7c89499d85795d6727f8d864733b78870f3ce076ed4aa065c8f8cc44ee126b1f

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/woof.bat
Size

1KB
MD5

9dfe4e730dcc5e0d3951038ad2a095a1
SHA1

e033d9a40234b9544606ec4d603add264cb38841
SHA256

bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8
SHA512

297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops file in System32 directory 7 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

3144 sc.exe
4356 sc.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4408 ipconfig.exe
Runs net.exe
Suspicious behavior: LoadsDriver 26 IoCs

Processes:

pid process

656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
3144	sc.exe
4356	sc.exe

pid	process
4408	ipconfig.exe

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1552	svchost.exe
Token: SeIncreaseQuotaPrivilege	1552	svchost.exe
Token: SeSecurityPrivilege	1552	svchost.exe
Token: SeTakeOwnershipPrivilege	1552	svchost.exe
Token: SeLoadDriverPrivilege	1552	svchost.exe
Token: SeSystemtimePrivilege	1552	svchost.exe
Token: SeBackupPrivilege	1552	svchost.exe
Token: SeRestorePrivilege	1552	svchost.exe
Token: SeShutdownPrivilege	1552	svchost.exe
Token: SeSystemEnvironmentPrivilege	1552	svchost.exe
Token: SeUndockPrivilege	1552	svchost.exe
Token: SeManageVolumePrivilege	1552	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1552	svchost.exe
Token: SeIncreaseQuotaPrivilege	1552	svchost.exe
Token: SeSecurityPrivilege	1552	svchost.exe
Token: SeTakeOwnershipPrivilege	1552	svchost.exe
Token: SeLoadDriverPrivilege	1552	svchost.exe
Token: SeSystemtimePrivilege	1552	svchost.exe
Token: SeBackupPrivilege	1552	svchost.exe
Token: SeRestorePrivilege	1552	svchost.exe
Token: SeShutdownPrivilege	1552	svchost.exe
Token: SeSystemEnvironmentPrivilege	1552	svchost.exe
Token: SeUndockPrivilege	1552	svchost.exe
Token: SeManageVolumePrivilege	1552	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1552	svchost.exe
Token: SeIncreaseQuotaPrivilege	1552	svchost.exe
Token: SeSecurityPrivilege	1552	svchost.exe
Token: SeTakeOwnershipPrivilege	1552	svchost.exe
Token: SeLoadDriverPrivilege	1552	svchost.exe
Token: SeSystemtimePrivilege	1552	svchost.exe
Token: SeBackupPrivilege	1552	svchost.exe
Token: SeRestorePrivilege	1552	svchost.exe
Token: SeShutdownPrivilege	1552	svchost.exe
Token: SeSystemEnvironmentPrivilege	1552	svchost.exe
Token: SeUndockPrivilege	1552	svchost.exe
Token: SeManageVolumePrivilege	1552	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1552	svchost.exe
Token: SeIncreaseQuotaPrivilege	1552	svchost.exe
Token: SeSecurityPrivilege	1552	svchost.exe
Token: SeTakeOwnershipPrivilege	1552	svchost.exe
Token: SeLoadDriverPrivilege	1552	svchost.exe
Token: SeSystemtimePrivilege	1552	svchost.exe
Token: SeBackupPrivilege	1552	svchost.exe
Token: SeRestorePrivilege	1552	svchost.exe
Token: SeShutdownPrivilege	1552	svchost.exe
Token: SeSystemEnvironmentPrivilege	1552	svchost.exe
Token: SeUndockPrivilege	1552	svchost.exe
Token: SeManageVolumePrivilege	1552	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1552	svchost.exe
Token: SeIncreaseQuotaPrivilege	1552	svchost.exe
Token: SeSecurityPrivilege	1552	svchost.exe
Token: SeTakeOwnershipPrivilege	1552	svchost.exe
Token: SeLoadDriverPrivilege	1552	svchost.exe
Token: SeSystemtimePrivilege	1552	svchost.exe
Token: SeBackupPrivilege	1552	svchost.exe
Token: SeRestorePrivilege	1552	svchost.exe
Token: SeShutdownPrivilege	1552	svchost.exe
Token: SeSystemEnvironmentPrivilege	1552	svchost.exe
Token: SeUndockPrivilege	1552	svchost.exe
Token: SeManageVolumePrivilege	1552	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1552	svchost.exe
Token: SeIncreaseQuotaPrivilege	1552	svchost.exe
Token: SeSecurityPrivilege	1552	svchost.exe
Token: SeTakeOwnershipPrivilege	1552	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exe

description	pid	process	target process
PID 2748 wrote to memory of 4556	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4556	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 900	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 900	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 3356	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 3356	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 2104	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 2104	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 1496	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 1496	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 1060	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 1060	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 800	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 800	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4868	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4868	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 1180	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 1180	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 3076	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 3076	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 1540	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 1540	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4848	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4848	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 1372	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 1372	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 436	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 436	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4628	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4628	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4836	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4836	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4688	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4688	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 208	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 208	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4904	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4904	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4240	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4240	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4976	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4976	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4484	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4484	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 3960	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 3960	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4168	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 4168	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 3652	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 3652	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 2360	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 2360	2748	cmd.exe	AMIDEWINx64.EXE
PID 2748 wrote to memory of 968	2748	cmd.exe	net.exe
PID 2748 wrote to memory of 968	2748	cmd.exe	net.exe
PID 968 wrote to memory of 3552	968	net.exe	net1.exe
PID 968 wrote to memory of 3552	968	net.exe	net1.exe
PID 2748 wrote to memory of 2980	2748	cmd.exe	net.exe
PID 2748 wrote to memory of 2980	2748	cmd.exe	net.exe
PID 2980 wrote to memory of 4732	2980	net.exe	net1.exe
PID 2980 wrote to memory of 4732	2980	net.exe	net1.exe
PID 2748 wrote to memory of 3144	2748	cmd.exe	sc.exe
PID 2748 wrote to memory of 3144	2748	cmd.exe	sc.exe
PID 2748 wrote to memory of 4356	2748	cmd.exe	sc.exe
PID 2748 wrote to memory of 4356	2748	cmd.exe	sc.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 1906010926621176
  2⤵
  PID:3356
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BV 24599167721032512297
  2⤵
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS 311326368281668902
  2⤵
  PID:1060
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV 13001211452721222584
  2⤵
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 1765227350892525134
  2⤵
  PID:900
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 2469732312503230911
  2⤵
  PID:4556
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN 13755320481075719796
  2⤵
  PID:800
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT 29909916984231523
  2⤵
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN 28230151481324430128
  2⤵
  PID:3076
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM 2002329816178324359
  2⤵
  PID:4848
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF 28085120643106922424
  2⤵
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BP 1897224644137832186
  2⤵
  PID:4688
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM 5482415758325652
  2⤵
  PID:4240
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV 3218819912266032084
  2⤵
  PID:4484
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CO 2391731085284974975
  2⤵
  PID:4168
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA 2950618299243906899
  2⤵
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CT 12063120921317425482
  2⤵
  PID:4976
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC 2285328522936512980
  2⤵
  PID:4904
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT 16972321811493022877
  2⤵
  PID:208
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM 3265106652303516209
  2⤵
  PID:4836
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 933148412526922327
  2⤵
  PID:436
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP 23683559261897294
  2⤵
  PID:1372
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IV 4245129493013827983
  2⤵
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:4868
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK 1111021880175509692
  2⤵
  PID:3652
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK 2123466643701740
  2⤵
  PID:2360
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- C:\Windows\system32\net.exe
  net start winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:4732
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:3144
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:4408
- C:\Windows\system32\sc.exe
  sc start winmgmt
  2⤵
  - Launches sc.exe
  PID:4356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
1⤵
PID:3552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656