Suspicious use of WriteProcessMemory

  +-- C:\Windows\system32\bcdedit.exe  (PID 440)
  |     Command line: bcdedit /set bootuxdisabled yes
  |     - Modifies boot configuration data using bcdedit
  |
  +-- C:\Windows\system32\bcdedit.exe  (PID 2648)
  |     Command line: bcdedit /set quietboot on
  |     - Modifies boot configuration data using bcdedit
  |
  +-- C:\Windows\system32\bcdedit.exe  (PID 4788)
  |     Command line: bcdedit /timeout 0
  |     - Modifies boot configuration data using bcdedit
  |
  +-- C:\Windows\system32\powercfg.exe  (PID 4404)
  |     Command line: powercfg h off
  |     - Power Settings
  |     - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\system32\reg.exe  (PID 4108)
  |     Command line: reg import 1.reg
  |     - Modifies visibility of file extensions in Explorer
  |     - Modifies visibility of hidden/system files in Explorer
  |     - UAC bypass
  |     - Modify Registry: Disable Windows Driver Blocklist
  |     - Sets desktop wallpaper using registry
  |
  +-- C:\Windows\system32\takeown.exe  (PID 976)
  |     Command line: takeown /F C:\Windows\System32\dbgeng.dll
  |     - Possible privilege escalation attempt
  |     - Modifies file permissions
  |     - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\system32\icacls.exe  (PID 1060)
        Command line: icacls C:\Windows\System32\dbgeng.dll /grant Administrators:D
        - Possible privilege escalation attempt
        - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)